With serverless function architectures gaining in popularity, it is also becoming clear that the architecture is not without its security drawbacks. Overly permissive permissions, vulnerabilities in the functions’ code, and embedded secrets could all be exploited. Despite being event-triggered and ephemeral by nature, serverless functions can still be subject to unauthorized activity such as event injection attacks, where attackers hijack invocations.
AWS Lambda Functions Risk Mitigation
Aqua Cloud Native Security Platform (CSP) addresses the security risks, and in this blog, we will discuss the risks and demonstrate how Aqua CSP secures AWS Lambda functions in development and in runtime.
The distributed nature of serverless architectures gives a malicious attacker plenty of room to maneuver, turning the greatest asset of a serverless application into its most dangerous liability: it gives attackers significantly more points of entry. Serverless functions receive data from multiple event sources such as API calls, message queues, cloud storage, and more. Each of these event sources is another input an attacker can reach, so together they greatly increase the attack surface.
Many of the risks (vulnerabilities in dependencies, exposed sensitive data, or overly permissive privileges) can be mitigated in the CI/CD pipeline during development. However, despite these preliminary precautionary steps, there are still risks that materialize during the functions’ runtime and require advanced security controls to mitigate them.
Serverless function execution durations are extremely short. Usually, functions execute in just a few seconds or even fractions of a second. That’s a good thing from a security standpoint, as the lack of persistence defends against classic attack scenarios. Still, there are attack options that can exploit functions, or use the functions as a stepping-stone to access additional resources in the cloud account. Those attacks typically use code injection techniques or deserialization attacks that take place at runtime.
If you’d like to learn more about the security risks of serverless functions, read this previously published blog, where we discussed runtime protection for AWS serverless functions with Aqua CSP.
Aqua CSP integrates into your CI/CD pipelines to scan AWS Lambda function code for vulnerabilities, malware, misconfigurations, and embedded sensitive data during development. It also whitelists the intended activity of the functions to secure them from attacks at runtime.
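To make the development-time checks described above concrete, here is an added example (not Aqua’s code, and not taken from the original post) of two pre-deployment checks a pipeline can run over a Lambda function: flagging IAM policy statements that grant wildcard actions or resources, and flagging embedded credentials in the function source. The AWS access key ID format is public; the assignment-style secret pattern and the sample policy and source are constructed for this example.

```python
import json
import re

# Patterns for credentials that must never ship inside a function package.
# AKIA + 16 uppercase alphanumerics is the public AWS access key ID format;
# the generic "secret = '...'" assignment pattern is an assumption for this example.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_secret_assignment": re.compile(
        r"(?i)\b(secret|password|api_key|token)\s*=\s*['\"][^'\"]{8,}['\"]"),
}

def find_overly_permissive(policy: dict) -> list:
    """Return one finding per Allow statement whose Action or Resource is a wildcard."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # "*" or "service:*" grants every action; a bare "*" resource grants every resource.
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild_actions or "*" in resources:
            findings.append({"statement": idx, "actions": wild_actions,
                             "resource_wildcard": "*" in resources})
    return findings

def find_embedded_secrets(source: str) -> list:
    """Return (line_number, pattern_name) for each source line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

# Constructed sample inputs (not from any real deployment): the second statement
# grants s3:* on every resource, and the source embeds a fake access key ID.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Action": ["s3:*", "dynamodb:PutItem"], "Resource": "*"}]}""")
SAMPLE_SOURCE = (
    "import boto3\n"
    "AWS_KEY = 'AKIAEXAMPLEEXAMPLE01'  # constructed, not a real key\n"
    "def handler(event, context):\n"
    "    return {'statusCode': 200}\n"
)
```

Run both functions as a gate in the pipeline and fail the build when either returns a non-empty list.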
In the following video, Aqua’s Ali Naqvi discusses the challenges and risks that AWS Lambda functions pose to enterprise environments, of which the main attack surface is the serverless functions’ code. Attackers can exploit vulnerabilities in the functions’ code as an entry point to launch an attack. Referencing the OWASP top 10 list, Ali discusses the top serverless functions security risks and demonstrates how Aqua CSP secures AWS Lambda serverless functions during development and in real time.
This session, presented in partnership with AWS, explains more about serverless security and how to secure your serverless workloads on AWS Lambda.