AWS Lambda Security Best Practices
Getting Started with AWS Lambda Security
Introduction
10 years of Serverless, as AWS celebrates 10 years of AWS Lambda and ECS, and as Millions of customers use AWS Lambda every month it’s more and more important to know how to secure our Lambda Functions but before we do that we need to know what is “Serverless”
Note: if you don't know anything about the cloud and AWS I recommend reading this blog
What is Serverless?
We all know that managing servers has a lot of engineering overhead as you need to configure and maintain the servers you also need to figure out how you are going to scale etc. but with serverless you don't need to worry about any of that as it automatically provision all the infrastructure that your task needs and automatically scale, also it is redundant by default and when it comes to paying you only pay for the resources provisioned
Some people think that Serverless means that there are no servers and that's a misconception, as we saw it just means that you don't worry about managing the servers.
Now that we know what is serverless? let's see what are lambda functions
What is AWS Lambda?
AWS Lambda lets you run code without worrying about managing the server you just write the code and it takes care of the rest.
It supports a lot of run times like Node.js, Python, Java, C# (.NET Core). Go
and Ruby and you can have custom runtimes by using the AWS Lambda Runtime API.
Lambda Functions can run for 900 seconds or 15 minutes (Maximum) and the minimum is 1 second.
You only pay for execution time and the number of requests, there is a soft limit of 1000 concurrent requests per account per region but you can increase that number by contacting AWS support.
But you might ask what is the difference between Lambda Functions and EC2 instances?
AWS Lambda is used for short-term tasks since the maximum execution time is 15 min (900 seconds) while EC2 is better for long-term and steady tasks like running websites if you want to learn more about the difference i recommend reading this blog
Now that we know what is Serverless and AWS Lambda let's take a look at the AWS Lambda Security Best Practices
AWS Lambda Security Best Practices
Before we start talking about the AWS Lambda Security Best Practices, we need to learn about the AWS Shared Responsibility Model
AWS Shared Responsibility Model:
Security in the cloud is a shared responsibility between AWS and the customer where both AWS and the customer are responsible for securing workloads in the cloud
AWS is responsible for securing:
- The physical security of the data centers where AWS services are hosted.
- The underlying infrastructure that supports AWS services, such as the operating system, hypervisor, and networking.
- The availability of AWS services.
- The security of the AWS Cloud Platform, such as the prevention of unauthorized access to AWS infrastructure and data.
Customers are responsible for:
- The security of their code, and AWS IAM to the Lambda service and within your function.
- The configuration of AWS services, such as the creation of security groups and the use of encryption.
- The monitoring of their AWS environment for security threats.
- The compliance of their workloads with applicable regulations.
Now that we have learned about the AWS Shared Responsibility Model let's take a look at a few of the AWS Lambda Best Practices starting from the code security
AWS Lambda Function Code Security
For code security, there are a lot of security tools that you can use within the AWS Eco System like Amazon CodeGuru and Amazon Inspector since they integrate smoothly with AWS Lambda you can also consider AWS Security Partner Companies like Snyk
Amazon CodeGuru
Amazon CodeGuru Security is a Static Application Security Testing (SAST) tool that scans your code using Machine Learning to identify vulnerabilities in your code and give you recommendations on how you can fix it.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that scans your workloads like EC2 Instances, Containers, and Lambda Functions for software vulnerabilities and unintended network exposure and also tells you how to remediate those vulnerabilities
Recently Amazon Inspector added a Lambda Function Code Scanning Feature that you can check here 👇🏻
AWS Identity and Access Management (IAM)
As we saw in the AWS Lambda shared responsibility model that we are responsible for identity and access management (IAM), and whenever you think about identity and access management (IAM) you need to keep in mind a really important concept which is “Least Privilege” which means that your lambda functions should only have access to the minimum amount of permissions it needs to get the job done.
Let's see an example to understand this more because its a really important concept in security in general not just AWS Lambda Security
Lets imagine we have an AWS lambda function that need to Read a “Specific” Amazon S3 Bucket and Write data to a “Specific” DynamoDB table, Let’s see the IAM policy before and after applying the principle of least privilege.
❌ Before Applying Least Privilege (Don’t do that👇🏻)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "*"
}
]
}As you see “Action” and “Resource” have the “*” symbol which means that the AWS Lambda Function can perform all actions with “S3” and “DynamoDB” like deletion even though in this scenario we don't need to delete anything
✅ After Applying Least Privilege (Do that👇🏻)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::example-bucket-name/*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-table-name"
}
]
}Now if we look at this IAM policy we will see that only the “s3:GetObject”, “dynamodb:PutItem”, and “dynamodb:UpdateItem” actions are allowed with only specific resources which are “example-bucket-name” and example-table-name and that's a lot better for security
Monitoring & Logging
For Monitoring and Logging you can use Amazon CloudWatch and Amazon GuardDuty and since it integrates smoothly with AWS Lambda you can also consider AWS Security Partner Companies like Datadog
Amazon CloudWatch
Amazon CloudWatch lets you monitor and log all your resources and applications on AWS, and on-premises. but why is that important for AWS Lambda Security?
- You can get alerts when specific metrics pass a certain threshold for example when you get a usage spike or a lot of errors this can be because of a security incident
- It also helps you with Governance and Compliance since it logs everything
Amazon GuardDuty
Amazon GuardDuty is a threat detection service that monitors your AWS resources for suspicious activity but how does this help in securing you AWS Lambda Functions?
AWS GuardDuty has AWS Lambda Protection, which identifies suspicious network traffic and then reports it to you so you can take action. If you want to read more about this, I recommend reading this blog by AWS.
Secret Management
For Secret Management you can use AWS Secrets Manager since it integrates smoothly with AWS Lambda you can also consider AWS Security Partner Companies like HashiCorp Vault
AWS Secrets Manager
AWS Secret Manager is used to manage the life cycle of secrets, but why do we even need to manage secrets why cant it be inside the lambda function code?
Because this is so bad for security because:
- It can expose the secrets
- It makes it harder to rotate the secrets
- When we use a secret manager this helps with implementing the principle of least privilege as we can control who has access to the secrets
- If we didn't use a secret manager we won't be able to monitor and log who used the secrets and when
and a lot more that's why its really important that we use a secret manager and to keep in mind that encryption is not enough
TL;DR
This TL;DR was generated by ChatGPT
AWS Lambda Overview:
- AWS Lambda allows you to run code without managing servers, scaling automatically.
- Lambda supports multiple runtimes like Node.js, Python, Java, C#, Go, and Ruby.
- Maximum execution time is 15 minutes; you pay for execution time and requests.
AWS Shared Responsibility Model:
- AWS Responsibilities: Physical security, infrastructure security, service availability, and AWS Cloud Platform security.
- Customer Responsibilities: Securing code, managing IAM roles, configuring services, monitoring security threats, and ensuring compliance.
Lambda Code Security:
- Use tools like Amazon CodeGuru and Amazon Inspector for vulnerability scanning.
- CodeGuru: Identifies code vulnerabilities using Machine Learning.
- Amazon Inspector: Scans workloads for vulnerabilities and network exposure.
IAM Best Practices:
- Apply Least Privilege principle to Lambda functions. Grant only necessary permissions.
- Example of least privilege:
- Before: Broad permissions like
s3:*anddynamodb:*. - After: Specific actions like
s3:GetObjectanddynamodb:PutItemon precise resources.
Monitoring & Logging:
- Use Amazon CloudWatch to monitor and log Lambda functions and AWS resources.
- Use Amazon GuardDuty for threat detection and suspicious activity monitoring, including Lambda-specific protection.
Secret Management:
- Use AWS Secrets Manager to manage secrets securely.
- Avoid hardcoding secrets in Lambda code to reduce the risk of exposure.
- Secrets Manager allows for better access control, rotation, and logging of secret usage.
References
- The Overwhelmed Person’s Guide To AWS (Medium)
- 10 Years of Serverless with AWS Lambda and Amazon ECS (AWS)
- Introduction to AWS Lambda — Serverless Compute on Amazon Web Services (AWS)
- An Overview of Amazon EC2 vs. AWS Lambda (Tech Target)
- AWS Lambda Shared Responsibility Model (AWS)
- Security Overview of AWS Lambda — AWS Whitepaper (AWS)
- Security in AWS Lambda (AWS)
- Amazon CodeGuru (AWS)
- Amazon Inspector (AWS)
- Amazon Inspector: How to use Lambda Code Scanning (AWS)
- Security best practices in IAM (AWS)
- Amazon CloudWatch (AWS)
- Amazon GuardDuty (AWS)
- GuardDuty Lambda Protection (AWS)
- AWS Secrets Manager (AWS)
