Best Security Practices for AWS Lambda

By
nagamani sanagala
-

AWS Lambda

What is AWS Lambda?

AWS Lambda architecture is a serverless cloud service that allows teams to build applications, services, and APIs quickly, without having to deal with complicated infrastructure like servers and virtual machines. 

AWS Lambda executes application code. It allows developers to create applications as a set of Lambda functions and then deploy them in AWS Lambda. AWS is responsible for provisioning all required computer resources in order to execute these functions. With Lambda, you’re free from having to deal with complicated virtual machines and networks.

All AWS Lambda service functions can be triggered by various events, including HTTP requests, a change in a database record, emails or SMS, etc. Once an event is triggered, Lambda’s function code is executed. This code then interacts with other AWS services, including a system’s database, where it sends an output.

Data protection in AWS Lambda

Lambda allocates an execution environment for each individual function invoked. Lambda’s execution environment provides a file system (‘/tmp’) that application developers can use to store any temporary data related to the execution of a function.

In order to provide a safe storage environment for application data, execution environments are never shared across multiple user accounts. Still, AWS does not recommend storing security-sensitive data, including payment details or customer information, in its execution environment. Instead, consider storing your security-sensitive data in EC2 Systems Manager Parameter Store or Lambda’s Environment Variables with Encryption Helpers.

Security Overview of AWS Lambda

With AWS Lambda, it’s your team’s responsibility to ensure the security of all software code, resource configurations, and access management. The following is a list of your team’s responsibilities regarding Lambda’s security configurations, including:

  1. Application code and security
  2. VPC and networking settings
  3. IAM permissions and roles
  4. Access to Lambda’s deployment process/APIs
  5. Function security in relation to other cloud services

Let’s take a look at some Best Practices when it comes to implementing security in these aspects.

Grant Least Privileges

Lambda adheres to the ‘principle of least privilege’. When providing access to Lambda’s functions, only grant the least number of privileges possible for a user to perform their intended actions.

Lambda is fully integrated with AWS IAM. Feel free to use IAM policies to grant privileges to Lambda’s functions via execution roles. Execution roles are any IAM roles that define what AWS resources can be accessed from Lambda’s functions. In accordance with the concept of least privilege, each Lambda function must be configured with an execution role that allows access to required resources only. In addition, the execution role can only allow any essential operations to be executed on those resources. 

IAM is also used to define resource-based policies regarding Lambda’s functions. Resource-based policies state which AWS services are authorized to invoke a function. This permission can only be granted to essential AWS resources for each function.

Consider Dash ComplyOps to help you identify and resolve permission issues across your AWS environment.

Take the following steps to limit access:

  • Set granular IAM permissions regarding all Lambda functions
  • Using IAM permissions, limit user access to only necessary resources and operations
  • Remove all unused or outdated IAM users, roles, and permissions
  • Review and adjust IAM permissions periodically

Granting the least amount of privileges possible is no easy feat; it requires extensive planning and consideration. It’s much easier to allow maximum privileges regarding all functions in the development phase, and then configuring the individual privileges in the final stage — just before the product is released. 

Serverless applications often consist of thousands of functions, all requiring individual policies. This makes testing extremely challenging in the final stages of development. 

This is why it’s so important that all functions are designed with granular permissions rather than large groups of permissions. Development practices like DevSecOps must be adopted in the early stages of development if a company wishes to make the most of the principle of least privilege. 

Continuously Monitor Your Applications 

All of the Best Practices above can enhance the security of your serverless applications by eliminating weaknesses and reducing areas susceptible to attack. All of this makes it harder for attackers to exploit your application; however, a security team cannot be everywhere at once. You can never be too sure that all possible threats have been eliminated.

This is why cloud and application monitoring is such an important part of security. Monitoring provides you with the insight required about what’s going on with your AWS Lambda types of applications. It allows you to identify any potential security vulnerabilities before cybercriminals have the chance to exploit them. Should an attack materialize, monitoring allows you to detect it quickly and take the appropriate action to correct and reduce the impact. Dash ComplyOps assists teams by continuously monitoring the security and configuration of Lambda applications and cloud resources across AWS environments.

AWS Lambda Security Best Practices

Although developing secure serverless architecture may seem like a daunting task, nevertheless, your team needs to be able to address security concerns properly.

All DevOps and security teams should consider the following best practices when building functions and designing serverless applications in AWS Lambda:

  • Utilize one IAM Role per Lambda function only
  • Don’t store any AWS Credentials within Lambda’s function code or configuration
  • Store secrets only in EC2 Systems Manager Parameter store or Lambda’s Environment Variables using encryption helpers
  • When using API Gateway, set all API authorization and configuration settings
  • Apply ‘the principle of least privilege’ to all VPCs relating to functions via the use of function-specific subnets and network ACLs
  • Set all access control standards and limit access to Lambda’s APIs and deployment processes
  • Monitor Lambda’s availability and performance via CloudWatch.
  • Ensure security settings for all cloud resources connected to Lambda’s functions are in place (consider Dash ComplyOps)
  • Set only the most highly restrictive permissions possible regarding IAM policies
  • Delete all Lambda functions that are currently not in use

Conclusion

There is no doubt about it — Amazon Lambda reduces application development time and simplifies operational activities. However, security teams can not afford to overlook the security configuration and planning required in order to build secure cloud applications.

Nothing is 100% foolproof. As such, applications produced with Lambda are not inherently secure. It’s up to you to implement the required security in your application code and all connected cloud services. 

The only way to stand up to external threats is with continuous compliance monitoring. This way, your team can guarantee uninterrupted, secure applications built on AWS Lambda.

Dash ComplyOps deploys to your environment, assisting security teams with security and compliance across the AWS cloud. Learn more about how teams manage their AWS security programs with Dash Continuous Compliance Monitoring.

RELATED ARTICLESMORE FROM AUTHOR