Amazon dominates the cloud computing market with Amazon Web Services (AWS). In fact, AWS has a 41.5% market share in the public cloud market. With more than 1 million active enterprise users in 190 countries, AWS has five times the deployed cloud infrastructure of its next 14 competitors combined. This is the perfect platform for the latest darling of application developers everywhere.
AWS Lambda is a hugely popular serverless offering from AWS. Being serverless means it’s fully managed, relieving users of the need to maintain their own servers to perform application-specific functions.
AWS Lambda is event-driven: it executes code in response to events in other AWS services, such as table updates in Amazon DynamoDB, HTTP requests through Amazon API Gateway, or modifications to objects in Amazon S3 buckets. AWS Lambda is thus widely used by application development teams to improve performance, achieve scalability, and enhance cost-effectiveness.
As has always been the case with the public cloud, information security is a core functional requirement for AWS customers to protect mission-critical information from theft, leakage, or deletion.
If you are an existing or potential customer of AWS Lambda, you should be familiar with a few security measures.
Let’s use this article to create a security checklist for AWS Lambda that you can use.
A shared-responsibility model
Before getting to the checklist, one must understand the shared-responsibility model that AWS infrastructure operates under. This assumes that security is a shared responsibility between AWS and the customer.
Under a shared-responsibility model, AWS provides a secure and global infrastructure for computing, storage, networking, and database services. It is responsible for providing various security services to customers for securing their assets.
The customers, on the other hand, are responsible for protecting the integrity, confidentiality, and availability of their data in the cloud.
Simply put, AWS is responsible for ‘security of the cloud’ while the customers are responsible for ‘security in the cloud’.
For AWS Lambda, AWS takes care of the underlying infrastructure and foundation services, the application platform, and the operating system. The customer takes care of the storage, code security, data accessibility, and IAM.
AWS Lambda security checklist
Let’s consider some best practices for you to define your security management system and build a set of security policies for your organization to protect your assets and data.
When dealing with serverless architectures like AWS Lambda, the controls that protect servers (antivirus and anti-malware software, intrusion detection, file integrity monitoring, or firewalls) are not available to you, so one should focus on the best practices below instead.
Generating AWS IAM roles with the fewest privileges
AWS IAM is one of the most powerful permission models among cloud providers. That power is also the reason why one must be extra careful while setting up IAM.
When creating IAM policies, you should always follow the principle of least privilege for permissions. A least-privilege model limits what a compromised function can reach and so can keep your sensitive data out of an attacker's hands.
By contrast, an overly permissive IAM role allows an attacker who exploits an application-layer vulnerability in your function to move laterally into other resources in your AWS account.
While designing an application for AWS Lambda, you must break down things into more manageable and logical components to compartmentalize different capabilities from one another.
Ideally, every Lambda function within your AWS account should have a 1:1 relationship with an IAM role.
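The following is an added example (not code from the article or from Forge Ahead) of what a 1:1 execution-role policy looks like in practice, together with a small linter that flags the patterns that make such a role overly permissive. The account ID, region, function name and table name are placeholders constructed for the example.

```python
"""Least-privilege IAM policy for a Lambda execution role: a builder that
scopes permissions to one DynamoDB table and the function's own log group,
plus a linter that flags statements granting more than a single function
needs. Added example; all identifiers below are constructed placeholders."""
import json
from typing import Dict, List

# Constructed placeholders, not values from any real account.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
FUNCTION_NAME = "order-processor"
TABLE_NAME = "Orders"


def least_privilege_policy(function_name: str, table_name: str,
                           account_id: str = ACCOUNT_ID,
                           region: str = REGION) -> Dict:
    """Identity policy for a role used by exactly one function: it may write
    its own log streams and read/write one table, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteOwnLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                # Log-stream ARNs end in ":*"; that is the narrowest valid scope.
                "Resource": (f"arn:aws:logs:{region}:{account_id}:"
                             f"log-group:/aws/lambda/{function_name}:*"),
            },
            {
                "Sid": "AccessOneTable",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:UpdateItem", "dynamodb:Query"],
                "Resource": (f"arn:aws:dynamodb:{region}:{account_id}:"
                             f"table/{table_name}"),
            },
        ],
    }


def _as_list(value) -> List[str]:
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return one finding per over-broad grant: wildcard actions, a wildcard
    resource, or IAM actions (which let a function change permissions)."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}; "
                                "list the API calls the function actually makes")
            elif action.startswith("iam:"):
                findings.append(f"{sid}: identity action {action!r}; "
                                "a function role rarely needs to change IAM")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{sid}: Resource '*'; "
                            "scope to the ARNs this function touches")
    return findings


# Constructed counter-example of the kind of role the article warns about.
OVERLY_PERMISSIVE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                   "Action": ["dynamodb:*", "iam:PassRole"],
                   "Resource": "*"}],
}


if __name__ == "__main__":
    good = least_privilege_policy(FUNCTION_NAME, TABLE_NAME)
    print(json.dumps(good, indent=2))
    print("findings (least privilege):", lint_policy(good))
    print("findings (overly permissive):", lint_policy(OVERLY_PERMISSIVE))
```

The linter is deliberately simple: it flags only the three patterns named in the code, so a clean result means "no obvious wildcard or IAM grant", not "this role is minimal". Reviewing the action list against the calls the function actually makes is still a manual step.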
Logging and audit trails for AWS Lambda
During cyberattacks, attackers usually scout for weaknesses and potential vulnerabilities that they can exploit. It has been observed that a lack of real-time incident response can give attackers an advantage. This lack of real-time response often stems from the failure to detect early signals of the attacks.
Therefore, efficient and real-time event monitoring and logging can help prevent many cyberattacks.
Since the serverless architecture resides in a cloud environment outside of the organizational data center perimeter, on-premises security tools and processes for event monitoring become ineffective.
To monitor for potential security incidents in AWS Lambda, AWS provides two logging tools, CloudWatch and CloudTrail: CloudWatch Logs captures what your functions write during execution, while CloudTrail records the API calls made against your account, including changes to functions and to their roles.
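As an added example (not from the article), here is detection logic of the kind one would run over CloudTrail records for a Lambda estate. It flags code or configuration changes to a function made by anyone other than the deployment pipeline, changes to an execution role's permissions, and a burst of AccessDenied errors from a function's role, which is what a compromised function probing for more access looks like in the trail. The records, account ID, role names and the deployment principal are all constructed for the example.

```python
"""Detections over CloudTrail records for AWS Lambda. Added example; every
record and identifier below is constructed, not real log data."""
from collections import Counter
from typing import Dict, Iterable, List, Set

# Management-plane calls that change what a function runs or who may invoke
# it. CloudTrail appends an API-version suffix to Lambda event names
# (e.g. UpdateFunctionCode20150331v2), so these are matched as prefixes.
LAMBDA_MUTATIONS = ("CreateFunction", "UpdateFunctionCode",
                    "UpdateFunctionConfiguration", "AddPermission",
                    "DeleteFunction", "PutFunctionConcurrency")
# Calls that change the trust or permissions of a role.
ROLE_MUTATIONS = {"CreateRole", "AttachRolePolicy", "PutRolePolicy",
                  "UpdateAssumeRolePolicy"}
# Principal expected to change functions (constructed placeholder).
DEPLOYMENT_PRINCIPALS = {"arn:aws:iam::123456789012:role/ci-deploy"}
ACCESS_DENIED_THRESHOLD = 3


def _record(source: str, name: str, identity: Dict, **extra) -> Dict:
    rec = {"eventSource": source, "eventName": name, "userIdentity": identity}
    rec.update(extra)
    return rec


# Constructed identities in CloudTrail's userIdentity shape.
CI_ROLE = {"type": "AssumedRole",
           "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-77",
           "sessionContext": {"sessionIssuer": {
               "arn": "arn:aws:iam::123456789012:role/ci-deploy"}}}
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
FUNCTION_ROLE = {"type": "AssumedRole",
                 "arn": ("arn:aws:sts::123456789012:assumed-role/"
                         "order-processor-role/order-processor"),
                 "sessionContext": {"sessionIssuer": {
                     "arn": "arn:aws:iam::123456789012:role/order-processor-role"}}}

SAMPLE_RECORDS = [
    _record("lambda.amazonaws.com", "UpdateFunctionCode20150331v2", CI_ROLE,
            requestParameters={"functionName": "order-processor"}),
    _record("lambda.amazonaws.com", "GetFunction20150331v2", ALICE,
            requestParameters={"functionName": "order-processor"}),
    _record("lambda.amazonaws.com", "UpdateFunctionConfiguration20150331v2",
            ALICE, requestParameters={"functionName": "order-processor"}),
    _record("iam.amazonaws.com", "PutRolePolicy", ALICE,
            requestParameters={"roleName": "order-processor-role"}),
    _record("s3.amazonaws.com", "ListBuckets", FUNCTION_ROLE,
            errorCode="AccessDenied"),
    _record("iam.amazonaws.com", "ListUsers", FUNCTION_ROLE,
            errorCode="AccessDenied"),
    _record("secretsmanager.amazonaws.com", "ListSecrets", FUNCTION_ROLE,
            errorCode="AccessDenied"),
]


def principal_of(rec: Dict) -> str:
    """Report the role behind an assumed-role session, otherwise the caller ARN."""
    ident = rec.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "<unknown>")


def detect(records: Iterable[Dict],
           deployment_principals: Set[str] = DEPLOYMENT_PRINCIPALS,
           threshold: int = ACCESS_DENIED_THRESHOLD) -> List[Dict]:
    """Return alerts as dicts with a 'rule' key and supporting fields."""
    alerts: List[Dict] = []
    denied: Counter = Counter()
    for rec in records:
        source, name = rec.get("eventSource"), rec.get("eventName", "")
        who = principal_of(rec)
        if (source == "lambda.amazonaws.com" and name.startswith(LAMBDA_MUTATIONS)
                and who not in deployment_principals):
            alerts.append({"rule": "lambda_mutation", "principal": who,
                           "event": name,
                           "function": rec.get("requestParameters", {}).get("functionName")})
        elif source == "iam.amazonaws.com" and name in ROLE_MUTATIONS:
            alerts.append({"rule": "role_mutation", "principal": who, "event": name,
                           "role": rec.get("requestParameters", {}).get("roleName")})
        if rec.get("errorCode") in ("AccessDenied", "UnauthorizedOperation"):
            denied[who] += 1
    for who, count in denied.items():
        if count >= threshold:
            alerts.append({"rule": "access_denied_burst", "principal": who,
                           "count": count})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

In a real deployment the records come from the CloudTrail log files delivered to S3 or from CloudWatch Logs, and the AccessDenied rule should be evaluated over a time window rather than a whole batch; the logic above is what either feed would be run through.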
Temporary AWS credentials
It’s advisable to avoid including any long-lived AWS credentials within the Lambda function code. One can, instead, create AWS service clients within the code through the AWS SDK without providing any credentials. The SDK then automatically retrieves and rotates the temporary credentials issued to the function's execution role.
However, there might also be cases where the execution role might be insufficient for the type of access a particular function requires. This can happen with some cross-account integrations the Lambda function might perform. For such cross-account use cases, one needs to grant the execution role access to the AssumeRole API within the AWS Security Token Service.
In the case of user-specific control policies, your function should be provided with the specific user identity and integrated with the Amazon Cognito API GetCredentialsForIdentity.
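The two points above (no long-lived keys in code; AssumeRole for cross-account access) are illustrated in the following added example, which is not code from the article. It caches the credentials returned by STS across warm invocations and refreshes them before they expire, and it includes a scan for long-lived access key IDs left in source. The role ARN, session name and sample source line are constructed; the STS client is injected so the logic can run offline, whereas in a deployed function it would be `boto3.client("sts")`, which picks up the execution role's temporary credentials without any configuration.

```python
"""Temporary credentials for a cross-account call from a Lambda function,
with an early-refresh cache, plus a scan for long-lived access keys in source.
Added example; role ARN, session name and sample source are constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

PARTNER_ROLE_ARN = "arn:aws:iam::210987654321:role/partner-read-only"  # placeholder
REFRESH_MARGIN = timedelta(minutes=5)
# Long-lived IAM user access key IDs start with AKIA; temporary ones start with ASIA.
LONG_LIVED_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


class CredentialCache:
    """Cache AssumeRole credentials across warm invocations and refresh them
    before expiry so no invocation starts a call with nearly dead credentials."""

    def __init__(self, sts_client, role_arn: str, session_name: str,
                 duration_seconds: int = 900):
        self._sts = sts_client
        self._role_arn = role_arn
        self._session_name = session_name
        self._duration = duration_seconds
        self._creds: Optional[Dict] = None

    def get(self, now: Optional[datetime] = None) -> Dict[str, str]:
        now = now or datetime.now(timezone.utc)
        if self._creds is None or self._creds["Expiration"] - now <= REFRESH_MARGIN:
            # Same call shape as boto3's sts.assume_role(). The execution role
            # needs sts:AssumeRole on the target, and the target role's trust
            # policy must name the execution role.
            resp = self._sts.assume_role(RoleArn=self._role_arn,
                                         RoleSessionName=self._session_name,
                                         DurationSeconds=self._duration)
            self._creds = resp["Credentials"]
        c = self._creds
        # Keyword names match boto3.client(service, **kwargs) for the partner client.
        return {"aws_access_key_id": c["AccessKeyId"],
                "aws_secret_access_key": c["SecretAccessKey"],
                "aws_session_token": c["SessionToken"]}


class FakeSTS:
    """Offline stand-in for the STS client (constructed for this example);
    returns credentials that expire DurationSeconds after its clock."""

    def __init__(self, clock: datetime):
        self.clock = clock
        self.calls = 0

    def assume_role(self, RoleArn: str, RoleSessionName: str,
                    DurationSeconds: int) -> Dict:
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIA{self.calls:016d}",
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": self.clock + timedelta(seconds=DurationSeconds)}}


def find_long_lived_keys(source: str) -> List[str]:
    """Return any IAM user access key IDs embedded in the given source text."""
    return LONG_LIVED_KEY.findall(source)


# Constructed sample of the anti-pattern; the key is AWS's documentation example.
SAMPLE_SOURCE = 's3 = boto3.client("s3", aws_access_key_id="AKIAIOSFODNN7EXAMPLE")'


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cache = CredentialCache(FakeSTS(start), PARTNER_ROLE_ARN, "order-processor")
    print(cache.get(now=start))
    print("long-lived keys in source:", find_long_lived_keys(SAMPLE_SOURCE))
```

The cache lives at module scope in a real function so that it is reused while the execution environment stays warm; the 5-minute margin is the design choice that matters, since a call that starts with 30 seconds of credential life left can fail halfway through a multi-request operation.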
Define and categorize assets
One should identify all the information assets that need protection and then conceive a technically and financially viable solution for protecting them.
The assets can be classified as essential elements (like business information, process, and activities) or components supporting essential elements (like hardware, software, personnel, sites, and partner organizations).
Designing an information security management system to protect assets
After determining the assets, categories, and costs, one must establish a standard for implementing, reviewing, monitoring, improving, and maintaining your information security management system (ISMS).
Putting an API gateway in front of your functions gives you ownership of the authentication and authorization of your API clients. Amazon API Gateway provides native AWS SigV4 authentication, generated client SDKs, and custom authorizers, among other features.
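To show what a custom authorizer does, here is an added example (not code from the article) of a token authorizer for Amazon API Gateway: it verifies an HMAC-signed bearer token with a constant-time comparison, rejects expired tokens, and returns the policy document API Gateway expects, allowing `execute-api:Invoke` on the requested method only. The token format and the shared secret are constructed for the example; a deployed authorizer would read its secret from an environment variable or Secrets Manager, not from source.

```python
"""Lambda token authorizer for Amazon API Gateway. Added example; the token
format and DEMO_SECRET are constructed for offline demonstration."""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed secret; never embed a real one in source.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, principal: str, expires_at: int) -> str:
    """Token = base64url("principal:expiry") + "." + hex HMAC-SHA256."""
    payload = f"{principal}:{expires_at}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(secret, payload)


def verify_token(secret: bytes, token: str, now: int) -> Optional[str]:
    """Return the principal if the token parses, is unexpired and its signature
    matches; None otherwise. compare_digest prevents timing side channels."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
        principal, expires = payload.decode().rsplit(":", 1)
        expires_at = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None
    if expires_at <= now:
        return None
    return principal


def _policy(principal: str, effect: str, method_arn: str) -> Dict:
    """Response shape API Gateway requires from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": method_arn}],
        },
    }


def handler(event: Dict, context=None, secret: bytes = DEMO_SECRET,
            now: Optional[int] = None) -> Dict:
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    now = int(time.time()) if now is None else now
    token = event.get("authorizationToken") or ""
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    principal = verify_token(secret, token, now)
    if principal is None:
        # An explicit Deny yields a 403; the caller learns nothing about why.
        return _policy("anonymous", "Deny", event["methodArn"])
    return _policy(principal, "Allow", event["methodArn"])


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"
    tok = issue_token(DEMO_SECRET, "user-42", int(time.time()) + 300)
    print(handler({"type": "TOKEN", "authorizationToken": "Bearer " + tok,
                   "methodArn": arn}))
```

The Deny policy is returned rather than an exception so that every failure (malformed, tampered, expired) produces the same 403; API Gateway caches the returned policy per token for the configured TTL, which is why the resource is the specific method ARN and not a stage-wide wildcard.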
We hope this checklist has given you some useful information on how to ensure the security of AWS Lambda.
If you need any more help, you can always get in touch with us at www.forgeahead.io.