Rushabh Trivedi

Serverless Security: Building Trust in the Cloud

Recently I got an awesome opportunity to speak in the Developer talks at AWS Summit Bengaluru 2025. I had applied for the talk and luckily my talk was selected. Now the real struggle starts: gathering all the scattered thoughts from your mind, relating them, and finally putting them into a presentable format which you can explain in very layman's terms.


I would like to compile the talk here in a blog.

There are a few key aspects of serverless security that need to be covered to build a secure application, and they sit at different layers of the application:

  • Identity and Access Management (IAM)
  • API Gateway
  • Lambda functions
  • Data
  • Monitoring and logging
  • DDoS protection

Security in serverless isn't about protecting servers - it's about protecting identities, permissions, and the code itself.
 - Chris Munnas
AWS Serverless Specialist

Before diving into the details, let's look at where serverless adoption stands today.


Let's look at the security considerations that make serverless different from, and in some ways trickier than, conventional server-based systems.


Let's explore each aspect shown in the image above in detail.

  1. Short-lived execution of Lambda functions - Lambda functions are ephemeral by nature: an execution environment spins up when the function is invoked and is reclaimed once it is no longer needed. This makes it hard to maintain stateful security controls (there is nowhere to keep a long-running host agent), and it means attacks have to be detected quickly, because there is no long-lived host left to inspect afterwards.

  2. Increased surface area - A serverless application is typically made of many small, purpose-built functions (often thought of as microservices). Each one has its own role, trigger and dependency set, so the attack surface broadens: more permissions to get wrong and more dependencies to leave unpatched.

  3. Event-driven nature - Functions are invoked by events from many sources (API Gateway, S3, SNS and so on). A misconfigured event source, for example a publicly writable S3 bucket that triggers a function, lets untrusted input reach your code. Treat every event as untrusted input and validate it.

  4. Dependency on managed services - A typical serverless application uses multiple managed services such as DynamoDB, API Gateway, S3, SQS and SNS. Failing to configure the permissions between them properly can lead to unintended data access or excessive privilege exposure.

  5. Multi-tenant risks - In a multi-tenant application, data of several tenants often lives in shared storage, such as the same DynamoDB table or a common S3 bucket. Failure to manage permissions and key scoping properly can expose one tenant's data to another.

With that base set, let's walk through security at the level of each service.


Identity and Access Management (IAM)

  1. Principle of least privilege - Give each Lambda function its own IAM role and policy, and grant access only to the resources that function actually needs. Avoid sharing one role across functions: a shared role accumulates the union of every function's permissions, so a compromise of any one function gets all of them.

  2. IAM role scoping - Scope roles narrowly to the function's purpose: name specific actions and specific resource ARNs. Avoid wildcards ('*') in Action or Resource unless there is no alternative, and if you must use one, constrain it with a Condition.

  3. Custom IAM policies - Avoid attaching the broad AWS managed policies (the various *FullAccess ones in particular). Write custom policies tailored to the function instead.

Use IAM Access Analyzer (to find resources shared outside your account and to generate policies from the CloudTrail activity a function actually has) and IAM's last-accessed information (Access Advisor) to audit and tighten permissions continuously.
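To make the IAM guidance above concrete, here is an added example (my code, not from the talk or the post) that builds a least-privilege policy for one function and audits an over-broad policy for the wildcards the post warns against. The DynamoDB statement also answers the shared-table multi-tenant risk discussed earlier: a dynamodb:LeadingKeys condition ties a role's access to the items whose partition key equals the principal's tenant tag. The account id, region, table name, function name and the 'tenant' tag key are assumptions.

```python
"""Least-privilege policy for one function, plus a wildcard audit.

Added example, not code from the post. ACCOUNT, REGION, TABLE, the function
name and the 'tenant' principal tag are illustrative assumptions.
"""
import json
from typing import Any, List

ACCOUNT = "123456789012"   # assumed account id
REGION = "ap-south-1"      # assumed region
TABLE = "orders"           # assumed DynamoDB table shared by all tenants


def function_policy(function_name: str) -> dict:
    """Policy for a single function: only the actions and resources it needs.

    The DynamoDB statement is scoped with dynamodb:LeadingKeys, so a role whose
    principal tag 'tenant' is set can only touch items whose partition key
    equals that tenant id. Isolation is then enforced by IAM, not by
    application code remembering to add a WHERE clause.
    """
    table_arn = f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{TABLE}"
    log_arn = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{function_name}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantScopedTableAccess",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
                "Resource": table_arn,
                "Condition": {
                    "ForAllValues:StringEquals": {
                        "dynamodb:LeadingKeys": ["${aws:PrincipalTag/tenant}"]
                    }
                },
            },
            {
                "Sid": "OwnLogGroupOnly",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": log_arn,
            },
        ],
    }


def as_list(value: Any) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> List[str]:
    """Return findings for Allow statements that are broader than they should be."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
    return findings


# Constructed example of the kind of policy the post warns against.
TOO_BROAD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWriteAnything", "Effect": "Allow",
         "Action": ["dynamodb:*", "s3:*"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    print(json.dumps(function_policy("order-service"), indent=2))
    for finding in audit_policy(TOO_BROAD):
        print("FINDING:", finding)
    print("findings on the scoped policy:", audit_policy(function_policy("order-service")))
```

The LeadingKeys condition only works if the calling principal actually carries a tenant tag. A single execution role cannot be tagged per tenant, so in practice the function assumes a scoped role per request with STS session tags (tenant=...) or passes a session policy; the policy above is what that assumed role carries.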

With permissions in place, the next layer is API Gateway.

API Gateway

There are many areas where you can apply security to API Gateway. I will not cover all of them here, to keep this post short and focused.

  1. Lambda authorizer - A Lambda authorizer evaluates the caller's token (or request parameters), returns an IAM policy document that allows or denies the execute-api:Invoke action, and can optionally populate context attributes that API Gateway passes on to the backend integration.

  2. API keys and usage plans - Once authorized users are in, some of them may still make thousands of API calls and degrade performance or cause unavailability for everyone else. Define an API key per tenant and associate it with a usage plan that sets throttling and a quota, say 100 requests per day. Note that API keys identify a client for metering and throttling; they are not an authentication mechanism and should be combined with an authorizer.

  3. OAuth and OpenID Connect - For more advanced authentication scenarios, use OAuth 2.0 or OpenID Connect (OIDC), for example via Amazon Cognito user pools with a Cognito or JWT authorizer.
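An added example of such an authorizer (my code, not from the post). It is a TOKEN authorizer over a deliberately simple HMAC-signed token format invented for this example so that it runs offline; a real deployment would validate a JWT from your identity provider and load the signing key from Secrets Manager. The claim names (sub, tenant, exp), the key and the method ARN are assumptions.

```python
"""Lambda TOKEN authorizer for API Gateway.

Added example, not code from the post. The token format is invented for this
example: "<base64url JSON claims>.<hex HMAC-SHA256 over the claims bytes>"
with claims like {"sub": "user-42", "tenant": "acme", "exp": 1700000000}.
A real deployment would verify a JWT from the identity provider and read the
signing key from Secrets Manager; SIGNING_KEY is a placeholder.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"example-only-key-do-not-ship"   # assumed; never embed a real key


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Only used here to build sample tokens; an IdP would do this in production."""
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{b64url_encode(payload)}.{sig}"


def verify_token(token: str, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        payload_b64, sig = token.split(".", 1)
        payload = b64url_decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; compare bytes so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:                           # includes UnicodeDecodeError
        return None
    if not isinstance(claims, dict) or "sub" not in claims:
        return None
    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None
    return claims


def build_policy(principal_id: str, effect: str, resource: str,
                 context: Optional[dict] = None) -> dict:
    """The shape API Gateway expects back from a Lambda authorizer."""
    doc = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resource}],
        },
    }
    if context:
        # Context reaches the integration as $context.authorizer.<key>; only
        # put values there that the backend is allowed to see.
        doc["context"] = context
    return doc


def handler(event: dict, context=None) -> dict:
    """Entry point for a TOKEN authorizer (identity source: Authorization header)."""
    method_arn = event["methodArn"]
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Explicit Deny rather than an exception: the caller gets a 403 and
        # API Gateway can cache the decision for this token if caching is on.
        return build_policy("anonymous", "Deny", method_arn)
    claims = verify_token(token)
    if claims is None:
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(claims["sub"], "Allow", method_arn,
                        context={"sub": claims["sub"], "tenant": claims.get("tenant", "")})
```

One caveat worth knowing before enabling authorizer caching: the returned policy is cached per token, and the Resource above is the exact method ARN of the first request. With caching on, a second request from the same token to a different route would be evaluated against the cached policy and denied, so either return a Resource pattern covering all routes the principal may call, or leave caching off.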

Lambda Function

  1. Principle of least privilege - Assign minimal IAM permissions to each Lambda function. Avoid wildcards like s3:* or dynamodb:*.

  2. Patch dependencies and libraries - Regularly update the function's dependencies. Use tools like npm audit, pip-audit, or Snyk to detect known vulnerabilities, and pin versions so a deployment is reproducible.

  3. Secure environment variables - Do not put secrets in plaintext environment variables or hardcode them in the function. Store them in AWS Secrets Manager, encrypt them with KMS, and fetch them at runtime with a role that is allowed to read only that secret.

  4. Monitor and log everything - Enable CloudWatch Logs and use AWS X-Ray for tracing. Use CloudTrail to track changes to Lambda functions and IAM policies. Set up Amazon GuardDuty for threat detection. Make sure the logs themselves never contain the secrets from the previous point.

  5. Set timeouts and memory limits - Set the timeout and memory limit deliberately, close to what the function needs. A tight timeout bounds how long a runaway or hijacked invocation can run and limits the cost of abuse.

  6. Network security with VPC integration - For sensitive workloads, run the Lambda function inside your VPC so it reaches private resources over private networking. Pair this with security groups and VPC endpoints so the function's egress is limited as well; attaching a function to a VPC does not by itself restrict what it can call on the internet if the subnet has a NAT gateway.

  7. Code signing - Enable Lambda code signing (with AWS Signer signing profiles) so only deployment packages signed by your trusted publisher are accepted, which verifies that the code has not been tampered with between build and deployment.
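An added example (my code, not the post's) of the "Secure environment variables" point above: the function reads the secret at runtime through boto3's get_secret_value call and caches it across warm invocations, with a TTL so a rotated secret is picked up without a redeploy. The SECRET_ARN variable name, the secret's JSON layout and the FakeSecretsClient stand-in are assumptions made so the example runs offline.

```python
"""Load a secret at runtime instead of from a plaintext environment variable.

Added example, not code from the post. Assumes the secret's ARN (only the
reference, never the value) is passed in the SECRET_ARN environment variable,
that the function's role may call secretsmanager:GetSecretValue on that one
ARN and kms:Decrypt on its key, and that the secret is a JSON object. The real
client is boto3.client("secretsmanager"); FakeSecretsClient is a constructed
stand-in with the same get_secret_value signature so this runs offline.
"""
import json
import os
import time
from typing import Callable, Optional


class SecretCache:
    """Cache a secret across warm invocations, refreshing after ttl seconds.

    Fetching once per execution environment rather than per request keeps
    Secrets Manager calls (and cost) down; the TTL bounds how long a rotated
    secret keeps being used from cache.
    """

    def __init__(self, client, secret_id: str, ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._secret_id = secret_id
        self._ttl = ttl
        self._clock = clock
        self._value: Optional[dict] = None
        self._fetched_at = float("-inf")
        self.fetch_count = 0

    def get(self) -> dict:
        if self._value is None or self._clock() - self._fetched_at >= self._ttl:
            resp = self._client.get_secret_value(SecretId=self._secret_id)
            # Secrets Manager returns either SecretString or SecretBinary.
            raw = resp.get("SecretString") or resp["SecretBinary"].decode()
            self._value = json.loads(raw)
            self._fetched_at = self._clock()
            self.fetch_count += 1
        return self._value


class FakeSecretsClient:
    """Constructed stand-in with boto3's get_secret_value(SecretId=...) shape."""

    def __init__(self, secrets: dict):
        self._secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        return {"ARN": SecretId, "SecretString": json.dumps(self._secrets[SecretId])}


def make_handler(cache: SecretCache):
    """Build the Lambda handler around a cache created once at module import.

    Real wiring (assumed, not run here):
        cache = SecretCache(boto3.client("secretsmanager"), os.environ["SECRET_ARN"])
        handler = make_handler(cache)
    """
    def handler(event: dict, context=None) -> dict:
        creds = cache.get()
        # Use the credential here; never log it or echo it back. Only
        # non-sensitive fields go into the response.
        return {"statusCode": 200,
                "body": json.dumps({"db_host": creds["host"], "user": creds["username"]})}
    return handler


if __name__ == "__main__":
    arn = os.environ.get("SECRET_ARN",
                         "arn:aws:secretsmanager:ap-south-1:123456789012:secret:orders-db")
    fake = FakeSecretsClient({arn: {"host": "db.internal", "username": "app",
                                    "password": "hunter2"}})
    handler = make_handler(SecretCache(fake, arn))
    print(handler({}), handler({}), "fetches:", fake.calls)
```

The same pattern applies to SSM Parameter Store (SecureString parameters) with get_parameter(WithDecryption=True); what matters is that the plaintext only ever exists in the function's memory, the role can read exactly one secret, and the value never reaches a log line or a response body.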

Data Security

Once a request has reached the Lambda function, the function generates or fetches data in some backing store. You need a layer of security on that data as well.

There are two main aspects of data security:

  • Encryption
  • Secure storage

Encryption applies at two levels, at rest and in transit: use KMS keys to encrypt data at rest (DynamoDB tables, S3 buckets, SQS queues and CloudWatch log groups all support customer managed keys), and use HTTPS/TLS (or SFTP for file transfer) to protect data in transit.

Apply strict access policies and IAM permissions to protect the data in storage. Resource policies, such as an S3 bucket policy, can additionally deny any request that does not arrive over TLS or that writes an object without server-side encryption.

Monitoring & Logging

Observability is always a key aspect of any system, especially one that is event-driven and this widely distributed.
AWS has a suite of services at your rescue.

  1. AWS CloudTrail - Records AWS API calls (to Lambda, API Gateway, IAM and so on).
    Tells you who changed or invoked a function, when, and from where, which is critical for compliance and incident response. Note that Lambda Invoke calls are data events and must be enabled on the trail separately from the default management events.

  2. Amazon CloudWatch Logs - Enable Lambda logging through CloudWatch. This helps troubleshoot errors, performance bottlenecks, and anomalies.
    Capture logs and set alarms on high error rates, long execution durations and timeouts.

  3. CloudWatch Metrics - Monitor Lambda performance (Errors, Throttles, Duration, ConcurrentExecutions). Detect failures and address issues proactively.

  4. GuardDuty - Enable GuardDuty for continuous monitoring of malicious activity and security threats; it analyses CloudTrail events, VPC Flow Logs and DNS logs for your account.
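As an added example of the detection side of this list (my code, not the post's), here is a small analyser that walks CloudTrail records and flags the changes to Lambda functions and IAM roles the post says to watch. The records are constructed to follow the CloudTrail record shape; the deploy role ARN, the severities and the chosen checks are assumptions. Lambda's eventName values carry an API-version suffix as CloudTrail records them (for example AddPermission20150331v2), so the matches use prefixes.

```python
"""Flag risky Lambda/IAM control-plane changes in CloudTrail records.

Added example, not code from the post. SAMPLE_EVENTS are constructed records
in the CloudTrail record shape (eventSource, eventName, userIdentity,
requestParameters); DEPLOY_ROLE, the severities and the checks are
assumptions. In production the records would come from the trail's S3
bucket, a CloudWatch Logs subscription or EventBridge rather than a list.
"""
import json
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Assumed: the only principal that should push code is the CI deploy role.
DEPLOY_ROLE = "arn:aws:sts::123456789012:assumed-role/ci-deploy/"


def has_wildcard(policy_document: str) -> bool:
    """True if an Allow statement uses '*' or 'service:*' actions or a '*' resource.

    CloudTrail records PutRolePolicy's policyDocument as a URL-encoded JSON
    string, hence the unquote before parsing; plain JSON passes through unchanged.
    """
    try:
        doc = json.loads(unquote(policy_document))
    except ValueError:
        return False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt.get("Resource", [])
        resources = resources if isinstance(resources, list) else [resources]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            return True
    return False


def analyse(records: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the records that matter."""
    findings = []
    for rec in records:
        src = rec.get("eventSource", "")
        name = rec.get("eventName", "")
        params = rec.get("requestParameters") or {}
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        fn = params.get("functionName", "?")
        role = params.get("roleName", "?")
        if src == "lambda.amazonaws.com":
            if name.startswith("AddPermission") and params.get("principal") == "*":
                findings.append(("HIGH", f"{actor} made {fn} invokable by anyone"))
            elif name.startswith("UpdateFunctionConfiguration") and "environment" in params:
                findings.append(("MEDIUM", f"{actor} changed environment variables of {fn}"))
            elif name.startswith("UpdateFunctionCode") and not actor.startswith(DEPLOY_ROLE):
                findings.append(("MEDIUM", f"{actor} pushed code to {fn} outside the CI deploy role"))
        elif src == "iam.amazonaws.com":
            if name == "PutRolePolicy" and has_wildcard(params.get("policyDocument", "")):
                findings.append(("HIGH", f"{actor} put a wildcard inline policy on role {role}"))
            elif name == "AttachRolePolicy":
                arn = params.get("policyArn", "")
                if arn.endswith("AdministratorAccess") or arn.endswith("FullAccess"):
                    findings.append(("HIGH", f"{actor} attached {arn} to role {role}"))
    return findings


# Constructed sample records (values are not from any real account).
ALICE = "arn:aws:iam::123456789012:user/dev-alice"
SAMPLE_EVENTS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": DEPLOY_ROLE + "build-7781"},
     "requestParameters": {"functionName": "order-service"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"functionName": "order-service", "action": "lambda:InvokeFunction",
                           "principal": "*", "statementId": "public-test"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"functionName": "order-service", "environment": {}}},
    {"eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"roleName": "order-service-role", "policyName": "quick-fix",
                           "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
                               {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"arn": ALICE},
     "requestParameters": {"roleName": "order-service-role",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The first sample record produces no finding because the code push came from the CI role; the other four are exactly the changes an attacker with a stolen developer credential would make to persist or widen access, and each of them is visible in CloudTrail within minutes even though the function itself leaves no host to inspect.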

DDoS Protection

  1. AWS WAF - Put AWS WAF in front of API Gateway to block common web exploits such as SQL injection and cross-site scripting (XSS) and to filter malicious traffic, for example with rate-based rules and IP reputation lists.

  2. AWS Shield - AWS Shield Standard is applied automatically and protects against common network- and transport-layer DDoS attacks. For more advanced protection (application-layer detection, DDoS cost protection and access to the Shield Response Team), use AWS Shield Advanced.

  3. Rate limiting - Set up throttling and quotas in API Gateway (at the account, stage and usage-plan level) to protect against abuse and to limit the impact of a DDoS attack on your backend.


It's awesome if you have stayed with me and gone through this long post. I know there is a lot to understand and digest here. I am summarizing the checklist here for you.

  1. Use least privilege IAM
  2. Regularly rotate the credentials
  3. Enable observability wherever possible
  4. Encrypt everything you can
  5. Protect endpoints and validate inputs
  6. Manage your secrets properly.

Here is a sample serverless application architecture you can refer to, where I have tried to add security at every possible level.


Thanks for reading and support. Do add comments for suggestions/improvements/discussions. I would be happy to connect with you awesome people.

You can connect with me on my LinkedIn.
