Aqua Blog

What You Need to Know About AWS Lambda Functions Risk Mitigation

What You Need to Know About AWS Lambda Functions Risk Mitigation

With serverless functions architecture gaining in popularity, it is also becoming clear that the architecture is not without its security drawbacks. Overly permissive permissions, vulnerability in the functions’ code, and embedded secrets could all be exploited. Despite being event-triggered and ephemeral by nature, serverless functions can still be subject to unauthorized activity such as event injection attacks, where attackers hijack invocations.

Aqua Cloud Native Security Platform (CSP) addresses the security risks, and in this blog, we will discuss the risks and demonstrate how Aqua CSP secures AWS Lambda functions in development and in runtime.

The distributed nature of serverless architectures gives a malicious attacker plenty of room to maneuver, turning the greatest asset of a serverless application into its most dangerous foe – it gives attackers significantly more points of entry. Serverless functions receive data from multiple event sources such as API calls, message queues, cloud storage, and more. These event sources exponentially increase the attack surface.

Many of the risks–vulnerabilities in dependencies, exposed sensitive data, or overly permissive privileges, can be mitigated in the CI/CD pipeline during development. However, despite the preliminary precautionary steps, there are still risks that materialize during the functions’ runtime and require advanced security controls to mitigate them.

Serverless function execution durations are extremely short. Usually, functions execute in just a few seconds or even fractions of a second. That’s a good thing from a security standpoint, as the lack of persistence defends from classic attack scenarios. Still, there are attack options that can exploit functions, or use the functions as a stepping-stone to access additional resources in one’s cloud account. Those attacks typically use code injection techniques or serialization attacks that take place in runtime.

If you’d like to learn more about the security risks of serverless functions, read this previously published blog, where we discussed runtime protection for AWS serverless functions with Aqua CSP.

Aqua CSP integrates into your CI/CD pipelines to scan AWS Lambda functions code for vulnerabilities, malware, misconfigurations, and embedded sensitive data during development as well as whitelists the intended activity of the functions to secure the AWS Lambda functions from attacks in runtime.

In the following video, Aqua’s Ali Naqvi discusses the challenges and risks that AWS Lambda functions pose to enterprise environments, of which the main attack surface is the serverless functions’ code. Attackers can exploit vulnerabilities in the functions’ code as an entry point to launch an attack. Referencing the OWASP top 10 list, Ali discusses the top serverless functions security risks and demonstrates how Aqua CSP secures AWS Lambda serverless functions during development and in real time.

Aqua CSP is both Private Offer and Enterprise Contract-enabled in the AWS Marketplace, allowing you to leverage your existing billing mechanisms with AWS to purchase and deploy Aqua CSP quickly and seamlessly.

Presented in partnership with AWS, learn more about serverless security and how to secure your serverless workloads on AWS Lambda.

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.