Avoiding AWS Lambda Risks with Best Practices

AWS Lambda Security Best Practices

There’s no question that AWS Lambda remains the incumbent leader in serverless computing, and further growth is expected following Lambda’s recent enhancements: the ability to allocate up to 10 GB of memory to a Lambda function (a threefold increase) and up to six vCPUs in each execution environment for faster multithreaded and multi-process applications. This blog covers AWS Lambda risks and the security considerations you need to reduce them while getting the most out of the service.

AWS Lambda: A Brief Overview

If you’re experienced in AWS Lambda, feel free to skip over this section. For those new to the service and looking to learn, here is a quick primer on how the service works. 

In short, AWS Lambda is a service that lets you run code without having to provision or manage your own servers. It’s great for processing workloads that are memory or computationally intensive. 

Since its release in November 2014, Lambda has become increasingly popular due to the variety of benefits the service offers.

Continuous Scaling

AWS Lambda scales applications automatically by running your code in response to each individual event, so capacity tracks the size of the workload precisely rather than being provisioned up front.

No Backend Management

Lambda offers a cloud-native experience, enabling you to run code without being responsible for managing any infrastructure. All you have to do is write code and upload it to Lambda as a .zip file or container image. 

Subsecond Metering

Lambda’s model lets you pay only for the compute time you consume, so you won’t have to worry about overpaying for idle infrastructure. Charges are calculated per millisecond of execution and per invocation of your code.

AWS Lambda Security Best Practices 

As you can see, AWS Lambda is a powerful and widely used service. And because the service runs on AWS, the underlying infrastructure benefits from Amazon’s security architecture.

That said, there are some special considerations that need to be taken to secure AWS Lambda. Here are some AWS Lambda security best practices to consider:

Keep Your Lambdas Separate 

To avoid data leaks, AWS recommends that you don’t store user data, events, or other data with security implications in the execution environment, which can be reused between invocations. For functions that rely on mutable state that can’t be kept in memory within the handler, AWS also recommends creating separate functions and separate function versions for each user.
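The following is an added example, not code from the original post or from AWS, showing why the recommendation matters: a warm execution environment keeps module-level state alive between invocations, so a per-request value cached outside the handler is served to the next caller. A small in-process simulation calls each handler twice with different users; the event shape, the `user_id` field and the profile lookup table are assumptions made for this example.

```python
"""Added example: state left in the Lambda execution environment leaks across
invocations on a warm container, and the handler-scoped fix."""

# Constructed stand-in for a per-user profile store (not a real database).
_FAKE_DB = {
    "alice": {"owner": "alice", "plan": "enterprise"},
    "bob": {"owner": "bob", "plan": "free"},
}


def _load_profile(user_id):
    """Simulated lookup of the caller's profile."""
    return dict(_FAKE_DB[user_id])


# --- Leaky version -----------------------------------------------------------
# Module-level objects are created once per execution environment and survive
# until that environment is recycled, exactly like /tmp or a global cache.
_profile_cache = {}


def leaky_handler(event, context):
    # Bug: the cached profile is keyed on nothing caller-specific, so whoever
    # triggers the first invocation has their data served to every later caller
    # that lands on the same warm environment.
    if "profile" not in _profile_cache:
        _profile_cache["profile"] = _load_profile(event["user_id"])
    return {"user_id": event["user_id"], "profile": _profile_cache["profile"]}


# --- Corrected version --------------------------------------------------------
def safe_handler(event, context):
    # Everything derived from the request lives only for this invocation; nothing
    # with security implications is left behind for the next call to find.
    profile = _load_profile(event["user_id"])
    return {"user_id": event["user_id"], "profile": profile}


def simulate_warm_container(handler, user_ids):
    """Invoke `handler` repeatedly in one process, as a reused (warm) execution
    environment would, and return the profile owner each caller received."""
    return [handler({"user_id": uid}, None)["profile"]["owner"] for uid in user_ids]


if __name__ == "__main__":
    # Leaky handler: bob receives alice's profile on the second invocation.
    print(simulate_warm_container(leaky_handler, ["alice", "bob"]))
    # Safe handler: each caller receives only their own profile.
    print(simulate_warm_container(safe_handler, ["alice", "bob"]))
```

The same reasoning applies to anything written to `/tmp`, to connection objects that carry a caller's credentials, and to caches keyed on the wrong thing; if state must persist between invocations, keep it keyed per identity and scrub it, or follow the per-user function and version split described above.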

Use an API Gateway 

Using an API gateway is a no-brainer for this type of service. A gateway serves as the front door to the Lambda function, ensuring that only authorized identities can reach it. Amazon offers its own API Gateway to create and document web APIs that route requests to specific Lambda functions.

Using the API Gateway, you can secure access to each Lambda function and maintain strict authentication and authorization. For more information on how to use AWS Lambda with Amazon API Gateway, read the docs.
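As an added example (not from the original post and not AWS sample code), here is the shape of a Lambda authorizer, which is how API Gateway enforces authentication before a request ever reaches the backing function. API Gateway calls the authorizer with the caller's token and the method ARN, and the authorizer must answer with an IAM policy document that allows or denies `execute-api:Invoke`. The token format used here (an HMAC over `user:expiry`) and the shared secret are assumptions for the example; a real deployment would typically verify a JWT from your identity provider instead.

```python
"""Added example: a TOKEN-type Lambda authorizer for API Gateway that validates
an HMAC-signed bearer token and returns an Allow/Deny policy."""
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret; in practice this is fetched from a secrets store.
SECRET = b"example-shared-secret"


def mint_token(user: str, expires_at: int) -> str:
    """Issue `user:expiry:hex(hmac)`. Used here only to build example inputs."""
    payload = f"{user}:{expires_at}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return f"{user}:{expires_at}:{sig}"


def verify_token(token: str, now: int) -> Optional[str]:
    """Return the principal if the token is well-formed, unexpired and carries a
    valid signature; otherwise None."""
    parts = token.split(":")
    if len(parts) != 3:
        return None
    user, expiry, sig = parts
    if not expiry.isdigit() or int(expiry) < now:
        return None
    expected = hmac.new(SECRET, f"{user}:{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return user


def build_policy(principal: str, effect: str, method_arn: str) -> dict:
    """The response document API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def authorizer_handler(event, context, now=None):
    """Entry point. `event` carries `authorizationToken` and `methodArn`;
    `now` is injectable so the check is deterministic in tests."""
    now = int(time.time()) if now is None else now
    token = event.get("authorizationToken", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    principal = verify_token(token, now)
    if principal is None:
        # An explicit Deny gives the client a clean 403 and never reaches the function.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal, "Allow", event["methodArn"])


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"  # placeholder
    good = mint_token("alice", 2_000_000_000)
    print(authorizer_handler({"authorizationToken": "Bearer " + good, "methodArn": arn}, None))
```

Scope the `Resource` in the returned policy to the method ARN (or a deliberately chosen prefix) rather than `*`, because API Gateway caches the authorizer's answer and a broad Allow would be reused for other routes during the cache window.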

Use Tight IAM Governance 

AWS Identity and Access Management (IAM) enables administrators to control access to AWS resources. For Lambda this works in two directions: administrators control who is authenticated and authorized to invoke or modify Lambda resources, and they configure, through the function’s execution role, what the Lambda functions themselves are privileged to do.
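The execution role is where over-privilege usually creeps in, so here is an added example (not from the original post or any vendor tool) of a pre-deployment check on that role's policy document. It flags Allow statements that grant every action, a whole service (`service:*`), a wildcard resource, or use `NotAction`/`NotResource`, and it shows a loose policy next to a tightened one for the same function. The bucket, table, log group and account id are placeholders constructed for the example.

```python
"""Added example: lint a Lambda execution-role policy for over-broad grants."""
import json

# Constructed: the kind of policy that gets pasted in "just to make it work".
OVER_BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::*"}
  ]}""")

# Constructed: the same function's real needs, named explicitly.
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn:*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
    {"Effect": "Allow",
     "Action": ["dynamodb:PutItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}
  ]}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resource_is_wildcard(res: str) -> bool:
    """True for '*' or an ARN whose resource segment is just '*'.
    An ARN is arn:partition:service:region:account:resource, so the log-stream
    pattern 'log-group:/name:*' above is specific and is not flagged."""
    if res == "*":
        return True
    parts = res.split(":", 5)
    return len(parts) == 6 and parts[5] == "*"


def find_overbroad_statements(policy: dict) -> list:
    """Return (statement_index, reason) pairs for each over-broad Allow grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "action grants every API: '*'"))
            elif action.endswith(":*"):
                findings.append((i, f"action grants a whole service: '{action}'"))
        for res in _as_list(stmt.get("Resource", [])):
            if _resource_is_wildcard(res):
                findings.append((i, f"resource is a wildcard: '{res}'"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
    return findings


if __name__ == "__main__":
    for name, pol in (("over-broad", OVER_BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, find_overbroad_statements(pol))
```

A check like this belongs in the pipeline that deploys the function, so a wildcard role fails review before it ever runs; it complements, rather than replaces, the runtime monitoring of what the role actually uses.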

For further protection, you can also use the Sonrai Dig platform to streamline IAM governance with AWS Lambda functions and all other AWS services. Sonrai Dig uses AWS APIs to integrate with AWS and delivers advanced analytics to help security teams provision and manage permissions. Sonrai integrates seamlessly with AWS for a powerful and centralized IAM experience.

Sonrai Dig’s CIEM Solution for AWS Lambda Risks

Most employees have access entitlements they don’t need and probably shouldn’t have, and with over 40% of machine identities being over-privileged, securing non-person identities is a massive part of Cloud Infrastructure Entitlement Management.

A mature CIEM solution like Sonrai Dig can inventory all non-person identities, such as Lambda functions, and map out their end-to-end permissions, then use graphing technologies to visualize those permission chains. Understanding and prioritizing identity risks lets you work towards least privilege for all non-person identities: machines and functions like Lambda hold the minimum privileges necessary to complete their job, for the minimum amount of time. Once your organization has reached its desired policy, the CIEM tool monitors against that baseline and notifies you any time a Lambda function accesses a resource it shouldn’t, or one it has never accessed before.

With Dig’s intelligent workflows and automated remediation, a deviation from the baseline is presented promptly to the team responsible for the issue. Where a manual ticket would otherwise have been raised for a security team to respond to, Sonrai Dig’s automated remediation capability can strip access or suspend the machine’s identity immediately to prevent further risk.
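To make the baseline idea concrete, here is an added example that is not Sonrai's code and not from the original post: a learning window records which actions and resources each function's role actually used, and anything later that falls outside that set is raised as a deviation, distinguishing a never-seen resource from a new action on a known one. The records mimic CloudTrail's `eventSource`, `eventName`, `userIdentity.arn` and `requestParameters` fields but are constructed for this example, and the role ARN, buckets and table names are placeholders.

```python
"""Added example: detect a Lambda role's deviation from its learned access
baseline over constructed CloudTrail-style events."""
from collections import defaultdict

# Placeholder identity for the orders function's execution role.
ROLE = "arn:aws:sts::123456789012:assumed-role/orders-fn-role/orders-fn"


def _ev(source, name, **params):
    """Build a minimal constructed CloudTrail-like record."""
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": ROLE}, "requestParameters": params}


# Constructed: what the function did during the learning window.
LEARNING_EVENTS = [
    _ev("s3.amazonaws.com", "GetObject", bucketName="example-orders-bucket", key="incoming/1.json"),
    _ev("dynamodb.amazonaws.com", "PutItem", tableName="orders"),
]

# Constructed: later activity, including two things the role never did before.
LATER_EVENTS = [
    _ev("s3.amazonaws.com", "GetObject", bucketName="example-orders-bucket", key="incoming/2.json"),
    _ev("s3.amazonaws.com", "GetObject", bucketName="hr-payroll-exports", key="q3.csv"),
    _ev("s3.amazonaws.com", "PutObject", bucketName="example-orders-bucket", key="incoming/3.json"),
    _ev("iam.amazonaws.com", "CreateAccessKey", userName="svc-admin"),
]


def _resource_of(event):
    """Collapse an event to the coarse resource touched (bucket, table, user...)."""
    params = event.get("requestParameters") or {}
    for key in ("bucketName", "tableName", "functionName", "userName"):
        if key in params:
            return f"{event['eventSource']}/{params[key]}"
    return event["eventSource"]


def build_baseline(events):
    """Map each identity to the set of (eventName, resource) pairs it used."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["userIdentity"]["arn"]].add((e["eventName"], _resource_of(e)))
    return baseline


def find_deviations(baseline, events):
    """Return every event outside the identity's baseline, tagged as either a
    resource the identity never touched or a new action on a known resource."""
    deviations = []
    for e in events:
        ident = e["userIdentity"]["arn"]
        known = baseline.get(ident, set())
        key = (e["eventName"], _resource_of(e))
        if key in known:
            continue
        seen_resources = {res for _, res in known}
        kind = "new-action" if key[1] in seen_resources else "new-resource"
        deviations.append({"identity": ident, "event": key[0],
                           "resource": key[1], "kind": kind})
    return deviations


if __name__ == "__main__":
    for d in find_deviations(build_baseline(LEARNING_EVENTS), LATER_EVENTS):
        print(d)
```

A real pipeline would feed this from CloudTrail or Access Analyzer data and route each finding to the owning team; the "new-resource" class is the one worth paging on, since it is exactly the case of a function reaching somewhere it never had a reason to go.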

This is just one of the many ways that Sonrai makes cloud management easier, safer, and faster for security teams. Sonrai can serve as your organization’s complete end-to-end IAM, CIEM and data governance solution, helping you deploy services at the speed and scale of the cloud—with the confidence that comes with knowing your systems are protected.

To continue learning about AWS cloud security risks, read how Sonrai works with AWS. Better yet, contact us and demo Sonrai Dig today to see for yourself.