Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1127

Serverless Security

Reviewed by Cybersecurity entrepreneur & security researcher

What is Serverless Security?

Serverless Security: The practice of securing event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider.


Serverless shifts patching and host security to the provider but introduces new risks: many small functions, ephemeral execution, event-source sprawl (S3, SQS, EventBridge, API Gateway), and tightly bound IAM permissions. Key controls include least-privilege execution roles per function, signed and SBOM-attached deployment packages, dependency scanning (SCA), validating untrusted event payloads, encrypted environment variables, short timeouts and concurrency limits to blunt abuse, and runtime application self-protection or eBPF telemetry from the platform. The OWASP Serverless Top 10 and Cloud Security Alliance guidance describe typical issues such as event injection, over-privileged functions, and insecure deployment configurations.

Examples

  1. An AWS Lambda with an IAM role allowing s3:* to all buckets after a small CloudFormation typo.

  2. Datadog or Snyk scanning Lambda dependencies and flagging vulnerable npm packages.
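As an added example (not code from this glossary or from any vendor), a small Python check over a Lambda execution role's policy document that flags the kind of over-grant in Example 01: a service-wide action wildcard such as s3:* or a Resource of "*". Both sample policies are constructed for this example; the bucket name is a placeholder.

```python
import json

# Constructed sample execution-role policy: "s3:*" on Resource "*" is the kind of
# over-grant a small template typo produces when the function only needs to read
# objects from one bucket prefix.
OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")

# The least-privilege version: one action, one bucket prefix (placeholder name).
LEAST_PRIVILEGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-input-bucket/uploads/*"}
  ]
}""")


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_grants(policy):
    """Return (statement index, reason, value) for each Allow statement that grants
    a service-wide action wildcard, applies to every resource, or allows by negation.
    Partial ARN wildcards (e.g. the logs ARN above) are left for human review."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for key in ("NotAction", "NotResource"):
            if key in stmt:  # Allow + NotX grants everything except the listed items
                findings.append((idx, "negation-based grant", key))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "wildcard action", action))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((idx, "all resources", "*"))
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, find_overbroad_grants(policy))
```

Run the same check in CI against the rendered IAM policies of every function's role so an over-grant is caught before deployment rather than discovered in an audit.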

Frequently asked questions

What is Serverless Security?

The practice of securing event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider. It belongs to the Cloud Security category of cybersecurity.

What does Serverless Security mean?

The practice of securing event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider.

How do you secure serverless workloads?

Defences for serverless workloads typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Serverless Security?

Common alternative names include: FaaS security, Lambda security.
