AWS Lambda Security
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions: execution-role least privilege, layer integrity, code signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
AWS Lambda security combines familiar appsec concerns with serverless-specific risks. Every function runs under an execution IAM role: the Lambda service assumes that role on the function's behalf and hands the temporary credentials to the runtime (in the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` environment variables), so any code-execution bug in the function yields those credentials, and an over-broad role policy turns one vulnerable function into broad cloud access. Over-permissive execution roles are among the most common Lambda findings in cloud audits. Lambda layers and container images add a software-supply-chain surface: one malicious or compromised layer is shared across many functions and rarely re-scanned, and a layer published from a third-party account is pulled in by ARN with no integrity check unless code signing is enforced. Environment variables are the default way to inject configuration, but their values are returned in clear text to any principal holding `lambda:GetFunctionConfiguration` (or `lambda:GetFunction`), and anyone with `lambda:UpdateFunctionConfiguration` can change them; secrets therefore belong in Secrets Manager or SSM Parameter Store, with the environment variable holding only the secret ARN or parameter name. VPC-attached functions inherit the network posture of their subnets and security groups: a function placed in a poorly segmented subnet can reach internal services it should not. Runtime threats such as cryptojacking miners and info-stealers have been observed in Lambda, but they persist less well than on EC2 because execution environments are short-lived. AWS added Code Signing for Lambda in 2020 (the service rejects deployment packages and layers not signed by a trusted signing profile) and function URLs in 2022; a function URL created with `AuthType: NONE` is reachable by anyone on the internet, so it should use `AWS_IAM` unless the function is deliberately public. Defenses include least-privilege execution roles scoped to specific resource ARNs, code-signing configs that also cover layers, secrets via Secrets Manager rather than environment variables, dedicated VPC/subnet design, CloudTrail data events for invocation logs, and runtime monitoring (Sysdig, Datadog, and GuardDuty Lambda Protection, which inspects the function's VPC network activity).
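The checks above (secrets in environment variables, wildcard execution-role policies, third-party layers, missing code signing, unauthenticated function URLs) can be run offline against the JSON that `aws lambda get-function-configuration`, `aws lambda get-function-url-config` and `aws lambda get-function-code-signing-config` return, plus the role's policy document. The following linter is an added example written for this page, not code from AWS or from any tool the page names; the function name, account IDs, ARNs and policy contents in the sample input are constructed.

```python
"""Offline linter for the serverless-specific Lambda findings described above.
Added example; all sample inputs are constructed, not real account data."""
import re

# Environment-variable names that usually carry a secret rather than a reference.
_SECRET_NAME = re.compile(r"(secret|passw(or)?d|token|api_?key|private_?key)", re.I)


def _as_list(value):
    """IAM policies allow a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(arn):
    """arn:partition:service:region:account-id:resource -> account-id"""
    return arn.split(":")[4]


def lint_function(config, role_policy, url_config=None, code_signing=None):
    """Return a list of finding strings for one function."""
    findings = []

    # 1. Secrets in environment variables are readable by any principal holding
    #    lambda:GetFunctionConfiguration (or lambda:GetFunction).
    env = config.get("Environment", {}).get("Variables", {})
    for name in env:
        if _SECRET_NAME.search(name):
            findings.append(f"env var {name!r} looks like a secret; move it to "
                            "Secrets Manager / Parameter Store and keep only the ARN here")

    # 2. Over-broad execution role: wildcard actions, or Resource "*" on anything
    #    other than the CloudWatch Logs permissions every function needs.
    for stmt in role_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"role allows wildcard action {action!r}")
        if "*" in resources and not all(a.startswith("logs:") for a in actions):
            findings.append(f"role grants {actions} on Resource '*'")

    # 3. Layers from another AWS account are a supply-chain dependency pulled in
    #    by ARN; they should be covered by the code-signing config.
    own_account = _account_of(config["FunctionArn"])
    for layer in config.get("Layers", []):
        if _account_of(layer["Arn"]) != own_account:
            findings.append(f"layer {layer['Arn']} comes from an external account")

    # 4. get-function-code-signing-config returns the attached config ARN; an
    #    empty result means unsigned deployment packages are accepted.
    if not (code_signing or {}).get("CodeSigningConfigArn"):
        findings.append("no code signing config attached; unsigned packages accepted")

    # 5. A function URL with AuthType NONE is reachable by anyone on the internet.
    if url_config and url_config.get("AuthType") == "NONE":
        findings.append(f"function URL {url_config.get('FunctionUrl')} has AuthType NONE")

    return findings


# --- constructed sample input (shapes mirror the AWS CLI JSON output) ---------
SAMPLE_CONFIG = {
    "FunctionName": "order-processor",
    "FunctionArn": "arn:aws:lambda:eu-west-1:111122223333:function:order-processor",
    "Role": "arn:aws:iam::111122223333:role/order-processor-role",
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "TABLE": "orders"}},
    "Layers": [
        {"Arn": "arn:aws:lambda:eu-west-1:111122223333:layer:shared-utils:4"},
        {"Arn": "arn:aws:lambda:eu-west-1:999999999999:layer:vendor-sdk:12"},
    ],
}
SAMPLE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
SAMPLE_URL_CONFIG = {
    "FunctionUrl": "https://abc123.lambda-url.eu-west-1.on.aws/",
    "AuthType": "NONE",
}

if __name__ == "__main__":
    for finding in lint_function(SAMPLE_CONFIG, SAMPLE_ROLE_POLICY, SAMPLE_URL_CONFIG, None):
        print("FINDING:", finding)
```

The logs statement with `Resource: "*"` is deliberately tolerated because the managed `AWSLambdaBasicExecutionRole` policy grants exactly that; everything else on `*` is reported. Run against real output by feeding the parsed CLI JSON into `lint_function`.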
● Examples
- 01
A function reads its database credentials from AWS Secrets Manager at cold start and caches them for warm invocations; its execution role allows `secretsmanager:GetSecretValue` on that one secret ARN only.
- 02
GuardDuty Lambda Protection flags a function that began sending VPC traffic to an IP address associated with cryptocurrency mining.
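Example 01 in code form, as an added illustration rather than code from the page: the execution-role policy names exactly one secret ARN, the environment variable carries only that ARN, and the handler fetches the secret once per execution environment with a bounded cache so a rotated secret is not used forever. `FakeSecretsManager` is a constructed stand-in for `boto3.client("secretsmanager")` so the file runs offline; the ARNs, account ID and credential values are made up.

```python
"""Secret read at cold start with a least-privilege execution role.
Added example; ARNs, account IDs and secret values are constructed."""
import json
import os
import time

# The environment variable holds only the *reference* to the secret; the value
# never appears in the function configuration.
SECRET_ARN = os.environ.get(
    "DB_SECRET_ARN",
    "arn:aws:secretsmanager:eu-west-1:111122223333:secret:prod/orders/db-AbCdEf",
)

# Execution role policy: one action on one secret ARN plus the log-group
# permissions every function needs. No secretsmanager:*, no Resource "*".
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": SECRET_ARN},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/aws/lambda/order-processor:*"},
    ],
}


class FakeSecretsManager:
    """Constructed offline stand-in for boto3.client('secretsmanager')."""

    class AccessDenied(Exception):
        pass

    def __init__(self, secrets):
        self._secrets = secrets   # secret ARN -> SecretString
        self.calls = 0            # number of API calls made through this client

    def get_secret_value(self, SecretId):
        self.calls += 1
        if SecretId not in self._secrets:
            raise self.AccessDenied(SecretId)
        return {"ARN": SecretId, "SecretString": self._secrets[SecretId]}


# The module-level cache survives across warm invocations of the same execution
# environment; the TTL bounds how long a rotated secret keeps being used.
_CACHE_TTL_SECONDS = 300
_cache = {}  # secret ARN -> (parsed value, monotonic expiry time)


def load_secret(client, secret_id=SECRET_ARN, now=None):
    """Return the parsed secret, calling Secrets Manager only on a cache miss."""
    now = time.monotonic() if now is None else now
    hit = _cache.get(secret_id)
    if hit is not None and hit[1] > now:
        return hit[0]
    resp = client.get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    _cache[secret_id] = (value, now + _CACHE_TTL_SECONDS)
    return value


def _default_client():
    import boto3  # present in the Lambda runtime; imported lazily so this file runs offline
    return boto3.client("secretsmanager")


def handler(event, context, client=None):
    """Lambda entry point; `client` is injectable so the handler can be exercised offline."""
    creds = load_secret(client or _default_client())
    # Open the database connection with creds["username"] / creds["password"] here.
    # Only non-sensitive fields are echoed back in the response.
    return {
        "statusCode": 200,
        "body": json.dumps({"user": creds["username"], "order": event.get("orderId")}),
    }


if __name__ == "__main__":
    fake = FakeSecretsManager({SECRET_ARN: '{"username": "app", "password": "s3cr3t"}'})
    handler({"orderId": "1"}, None, client=fake)
    handler({"orderId": "2"}, None, client=fake)
    print("Secrets Manager calls across two invocations:", fake.calls)  # 1
```

If the role were missing `secretsmanager:GetSecretValue` on this ARN, the real client would raise `AccessDeniedException` at cold start and the function would fail closed, which is the desired behaviour; the stand-in mimics that with `AccessDenied`.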
● Frequently asked questions
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions: execution-role least privilege, layer integrity, code signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute. It belongs to the Cloud security category of cybersecurity.
What does AWS Lambda Security mean?
The security model and operational hardening of AWS Lambda functions: execution-role least privilege, layer integrity, code signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
How does AWS Lambda Security work?
It layers familiar appsec controls with serverless-specific ones. The function's execution IAM role is the main blast-radius control: the Lambda service injects that role's temporary credentials into the runtime, so a compromised function holds exactly the permissions the role grants. Layers and container images are a supply-chain surface, environment variables are readable by any principal with `lambda:GetFunctionConfiguration` (so secrets belong in Secrets Manager or Parameter Store), VPC-attached functions inherit their subnet's network reach, code signing rejects unsigned deployment packages and layers, and function URLs must use `AWS_IAM` auth unless the function is meant to be public. Runtime threats such as cryptojacking have been seen but persist poorly because execution environments are short-lived.
How do you defend against the risks AWS Lambda Security covers?
Defenses combine technical controls and operational practices, as detailed in the definition: least-privilege execution roles scoped to specific resource ARNs, code-signing configs that cover layers, secrets via Secrets Manager rather than environment variables, dedicated VPC/subnet design, CloudTrail data events for invocation logs, and runtime monitoring (Sysdig, Datadog, GuardDuty Lambda Protection).
What are other names for AWS Lambda Security?
Common alternative names: Serverless security (Lambda), Lambda hardening.
● Related terms
- cloud-security № 1122
Serverless security
The practice of protecting event-driven, function-based workloads such as AWS Lambda, Azure Functions or Google Cloud Functions, where the provider manages the underlying servers.
- cloud-security № 486
Functions as a Service (FaaS)
A serverless model in which ephemeral functions run on demand in response to events, while the provider manages servers, scaling and the execution environment.
- cloud-security № 561
IAM misconfiguration (cloud)
Insecure or overly permissive cloud IAM settings that let users, roles or services perform actions beyond what they actually need.
- cloud-security № 212
Cloud token theft
Theft of OAuth, SAML or signing tokens from a cloud identity service and their reuse to impersonate users or services without needing passwords.
- appsec № 512
Hardcoded secrets
Embedding credentials, API keys, tokens or cryptographic material directly in code, configuration files or container images, where they are easily discovered and abused.
- identity-access № 955
Principle of least privilege
A security principle that grants each user, process or service only the minimum privileges strictly required to perform its function.