AWS Lambda Security
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
AWS Lambda security combines familiar appsec concerns with serverless-specific risks. Each function ships with an execution IAM role whose credentials the function code obtains in-process via STS, so over-broad role policies turn a single vulnerable function into broad cloud access — the leading Lambda finding in cloud audits. Lambda layers and container images introduce a software-supply-chain surface: a malicious or compromised layer is shared across many functions and rarely re-scanned. Environment variables are the default way to inject secrets, but their values are visible to any principal allowed `lambda:GetFunctionConfiguration` and can be altered by anyone who can invoke `aws lambda update-function-configuration`; Secrets Manager / Parameter Store references are preferred. VPC-attached Lambdas inherit network posture: a function in a misconfigured subnet can reach internal services it should not. Runtime threats — cryptojacking miners, info-stealers — have appeared but are less common than in EC2 due to short-lived execution. AWS Code Signing and Lambda function URLs added authentication and signed-deployment options in 2022. Defenses include least-privilege execution roles, layer pinning and signing, secrets via Secrets Manager rather than env vars, dedicated VPC/subnet design, CloudTrail data events for invocation logs, and runtime monitoring (Sysdig, Datadog, AWS GuardDuty Runtime Monitoring for Lambda).
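An added example (not code from this page or from AWS) that checks two of the findings above offline: an over-broad execution-role policy and secrets injected as literal environment variables instead of Secrets Manager references. The policy document, account id, ARNs and environment values are constructed samples in the shape of an IAM policy and of `get-function-configuration` output.

```python
import json
import re

# Constructed sample: an inline policy on the function's execution role, in the
# shape of an IAM policy document (account id, region and secret name are made up).
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/db-creds-AbCdEf"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/app:*"}
  ]
}""")

# Constructed sample: the Environment block as returned by get-function-configuration.
FUNCTION_CONFIG = {"FunctionName": "app", "Environment": {"Variables": {
    "DB_SECRET_ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:app/db-creds-AbCdEf",
    "API_KEY": "EXAMPLE-not-a-real-key",   # a literal secret value: the finding we want
    "LOG_LEVEL": "INFO"}}}

SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.I)

def _as_list(x):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return x if isinstance(x, list) else [x]

def overbroad_statements(policy):
    """Allow statements whose Action is '*' or 'service:*', or whose Resource is '*'."""
    findings = []
    for st in policy["Statement"]:
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if st.get("Effect") == "Allow" and (wild_action or "*" in resources):
            findings.append({"Action": actions, "Resource": resources})
    return findings

def secrets_in_env(config):
    """Env vars whose name looks secret-like but whose value is a literal rather than
    an ARN pointing at Secrets Manager / Parameter Store (the reference pattern is fine)."""
    env = config.get("Environment", {}).get("Variables", {})
    return sorted(k for k, v in env.items()
                  if SECRET_NAME.search(k) and not v.startswith("arn:aws:"))
```

The scoped `secretsmanager:GetSecretValue` statement on a single secret ARN passes, while the `s3:*` on `*` statement and the literal `API_KEY` are reported.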
● Examples
- 01
A function reads secrets from AWS Secrets Manager at cold start, with its execution role limited to one specific secret ARN.
- 02
GuardDuty Runtime Monitoring flags a Lambda function that began making outbound DNS queries to a known mining pool.
● Frequently asked questions
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute. This notion belongs to the Cloud security category of cybersecurity.
How do you defend against the risks covered by AWS Lambda Security?
Defenses in this area usually combine technical controls and operational practices, as detailed in the definition above.
What are the other names for AWS Lambda Security?
Common alternative names: Serverless security (Lambda), Lambda hardening.
● Related terms
- cloud-security№ 1122
Serverless security
Security practices for event-driven and function-based workloads (AWS Lambda, Azure Functions, Google Cloud Functions) where the underlying servers are managed by the provider.
- cloud-security№ 486
Function as a Service (FaaS)
Serverless cloud model in which ephemeral functions run on demand in response to events, with the provider managing servers, scaling and the runtime.
- cloud-security№ 561
IAM misconfiguration (cloud)
Insecure or over-permissive cloud IAM settings that let users, roles or services perform more actions than they actually need.
- cloud-security№ 212
Cloud token theft
Theft of OAuth, SAML or signing tokens from a cloud identity service, then replaying them to impersonate users or services without needing passwords.
- appsec№ 512
Hard-coded secrets in code
Embedding credentials, API keys, tokens or cryptographic material directly in source code, configuration files or container images, where they are easily discovered and abused.
- identity-access№ 955
Principle of least privilege
Security principle that grants each user, process or service only the privileges strictly necessary for its function, and nothing more.