AWS Lambda Security
What is AWS Lambda Security?
AWS Lambda Security: The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
AWS Lambda security combines familiar appsec concerns with serverless-specific risks. Each function ships with an execution IAM role whose credentials the function code obtains in-process via STS, so over-broad role policies turn a single vulnerable function into broad cloud access — the leading Lambda finding in cloud audits. Lambda layers and container images introduce a software-supply-chain surface: a malicious or compromised layer is shared across many functions and rarely re-scanned. Environment variables are the default way to inject secrets, but they are readable by any principal with the IAM permission `lambda:GetFunctionConfiguration` and writable by anyone who can call `aws lambda update-function-configuration`; Secrets Manager / Parameter Store references are preferred. VPC-attached Lambdas inherit the network posture of their subnet: a function in a misconfigured subnet can reach internal services it should not. Runtime threats — cryptojacking miners, info-stealers — have appeared but are less common than on EC2 because execution is short-lived. AWS Code Signing and Lambda function URLs added authentication and signed-deployment options in 2022. Defenses include least-privilege execution roles, layer pinning and signing, secrets via Secrets Manager rather than env vars, dedicated VPC/subnet design, CloudTrail data events for invocation logs, and runtime monitoring (Sysdig, Datadog, AWS GuardDuty Runtime Monitoring for Lambda).
● Examples
- 01: A function reads secrets from AWS Secrets Manager at cold start, with its execution role limited to one specific secret ARN.
- 02: GuardDuty Runtime Monitoring flags a Lambda function that began making outbound DNS queries to a known mining pool.
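As an added example (not code from this page or from AWS), the following Python audit runs offline over constructed function configurations and execution-role policies and flags the two issues the definition and example 01 call out: literal secrets in environment variables, and execution roles that carry wildcard actions or read secrets without being pinned to one secret ARN. The function names, role ARNs, account ID and secret values are constructed sample data.

```python
import re
from typing import Any, Dict, List
# Secret-looking env var names; a Secrets Manager / Parameter Store ARN value is a reference, anything else a literal.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
REFERENCE = re.compile(r"^arn:aws:(secretsmanager|ssm):")
def _as_list(x: Any) -> List[str]:
    return [x] if isinstance(x, str) else list(x or [])
def env_var_findings(config: Dict[str, Any]) -> List[str]:
    """Flag secret-looking env vars whose value is a literal instead of an ARN reference."""
    env = config.get("Environment", {}).get("Variables", {})
    return [f"{config['FunctionName']}: env var {k} holds a literal secret"
            for k, v in env.items() if SECRET_NAME.search(k) and not REFERENCE.match(v)]
def policy_findings(function_name: str, policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements with wildcard actions, or secret reads not pinned to one secret ARN."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            out.append(f"{function_name}: wildcard action(s) {wild} in execution role")
        if any(a.lower() == "secretsmanager:getsecretvalue" for a in actions) and \
                any(r == "*" or r.endswith("*") for r in resources):
            out.append(f"{function_name}: secretsmanager:GetSecretValue not scoped to one secret")
    return out
def audit(functions: List[Dict[str, Any]], role_policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Run both checks over every function; an empty list means nothing to report."""
    findings: List[str] = []
    for cfg in functions:
        findings += env_var_findings(cfg)
        findings += policy_findings(cfg["FunctionName"], role_policies.get(cfg["Role"], {}))
    return findings

# Constructed sample data shaped like get-function-configuration output and inline role policies.
ACCT = "123456789012"
DB_SECRET = f"arn:aws:secretsmanager:us-east-1:{ACCT}:secret:prod/db"
SAMPLE_FUNCTIONS = [
    {"FunctionName": "orders-api", "Role": f"arn:aws:iam::{ACCT}:role/orders-api-role",
     "Environment": {"Variables": {"DB_SECRET_ARN": DB_SECRET}}},
    {"FunctionName": "legacy-export", "Role": f"arn:aws:iam::{ACCT}:role/legacy-export-role",
     "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "TABLE": "orders"}}},
]
SAMPLE_ROLE_POLICIES = {
    SAMPLE_FUNCTIONS[0]["Role"]: {"Statement": [{"Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue", "Resource": DB_SECRET}]},
    SAMPLE_FUNCTIONS[1]["Role"]: {"Statement": [{"Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "s3:*"], "Resource": "*"}]},
}
```

Running `audit(SAMPLE_FUNCTIONS, SAMPLE_ROLE_POLICIES)` reports nothing for `orders-api` and three findings for `legacy-export`; in practice the input would come from the Lambda and IAM APIs rather than the inline sample.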
● Frequently asked questions
What is AWS Lambda Security?
See the definition above. It belongs to the Cloud Security category of cybersecurity.
How does AWS Lambda Security work?
See the description above.
How do you defend against AWS Lambda Security?
Defense typically combines the technical controls and operational practices described in the definition above.
What are other names for AWS Lambda Security?
Common aliases: Serverless security (Lambda), Lambda hardening.
● Related terms
- cloud-security № 1122
Serverless Security
The practice of protecting event-driven, function-based workloads such as AWS Lambda, Azure Functions, and Google Cloud Functions, where the underlying servers are managed by the provider.
- cloud-security № 486
FaaS (Function as a Service)
A serverless cloud model that runs short-lived functions on demand in response to events; the provider manages servers, scaling, and runtimes.
- cloud-security № 561
IAM Misconfiguration (Cloud)
A state in which identity and access management in the cloud is insecure or over-permissive, allowing users, roles, and services to perform more operations than they need.
- cloud-security № 212
Cloud Token Theft
An attack that steals tokens such as OAuth, SAML, and signing keys from cloud identity services and replays them to impersonate users or services without their credentials.
- appsec № 512
Hardcoded Secrets in Code
Embedding credentials, API keys, tokens, and cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
- identity-access № 955
Principle of Least Privilege
The security principle of granting users, processes, and services only the permissions strictly necessary for their task, and nothing more.