AWS Lambda Security
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute.
AWS Lambda security combines familiar appsec concerns with serverless-specific risks. Each function ships with an execution IAM role whose temporary STS credentials are available to the function code in-process, so over-broad role policies turn a single vulnerable function into broad cloud access — the leading Lambda finding in cloud audits. Lambda layers and container images introduce a software-supply-chain surface: a malicious or compromised layer is shared across many functions and rarely re-scanned. Environment variables are the default way to inject secrets, but they are visible to any principal with `lambda:GetFunctionConfiguration` and to anyone who can call `aws lambda update-function-configuration`; references to Secrets Manager or Parameter Store are preferred. VPC-attached Lambdas inherit the network posture of their subnet: a function in a misconfigured subnet can reach internal services it should not. Runtime threats — cryptojacking miners, info-stealers — have appeared but are less common than on EC2 because execution is short-lived. AWS Code Signing and Lambda function URLs added signed-deployment and authentication options in 2022. Defenses include least-privilege execution roles, layer pinning and signing, secrets via Secrets Manager rather than env vars, dedicated VPC/subnet design, CloudTrail data events for invocation logs, and runtime monitoring (Sysdig, Datadog, AWS GuardDuty Runtime Monitoring for Lambda).
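The audit below is an added example, not code from the original page or from AWS: it checks an execution-role policy for wildcard grants and a function configuration for env-var secrets, a missing code-signing profile, and VPC attachment, the findings the paragraph above describes. The policy and configuration are constructed inline (the field names follow the shape of `get_function_configuration` output as assumed here), so it runs offline without boto3.

```python
"""Offline audit of a Lambda execution-role policy and function configuration."""
import re
from typing import Dict, List

# Constructed sample: a role policy with one tightly scoped and one over-broad statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
# Constructed sample: a function configuration that leaks a secret through env vars.
SAMPLE_CONFIG = {
    "FunctionName": "orders-api",
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},
    "SigningProfileVersionArn": None,  # assumed field name; None means no code signing
}
SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict) -> List[str]:
    """Flag Allow statements that grant service-wide actions or account-wide resources."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*' for {actions}")
    return findings


def audit_config(cfg: Dict) -> List[str]:
    """Flag secret-looking env vars, missing code signing, and VPC attachment to review."""
    findings = []
    for key in cfg.get("Environment", {}).get("Variables", {}):
        if SECRET_KEY_RE.search(key):
            findings.append(f"env var {key} looks like a secret; use Secrets Manager")
    if not cfg.get("SigningProfileVersionArn"):
        findings.append("no code-signing profile attached")
    if cfg.get("VpcConfig", {}).get("SubnetIds"):
        findings.append("VPC-attached: verify subnet/SG reachability")
    return findings
```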
● Examples
- 01
A function reads secrets from AWS Secrets Manager at cold start, with its execution role limited to one specific secret ARN.
- 02
GuardDuty Runtime Monitoring flags a Lambda function that began making outbound DNS queries to a known mining pool.
● Frequently asked questions
What is AWS Lambda Security?
The security model and operational hardening of AWS Lambda functions — execution role least-privilege, layer integrity, code-signing, environment-variable secrets, VPC posture, and runtime threats specific to ephemeral compute. It belongs to the Cloud security category of cybersecurity.
How to defend against AWS Lambda Security?
Defenses against AWS Lambda Security usually combine technical controls and operational practices, as detailed in the definition above.
What are other names for AWS Lambda Security?
Common alternative names: Serverless security (Lambda), Lambda hardening.
● Related terms
- cloud-security № 1122
Serverless security
The practice of protecting event-driven and function-based workloads, such as AWS Lambda, Azure Functions and Google Cloud Functions, where the underlying servers are managed by the provider.
- cloud-security № 486
Function as a Service (FaaS)
A serverless cloud model in which ephemeral functions run on demand in response to events, with the provider managing servers, scaling and the runtime.
- cloud-security № 561
IAM misconfiguration (cloud)
Insecure or overly permissive cloud IAM settings that allow users, roles or services to perform more actions than they actually need.
- cloud-security № 212
Cloud token theft
Theft of OAuth, SAML or signing tokens from a cloud identity service and their replay to impersonate users or services without passwords.
- appsec № 512
Hardcoded secrets in code
Embedding credentials, API keys, tokens or cryptographic material directly in source code, configuration files or container images, where they are easily discovered and abused.
- identity-access № 955
Principle of least privilege
A security principle that grants each user, process or service only the privileges strictly necessary to perform its function.