Serverless Security: Protecting Functions in the Cloud

Serverless computing has revolutionized the way applications are built and deployed in the cloud. By abstracting away servers, serverless allows developers to focus on writing code without worrying about infrastructure. However, this abstraction of servers also abstracts away security responsibilities and surfaces new security risks.

In this post, we will dive into the unique security challenges that come with serverless architectures and best practices for securing serverless functions and data.

An Introduction to Serverless Security

Before diving into security specifics, let’s quickly recap what serverless computing entails.

Serverless computing refers to cloud services where the cloud provider dynamically provisions the computing resources required to run code. The code is typically run in stateless compute containers that are event-triggered and fully managed by the cloud provider.

Some key characteristics of serverless architectures:

  • No servers to provision or manage – The cloud provider automatically handles resource provisioning and scaling based on usage.
  • Event-driven – Code is executed in response to triggering events such as HTTP requests, database changes, queue messages, file uploads, scheduled tasks, etc.
  • Ephemeral – Compute containers are spun up momentarily to execute code then destroyed once the function finishes. No long-living servers or containers.
  • Pay-per-use pricing – You only pay for the compute resources used to execute your code. No charges when code is not running.

With serverless computing, there are no servers or infrastructure to hardened and secure. While this reduces an organization’s security responsibilities in some ways, serverless introduces new security risks and challenges:

  • Exposure of sensitive credentials that were previously secured on servers.
  • Increased blast radius from a single vulnerability or misconfiguration impacting many functions.
  • Lack of visibility into security events when code is spread across many discrete functions.
  • Difficulty detecting threats and establishing consistent security controls.

To securely build serverless applications, organizations need to re-think traditional security approaches and address these new risks head on.

Securing Serverless Functions

Serverless functions are the key building blocks of serverless architectures. Here are some best practices for securing individual functions:

Use Least Privilege Permissions

Grant functions only the permissions they absolutely need to carry out their task. Avoid using privileged roles or credentials whenever possible. This contains the blast radius if the function is compromised.

For example, if a function only needs read access to a storage bucket, grant read-only permissions rather than full control of the bucket. And avoid using highly privileged credentials (e.g root/admin users) to access other resources like databases.

Set up separate roles and credentials for each type of resource the function needs to access.

Encrypt Secrets and Credentials

Hardcoding secrets like API keys, database passwords, encryption keys directly in function code is very risky. If an attacker gains access to your functions, exposed secrets can lead to disastrous data breaches and account takeovers.

Instead of hardcoding, store secrets in a secure secret manager like AWS Secrets Manager, Azure Key Vault or HashiCorp Vault. Retrieve secrets at runtime through the secret manager’s API.

Encrypt any secrets stored in environment variables. AWS and Azure provide mechanisms to encrypt environment variables automatically.

Use Security Layers Around Functions

While functions themselves may lack advanced security controls, you can build security layers around groups of functions:

  • API Gateways – Front functions with an API gateway to handle authentication, rate limiting, WAF rules, and aggregation of cloud trails/logs.
  • Microsegmentation – Logically isolate functions and infrastructure into security zones with restricted network access between zones. This limits lateral movement.
  • Web Application Firewalls (WAF) – Deploy WAFs to monitor and filter incoming traffic for common attacks like XSS, SQLi, etc.
  • API Keys – Require API keys to invoke functions via HTTP triggers. Rotate keys frequently.

Scan Dependencies and Third Party Code

Be cautious about importing third party libraries/packages into functions. Scan them for known vulnerabilities using tools like npm audit, Snyk, or WhiteSource.

Also carefully evaluate open source code pulled into repositories to avoid supply chain attacks.

Use Automated Scanning Tools

Leverage cloud native and third party tools to continuously monitor functions for security misconfigurations and vulnerabilities:

  • Cloud provider scanning – AWS Inspector, Azure Security Center, Google Cloud Security Command Center.
  • SAST/DAST Testing – Scan function code and HTTP endpoints for vulnerabilities.
  • IAM Access Analyzers – Detect overpermissive IAM roles/policies.
  • Cloud monitors – Tools like Prisma Cloud, Sysdig, and Thundra monitor serverless environments.

Set up alerts and automation workflows to act on scanner findings.

Securing Serverless Data

Data within serverless applications also requires protection:

Encrypt Data In Transit and At Rest

Any data that functions process should be encrypted both while stored and while moving across networks.

For data at rest:

  • Enable default encryption options for cloud data storage services like S3, DynamoDB, and RDS.
  • Encrypt database files.
  • Leverage envelope encryption for data stored in object storage.

For data in transit:

  • Enforce SSL/TLS connections.
  • Encrypt data before it hits the network.

Secure Access with Minimal Permissions

Use IAM policies, resource policies, VPC rules, and firewalls to control which users, roles, services, and networks can access data.

Grant the minimal permissions needed and implement separation of duties.

Add Validation Checks

Functions that process data should validate the structure, length, encoding, and content of payloads. This helps prevent malformed input and detect unexpected payloads early.

Input validation helps functions handle bad data gracefully and prevents vulnerabilities like code injection.

Mask/Redact Sensitive Data

Scrub personal information, financial data, credentials, and any sensitive data from logs and analytics.

Only capture and retain the minimal amount of data required for troubleshooting and monitoring.

This reduces compliance risks and the impact of log and data breaches.

Managing Serverless Security Operationally

Beyond individual functions and data, securing serverless also requires organization-wide policies, processes, and tools:

Create a Serverless Security Strategy

Develop a strategy that identifies your organization’s unique serverless risks, technologies, required controls, and processes to continuously evaluate and improve security.

Engage developers, cloud ops, and security teams to define and support the strategy.

Standardize Security Across Functions

Centrally enforce consistent security policies, frameworks, and controls across all functions. Don’t rely on functions to self-implement security.

Policy areas to standardize: secrets management, IAM permissions, VPCs, WAF rules, CI/CD checks, monitoring/logging, etc.

Monitor Activity in Real-time

Since functions are event-driven, its critical to monitor events and changes in real-time. Send security logs, API calls, user activity, etc. to a SIEM, analytics tools, or monitoring solutions.

Get broad visibility across services and surface suspicious activity quickly for rapid response.

Enable Security Traceability

Trace code, infrastructure, and user changes back to specific developers, CI/CD pipelines, and Cloudtrail events.

Integrate Git commits with issue tracking and Cloudtrail to link code to business events for forensic investigations.

Plan for Incident Response

Outline an incident response plan tailored to serverless architectures. Include threat models for concepts like poisoned dependencies, breached functions, and excessive resource consumption.

Practice isolating and recovering compromised functions rapidly. Know how to enable logging quickly after an incident.

Key Takeaways

Here are some key takeaways for securing serverless applications:

  • Use least privilege permissions and secret isolation techniques.
  • Encrypt sensitive data in transit and at rest.
  • Implement layered security controls like API gateways, microsegmentation, and WAFs.
  • Continuously monitor functions for misconfigurations and vulnerabilities.
  • Create an organization-wide serverless security strategy.
  • Standardize security policies across all functions.
  • Monitor activity in real-time with analytics and SIEM integration.
  • Prepare incident response plans to recover functions quickly.

While serverless computing offloads infrastructure management, organizations retain responsibility for securing code, data, and integrations with other services. Serverless introduces new security dynamics that require teams to rethink how they monitor, defend, and respond to threats in the cloud.

Share your love
Himanshu Mahajan
Himanshu Mahajan
Articles: 33

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending now

bsod
Dealing with the Latest CrowdStrike BSOD Issue
The Critical Role of Identity and Access Management in Cloud Security
American Family Insurance (AmFam)
American Family Insurance Confirms Cyberattack, Disrupts Services
Creating Your Own Certificate Authority (CA) Using OpenSSL: A Step-by-Step Guide