AWS Lambda

Table of Contents

AWS Lambda is a function-as-a-service. A Lambda function is a small bit of code, invoked asynchronously or via an API Gateway. Lambda functions require no operating systems or container infrastructure and live for no more than 15 minutes. They are a core component of the concept of “Serverless”.

From the AWS Service Description:

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app. (sourced from the AWS product page)

Service Summary

Service Name: AWS Lambda
Service Family: Compute
Supports Resource Policies: Yes
Service Pricing: Costs
Service Webpage: https://aws.amazon.com/lambda/

Security Risks

Like EC2 instances, Lambda have execution IAM roles which can have excess permissions. Lambda also have permissions that allow them to be invoked across AWS accounts. This of course means a Lambda can be public.

Since Lambda execute code, there is the possibility of any developer introduced software vulnerabilities. Lambda can exist inside our outside of a VPC.

Lambda can be invoked by API, via API Gateway or by an AWS Application Load Balancer (ALB). API invocation requires IAM permissions in the account (unless you foolishly made the invocation policy Principal: *). API Gateway and ALB could (and typically does) allow anyone to invoke the lambda. Consider a WAF for the API Gateway or ALB as added protection

Be cognizant of Denial of Wallet Attacks. While AWS Lambda are cheap, they are not free. And someone could make trouble for you by running up your AWS bill by invoking lambda over and over.

Suggested Compliance Rules around Organizations

  1. Do not allow Lambda policies to allow any AWS account to invoke the lambda
  2. Lambda should not use end-of-life runtime
  3. API Gateway & ALBs should leverage an AWS WAF

CloudTrail events of significance

The CloudTrail eventSource is “lambda.amazonaws.com”

There aren’t many CloudTrail events that merit monitoring.

  • AddPermission is the eventName used when an AWS account or other principal is granted the ability to invoke a function.

Related Commercial & OpenSource tools

  • PureSec from PaloAlto has a free agent that can embed into certain lambda. Their commercial offering has additional protections