Serverless Security risks and how to mitigate them

Whether we are building a simple to-do list or a complex online banking platform, the security of the application should always be one of our priorities. We should never deploy our application to production hoping it will not get hacked. From the moment we start drafting our initial plans for the software, we should leave room for security measures. This basic principle remains the same regardless of what we build, how we build it, where we deploy it or who uses it. That said, the burden of the security risks may vary according to the approach we take when developing our applications. In this article, we will discuss the changes serverless applications bring to the security equation.

Shared Responsibility Model in Serverless Computing.

Many traditional application security concerns are lifted from the developer when moving to serverless computing because most of the responsibilities are transferred to the cloud provider.

 


 

But we are still responsible for the code we run on the cloud platform, and a huge part of the security concerns lies there. The distributed nature of serverless architecture gives attackers more exposure and more opportunities. Everything from the way we architect our software to the way we configure and deploy it determines whether the application we build is a secure and robust product.

What should we keep an eye on?

Event Injection:

Not only in serverless applications but in general, we have to validate inputs before they are passed directly to an interpreter.

A serverless function can have multiple event sources, which means there are different types of events such as HTTP API calls, DB events, S3 events, Stream processing events, etc. which can trigger a serverless function. We must evaluate our serverless functions against possible dangerous inputs to keep them from behaving in a way they are not intended to.

Over-privileged function permissions and roles:

This is a very high security risk, yet one that can be eliminated without much hassle. We have to be very precise when granting access permissions to a serverless function. Instead of granting all privileges to a serverless function, we should grant only the bare minimum set of privileges that is adequate to perform its intended task.

For example, a function which is supposed to fetch objects from S3 should not have write access to objects in the S3 Bucket. So when you are granting permissions to your function, you have to carefully analyze the intended task of the function and find out the required permissions. If you are using an IDE like Sigma for your Serverless deployments, it will automatically do this for you.
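One way to check a function's role against the S3 example above, as an added example that is not part of the original article: the sketch below audits an IAM policy document for actions beyond what the function needs. The function names, the sample policies and the bucket name `example-reports` are constructed for illustration, and conditions are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed sample policies for a function that only reads objects.
# The bucket name "example-reports" is a placeholder.
OVER_PRIVILEGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-reports/*"},
]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reports/*"}}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return list(value) if isinstance(value, list) else [value]


def audit_policy(policy, required_actions):
    """Return (statement_index, issue) findings for grants beyond required_actions."""
    required = {a.lower() for a in required_actions}  # action names are case-insensitive
    findings, granted = [], []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append((i, "NotAction allows everything except the listed actions"))
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()
            granted.append(pattern)
            if "*" in pattern or "?" in pattern:
                findings.append((i, f"wildcard action {action}"))
            elif pattern not in required:
                findings.append((i, f"unneeded action {action}"))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((i, "applies to every resource (*)"))
    # Also report required actions that no Allow statement grants.
    for action in sorted(required):
        if not any(fnmatchcase(action, p) for p in granted):
            findings.append((None, f"required action {action} is not granted"))
    return findings


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE)):
        print(name, audit_policy(policy, {"s3:GetObject"}))
```

A check like this can run in a deployment pipeline so that a role granting `s3:*` or write actions to a read-only function fails the build.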

Insufficient logging and monitoring:

For any application, it is vital to have a good monitoring system and a descriptive logging mechanism. We don’t want to end up with a broken application and no clue about what went wrong, or with a large AWS bill and no idea what caused it.

For a serverless application, this aspect is still a bit challenging. We might need to adopt a serverless-native observability and monitoring solution or rely on third-party systems. At the same time, it is important that we put the support services AWS has to offer, such as AWS X-Ray, Amazon CloudWatch and AWS CloudTrail, to effective use for better logging and monitoring outcomes.

Identifying vulnerabilities and risks:

Assessing vulnerabilities and risks in a serverless application is challenging compared to a traditional application, as most existing security tools focus only on traditional applications. Serverless application developers have to use all the resources at hand to make sure the application is hacker-proof and that vulnerabilities are identified from time to time and fixed. But with the large shift from traditional to serverless computing, more sophisticated tools will become available to cater to the needs that serverless application builders face today.

And there are more:

You can find a detailed report on serverless application security risks, including the ones mentioned above, and how to prevent them here. I highly recommend going through this article, as it covers an in-depth analysis of serverless security risks.

Final thoughts:

Shifting from traditional computing to Serverless computing needs a change in the way we think. We often consider benefits like low cost / easy scaling as the reasons one must move to the cloud. But it is important that we identify the risks and pay enough attention to the security aspects as well to serve better products to customers.