Security Overview of AWS Lambda
Publication date: December 27, 2022 (Document revisions)
Abstract
This whitepaper presents a deep dive into the AWS Lambda service
through a security lens. It provides a well-rounded picture of the
service, which is useful for new adopters, and deepens understanding
of Lambda for current users.
This whitepaper is intended for Chief Information Security Officers
(CISOs), information security engineers, enterprise architects,
compliance teams, and any others interested in understanding the
underpinnings of AWS Lambda.
Are you Well-Architected?
The AWS Well-Architected Framework helps you understand the pros
and cons of the decisions you make when building systems in the
cloud. The six pillars of the Framework allow you to learn
architectural best practices for designing and operating reliable,
secure, efficient, cost-effective, and sustainable systems. Using
the AWS Well-Architected Tool, available at no charge in the
AWS Management Console, you can review your workloads against
these best practices by answering a set of questions for each
pillar.
For more expert guidance and best practices for your cloud
architecture—reference architecture deployments, diagrams, and
whitepapers—refer to the AWS Architecture Center.
Introduction
AWS Lambda is an event-driven, serverless compute service that
extends other AWS services with custom logic, or creates other
backend services that operate with scale, performance, and
security. Lambda can automatically run code in response to many
kinds of events, such as HTTP requests through Amazon API Gateway
or a function URL, modifications to objects in Amazon Simple
Storage Service (Amazon S3) buckets, table updates in Amazon
DynamoDB, messages in Amazon Simple Queue Service (Amazon SQS),
notifications in Amazon Simple Notification Service (Amazon SNS),
streaming data in Amazon Kinesis, events or logs in Amazon
CloudWatch, events in Amazon EventBridge, and state transitions in
AWS Step Functions. You can also invoke a function directly from
any web or mobile app. Lambda runs code on a highly available
compute infrastructure and performs all the administration of the
underlying platform, including server and operating system
maintenance, capacity provisioning and automatic scaling,
patching, code monitoring, and logging.
With Lambda, you can just upload your code and configure when to
invoke it; Lambda takes care of everything else required to run
your code with high availability. Lambda integrates with many
other AWS services and enables you to create serverless
applications or backend services, ranging from periodically
initiated, simple automation tasks to full-fledged microservices
applications.
Lambda can also be configured to access resources within your
Amazon Virtual Private Cloud, and by extension, your on-premises
resources.
You can give a Lambda workload a strong security posture by using
AWS Identity and Access Management (IAM) together with the other
techniques discussed in this whitepaper, maintaining a high level
of security and auditability and meeting your compliance needs.
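The IAM point above is concrete enough to show. The following is an added example, not code from the whitepaper or from AWS: it builds a least-privilege execution role trust policy and permissions policy for a single function, places an over-broad "prototype" policy beside them, and runs a small linter over each. The account ID, region, function name and table name are placeholder assumptions; the `aws:SourceAccount` / `aws:SourceArn` conditions on the trust policy are the documented way to keep a Lambda execution role from being assumed on behalf of a function in another account (the confused-deputy case).

```python
"""Least-privilege IAM policies for one Lambda function, plus a linter.

Added example for illustration only; identifiers below are constructed
placeholders, not values taken from the whitepaper.
"""
import json

# Constructed placeholder identifiers (assumptions for this example).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
FUNCTION_NAME = "order-processor"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:{FUNCTION_NAME}"
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT_ID}:log-group:/aws/lambda/{FUNCTION_NAME}:*"
TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/orders"


def execution_role_trust_policy(account_id: str, function_arn: str) -> dict:
    """Trust policy for the function's execution role.

    Only the Lambda service may assume the role, and only on behalf of this
    one function in this account. Without the Condition block, a function in
    any account that learns the role ARN could have Lambda assume it.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": function_arn},
            },
        }],
    }


def execution_role_permissions_policy(log_group_arn: str, table_arn: str) -> dict:
    """Only what the function code needs: write its own log group and
    read/write one DynamoDB table. No wildcard actions or resources."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WriteOwnLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": log_group_arn,
            },
            {
                "Sid": "OrdersTableAccess",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                "Resource": table_arn,
            },
        ],
    }


# The "before": common in quick prototypes, grants everything on everything.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def lint_policy(policy: dict) -> list:
    """Return least-privilege findings for an IAM policy document.

    Flags wildcard actions, wildcard resources, anonymous principals without
    a Condition, and service principals (trust policies) without a Condition.
    An empty list means no findings.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        principal = stmt.get("Principal")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
        if principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            findings.append(f"statement {i}: anonymous principal without Condition")
        if isinstance(principal, dict) and "Service" in principal and "Condition" not in stmt:
            findings.append(f"statement {i}: service principal without SourceAccount/SourceArn Condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(execution_role_trust_policy(ACCOUNT_ID, FUNCTION_ARN), indent=2))
    print("broad policy findings:", lint_policy(OVERLY_BROAD_POLICY))
    print("scoped policy findings:", lint_policy(execution_role_permissions_policy(LOG_GROUP_ARN, TABLE_ARN)))
```

Run the linter over every role and resource-based policy attached to a function in CI; the scoped policies above produce no findings, the broad one produces two, and a trust policy with the Condition block removed produces one.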
The managed runtime environment model lets Lambda handle many of
the implementation details of running serverless workloads. This
model further reduces the attack surface while making cloud
security simpler. This whitepaper presents the underpinnings of
that model, along with best practices, to developers, security
analysts, security and compliance teams, and other stakeholders.