Gone in 60 milliseconds: Protect your AWS Lambda

Kuldeep
Published in All things cloud
Jan 3, 2017

More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda, also known as serverless computing. So, how can they be hacked if they only exist for 60 milliseconds?

I came across a talk about hacking AWS Lambda, which will show novel attack vectors using cloud event sources, exploits in common Serverless patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.

Even though the talk is about hacking AWS Lambda, it provides insights into how you can protect your AWS Lambda functions, based on the methods hackers use to try to exploit them.

My takeaways:

  1. Serverless or not — writing secure code is very important
  2. Ensure that only required (least) permissions are granted to the IAM role used by your AWS Lambda
  3. Protect your API Gateway with a key

Add your takeaways in comments.

Kuldeep: Cloud Architect | Cloud Evangelist | Conference Speaker | Principal Engineer @ Expedia Group