360-degree view of Lambda Security
AWS Lambda is a serverless, event-driven compute service that lets you run code for almost any kind
of application or backend service without provisioning or managing servers. Many AWS services and
software as a service (SaaS) applications can trigger Lambda: you supply the code and the service
runs it. These benefits have made serverless a common choice for new applications, yet the security
of serverless applications deserves attention because the attack surface is different from that of
a traditional server, less travelled, and still being mapped out.
Apoorva is an OSCP-certified security enthusiast with three years of experience in the field. Her primary areas of expertise are web application pentesting, API pentesting, network security and infrastructure security pentesting. She is currently employed as a Security Engineer at CRED, where she primarily focuses on Application Security, and is also a pentester at Cobalt.io. She has been inducted into several Halls of Fame, including those of Red Hat, Rackspace and KFC, and is an
active member of the Synack Red Team, where she finds and reports vulnerabilities to various organizations.
Our research covers secure ways of implementing an AWS Lambda architecture, automating secure
code analysis of Lambda functions, and the corresponding mitigations. Because Lambda supports a
large number of runtimes, developers can build entire backend functionality on it while AWS secures
the underlying infrastructure; under the shared responsibility model, the function code, its IAM
role, its triggers and its configuration remain the customer's responsibility. The core objective
focuses on flaws that can occur in Lambda code, in how Lambda functions are triggered (event
injection), in overly permissive IAM roles, in API Gateway configuration, in third-party
dependencies and in insufficient logging & monitoring, framed by the OWASP Serverless Top 10.
During our exploration we also evaluated various open source tools and were inspired to create our
own, which is still in the works. Our tool will run static analysis and SCA (Software Composition
Analysis), and will also detect Lambda-related misconfigurations such as S3 bucket issues, overly
permissive IAM roles, API Gateway issues and stale Lambda functions.
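The "triggering Lambda functions" flaw class above is easiest to see in a handler that trusts event data. The following is an added example, not code from the talk or its tool: an S3 object key (attacker-chosen by anyone who can write to the bucket) is interpolated into a shell command, beside the hardened form that allow-lists the key and builds an argv list instead. The S3 event, bucket name and handler names are constructed for illustration.

```python
"""Added example (not code from the talk): event-data injection in a Lambda
handler, the "triggering Lambda functions" / RCE flaw class.  The S3 event,
bucket name and handler names below are constructed for illustration."""
import re
import urllib.parse

# Constructed S3 ObjectCreated:Put event.  The object key is chosen by
# whoever can write to the bucket, so it is untrusted input; S3 delivers it
# URL-encoded, exactly as a real event would.
MALICIOUS_KEY = urllib.parse.quote("report.csv;id #", safe="")
S3_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {"bucket": {"name": "uploads-bucket"},
               "object": {"key": MALICIOUS_KEY}},
    }]
}
BENIGN_EVENT = {
    "Records": [{
        "eventSource": "aws:s3",
        "s3": {"bucket": {"name": "uploads-bucket"},
               "object": {"key": "2024/report.csv"}},
    }]
}


def _bucket_and_key(event):
    rec = event["Records"][0]["s3"]
    # unquote_plus mirrors what handlers usually do with S3 keys
    return rec["bucket"]["name"], urllib.parse.unquote_plus(rec["object"]["key"])


def build_command_vulnerable(event):
    """The vulnerable pattern: interpolate the key into a shell string.

    A handler that runs the result with subprocess.run(cmd, shell=True)
    executes the attacker's `id` after the `;` (the trailing `#` comments
    out the rest).  Returned as a string, not executed, so it is safe here.
    """
    bucket, key = _bucket_and_key(event)
    return f"aws s3 cp s3://{bucket}/{key} /tmp/in.csv"


# Allow-list for keys this function is willing to touch.
SAFE_KEY = re.compile(r"^[A-Za-z0-9._/-]{1,256}$")


def build_command_hardened(event):
    """Hardened pattern: validate the key, then build an argv list.

    An argv list passed to subprocess.run(argv) (shell=False, the default)
    is never parsed by a shell, so `;`, `$( )` and backticks in the key
    cannot change which program runs.  The allow-list additionally blocks
    path traversal and keys that would break the URL.
    """
    bucket, key = _bucket_and_key(event)
    if not SAFE_KEY.match(key) or ".." in key:
        raise ValueError(f"rejected untrusted object key: {key!r}")
    return ["aws", "s3", "cp", f"s3://{bucket}/{key}", "/tmp/in.csv"]


def hardened_rejects(event):
    """True if the hardened builder refuses the event's key."""
    try:
        build_command_hardened(event)
        return False
    except ValueError:
        return True


SHELL_META = re.compile(r"[;&|`$<>()\n]")


def shell_would_inject(cmd):
    """Crude check: does the command string contain shell metacharacters?"""
    return SHELL_META.search(cmd) is not None


def lambda_handler(event, context=None):
    """Illustrative handler using the hardened path (returns argv, does not run it)."""
    return {"argv": build_command_hardened(event)}


if __name__ == "__main__":
    print(build_command_vulnerable(S3_EVENT))
    print(hardened_rejects(S3_EVENT), lambda_handler(BENIGN_EVENT))
```

The same pattern applies to any trigger whose payload an outsider influences (API Gateway bodies and query strings, SQS message bodies, SNS subjects, DynamoDB stream records): treat the event as untrusted input and never let it reach a shell, an `eval`, or a deserializer.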
To address the points raised above, we have built an automated solution that streamlines the
entire process. It takes the ARN of a Lambda function as input, maps out all of the AWS services
the function interacts with, and identifies misconfigurations in those AWS resources. It also
performs static code analysis on the function's code base to identify OWASP Serverless Top 10
vulnerabilities as well as language-specific issues such as expression language injection,
JavaScript injection, remote code execution, deserialization vulnerabilities and so on.
Furthermore, it performs SCA (software composition analysis) to identify vulnerable dependencies
used by the function. The tool's output can then feed a user interface that shows a complete
360-degree security view of the Lambdas in an AWS architecture.
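Two of the resource-side checks the paragraph describes, starting from a function ARN, look like this. The following is an added example, not the talk's tool: it parses the ARN, flags wildcard grants in the execution role (the "overly permissive IAM role" case) and flags a resource-based policy that lets any principal invoke the function without a condition. The policy documents, account id and function name are constructed; the `fetch_policies` helper assumes boto3 and AWS credentials and is not exercised offline.

```python
"""Added example (not the talk's tool): starting from a Lambda ARN, flag an
overly permissive execution role and a publicly invokable function.  The
policy documents, account id and function name are constructed; the live
`fetch_policies` helper assumes boto3 and AWS credentials and is not run here."""
import json
import re

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-export"

# Constructed execution-role policy: what the function's code may do.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},   # full admin
    ],
}

# Constructed resource-based policy (the document `lambda:GetPolicy`
# returns): who may invoke the function.
FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "public", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "apigw", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn":
             "arn:aws:execute-api:us-east-1:123456789012:abcd1234/*/POST/export"}}},
    ],
}

ARN_RE = re.compile(
    r"^arn:aws:lambda:([a-z0-9-]+):(\d{12}):function:([A-Za-z0-9_-]+)(?::([^:]+))?$")


def parse_function_arn(arn):
    """Split a Lambda function ARN into region, account, name and qualifier."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Lambda function ARN: {arn!r}")
    region, account, name, qualifier = m.groups()
    return {"region": region, "account": account, "name": name, "qualifier": qualifier}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """(action, resource) pairs where an Allow grants `*` or `service:*` on
    every resource.  These are the 'overly permissive' grants."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for resource in _as_list(st.get("Resource", [])):
                if resource == "*" and (action == "*" or action.endswith(":*")):
                    found.append((action, resource))
    return found


def public_invoke_sids(policy):
    """Sids of statements that let any principal invoke the function with no
    Condition scoping the caller (e.g. no SourceArn / SourceAccount)."""
    sids = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        invoke = "lambda:InvokeFunction" in _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and anyone and invoke and not st.get("Condition"):
            sids.append(st.get("Sid", "<no sid>"))
    return sids


def audit(arn, role_policy, function_policy):
    """Combine the checks into one finding record for the given ARN."""
    meta = parse_function_arn(arn)
    return {"function": meta["name"], "account": meta["account"],
            "wildcard_grants": find_wildcard_grants(role_policy),
            "public_invoke": public_invoke_sids(function_policy)}


def fetch_policies(arn):
    """Live collection with boto3 (assumed installed and credentialled).
    Returns (merged_role_policy, function_policy) shaped like the constructed
    documents above.  Not called offline."""
    import boto3
    meta = parse_function_arn(arn)
    lam = boto3.client("lambda", region_name=meta["region"])
    role_name = lam.get_function_configuration(FunctionName=arn)["Role"].split("/")[-1]
    iam = boto3.client("iam")
    statements = []
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:       # inline policies
        statements += _as_list(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]["Statement"])
    for att in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:  # managed policies
        version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=att["PolicyArn"], VersionId=version)["PolicyVersion"]["Document"]
        statements += _as_list(doc["Statement"])
    try:
        function_policy = json.loads(lam.get_policy(FunctionName=arn)["Policy"])
    except lam.exceptions.ResourceNotFoundException:
        function_policy = {"Statement": []}   # no resource policy: only same-account IAM callers
    return {"Statement": statements}, function_policy


if __name__ == "__main__":
    print(json.dumps(audit(FUNCTION_ARN, ROLE_POLICY, FUNCTION_POLICY), indent=2))
```

Run against a live account, `audit(arn, *fetch_policies(arn))` gives the same record; the `apigw` statement is not reported because its `SourceArn` condition pins the caller to one API, which is the shape a correctly scoped trigger permission should have.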
In conclusion, the presentation will include a brief introduction to AWS Lambda, static analysis of
Lambda code and its secure implementation, Lambda vulnerabilities (every service that can affect a
Lambda application, plus the OWASP Serverless Top 10) and their mitigations. The overall exercise
should raise awareness of Lambda and its vulnerabilities, automate Lambda security to save time and
effort, and provide in-depth visibility into Lambda's serverless security.