AWS Lambda
AWS Lambda is the Amazon serverless service. It can integrate with other AWS services, such as AWS IAM for managing permissions to AWS Lambda, Amazon CloudWatch for monitoring AWS Lambda, and Amazon S3 and Amazon EFS for persistent storage.
Configuring IAM
AWS IAM is the supported service for managing permissions to AWS Lambda.
Best practices
Grant minimal IAM permissions for any newly created AWS Lambda function (for running tasks, accessing S3 buckets, monitoring using CloudWatch Events, and so on) – match a specific IAM role to any newly created AWS Lambda function.
Use open source tools such as serverless-puresec-cli to generate IAM roles for your function.
Avoid storing credentials inside AWS Lambda code.
If you need to store sensitive data (such as credentials), use AWS Secrets Manager.
For better protection of your Lamba functions, configure AWS Lambda behind Amazon API Gateway.
For sensitive environments, encrypt Lambda environment variables using CMK management (as explained in Chapter 7, Applying Encryption in Cloud Services).
Use TLS 1.2 to encrypt sensitive data over the network.
Enforce MFA for end users who have access to the AWS API (console, CLI, and SDK) and perform privileged actions such as managing the Lambda service.
Network access to AWS Lambda
AWS Lambda can be deployed either as an external resource outside a VPC or inside a VPC => it is important to plan before deploying each Lambda function.
Best practices
Use Amazon API Gateway to restrict access to your Lambda function, from a specific IP address or CIDR.
If your Lambda function is located outside a VPC, and the Lambda function needs access to resources inside your VPC, use AWS PrivateLink, which avoids sending network traffic outside your VPC, through a secure channel, using an interface VPC endpoint.
If your Lambda function is located inside your VPC, and the Lambda function needs access to external resources on the internet, use the NAT gateway to give your Lambda function the required access, without exposing Lambda to the internet directly.
Use TLS 1.2 to encrypt traffic to and from your Lambda functions.
Conducting auditing and monitoring
AWS allows you to enable auditing using the AWS CloudTrail service.
Best practices
Enable enhanced monitoring of your Lambda functions.
Use Amazon CloudWatch to detect spikes in Lambda usage.
Use AWS CloudTrail to monitor API activities related to your Lambda function.
Conducting compliance, configuration change, and secure coding
As a customer, you cannot control the underlying infrastructure => invest in secure coding to avoid attackers breaking into your application and causing harm that AWS cannot protect.
Best practices
Follow the OWASP Serverless Top 10 project documentation when writing your Lambda function code.
Enable versions in your Lambda functions, to be able to roll back to previous code.
Use AWS Signer to sign your Lambda function code and make sure you only run signed code.
If you use Amazon API Gateway in front of your Lambda functions, use the API Gateway Lambda authoriser as an extra layer of protection for authorizing access to your Lambda functions.
Use AWS Config to check for changes in your Lambda functions.
Use Amazon Inspector assessment templates to detect non-compliance or the use of old versions of a runtime in your Lambda functions.