Aqua Serverless Security
Aqua's serverless security solution provides protection for serverless functions without compromising performance or increasing costs.
Category | Serverless Security |
---|---|
This page updated | a month ago |
Pricing Details | Contact for pricing details. |
Target Audience | Developers and DevOps teams working with serverless architectures. |
Aqua's serverless security solution addresses the core challenge of securing serverless functions without compromising their performance or increasing costs. The technical architecture revolves around the Aqua NanoEnforcer, a lightweight, performance-optimized component designed specifically for serverless environments like AWS Lambda.
The NanoEnforcer is added to serverless functions as a Lambda Layer, requiring no modifications to the function code or its runtime. This approach ensures that the security controls do not introduce significant latency or memory overhead, with an impact on function invocation time kept below 3ms and memory usage under 2Mb.
Operationally, Aqua's solution integrates into CI/CD pipelines using native plugins for tools like Jenkins, Bamboo, and Azure DevOps. This allows for early detection of vulnerabilities, unencrypted sensitive data, and excessive permissions, enabling developers to address these issues before the functions are deployed.
Key controls include preventative measures such as scanning for vulnerable packages and dependencies, detecting unencrypted sensitive data, and enforcing least-privilege roles. At runtime, the NanoEnforcer blocks code injection attempts, detects unauthorized executables, and identifies indicators of compromise (IoCs) using embedded honeypots. These measures are designed to be deterministic, eliminating false positive alerts and minimizing the risk to user environments.
However, there are operational considerations, such as the need to manage and update the NanoEnforcer layers across multiple functions and environments. Additionally, while the solution is highly optimized, it still requires careful configuration to ensure that the security policies align with the specific needs of each function, balancing security with performance and cost efficiency.