AWS Lambda Security Controls

A set of AWS Security Hub controls for AWS Lambda functions that prevent unauthorized access to the functions and preserve the integrity of the data they handle.

AWS Proprietary Cloud Service Only
Category Serverless Security
This page updated 30 days ago
Pricing Details Pricing varies based on usage and AWS services utilized.
Target Audience AWS developers, security architects, and compliance officers.

When securing AWS Lambda functions, a core challenge is making sure these serverless compute resources are configured so that only intended callers can invoke them and the data they process stays intact. AWS Security Hub addresses this with a set of controls designed specifically for Lambda.

Each control is backed by an AWS Config rule that evaluates a function's configuration against a best practice. The lambda-function-public-access-prohibited control checks that the function's resource-based policy does not grant access to principals outside your account, such as a wildcard principal or an unauthenticated function URL; a public policy lets anyone on the internet invoke the function (and, if it also grants lambda:GetFunction, retrieve its code). The lambda-inside-vpc control checks that the function is attached to a VPC, which routes its outbound traffic through your subnets so that security groups, network ACLs and route tables govern where it can connect. VPC attachment controls egress only: invocation still goes through the public Lambda API and is governed by the resource policy, so the two controls complement rather than replace each other. A separate multi-AZ control checks that a VPC-attached function has subnets in at least the required number of Availability Zones (two by default), so that the loss of one AZ does not take the function offline.

Operationally, attaching a function to a VPC means choosing subnets and security groups that fit the application and providing an egress path (a NAT gateway or VPC endpoints) for any AWS services or external endpoints the function must reach, because a VPC-attached function has no internet access by default. Functions should also carry the tags your inventory and compliance processes rely on; the tagged-lambda-function control checks that each function has the required tag keys, which is what makes ownership lookups and audit scoping reliable.
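To make the three checks described in the two paragraphs above concrete, here is an added example (not code from AWS or from this page) that re-implements their logic over constructed function descriptions, so it runs offline with no AWS calls. The inputs are made up to resemble what GetPolicy, GetFunctionConfiguration, ListTags and DescribeSubnets would return; the public-access test is an assumed approximation of lambda-function-public-access-prohibited (a wildcard or foreign-account principal with no aws:SourceAccount / aws:SourceArn / aws:PrincipalOrgID condition counts as public; the real Config rule's exact condition handling is not reproduced), and "lambda-vpc-multi-az-check" is assumed to be the Config rule name behind the multi-AZ control. The account ID, subnet IDs and tag keys are placeholders.

```python
"""Approximation of the Lambda checks described above, run over constructed
function descriptions instead of live AWS API calls (example code)."""
import json

# Constructed inputs (not real AWS output): the fields a script would gather
# from GetPolicy, GetFunctionConfiguration, ListTags and DescribeSubnets.
ACCOUNT_ID = "111122223333"
REQUIRED_TAGS = {"Owner", "DataClassification"}
MIN_AZS = 2  # assumed to match the multi-AZ control's default threshold
SUBNET_AZ = {"subnet-aaa": "us-east-1a", "subnet-bbb": "us-east-1b"}

SAMPLE_FUNCTIONS = [
    {   # weak: unauthenticated function URL, no VPC, missing a required tag
        "FunctionName": "public-url-fn",
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
            "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]},
        "VpcConfig": {},
        "Tags": {"Owner": "team-a"},
    },
    {   # weak: another account's root principal with no scoping condition
        "FunctionName": "cross-account-fn",
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
            "Action": "lambda:InvokeFunction"}]},
        "VpcConfig": {"SubnetIds": ["subnet-aaa", "subnet-bbb"]},
        "Tags": {"Owner": "team-b", "DataClassification": "internal"},
    },
    {   # corrected: service principal pinned to the calling account and bucket
        "FunctionName": "s3-trigger-fn",
        "Policy": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                          "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-uploads"}}}]},
        "VpcConfig": {"SubnetIds": ["subnet-aaa", "subnet-bbb"]},
        "Tags": {"Owner": "team-b", "DataClassification": "internal"},
    },
    {   # in a VPC but in a single AZ; no resource policy at all
        "FunctionName": "single-az-fn",
        "Policy": None,
        "VpcConfig": {"SubnetIds": ["subnet-aaa"]},
        "Tags": {"Owner": "team-c", "DataClassification": "internal"},
    },
]

SOURCE_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}


def _principals(statement):
    """Flatten the Principal element ("*", {"AWS": [...]}, {"Service": ...}) to strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for value in principal.values():
        values.extend(value if isinstance(value, list) else [value])
    return values


def _scoped_to_source(statement):
    """True if a condition key pins the caller to an account, source ARN or org."""
    for operator in statement.get("Condition", {}).values():
        if any(key.lower() in SOURCE_CONDITION_KEYS for key in operator):
            return True
    return False


def policy_is_public(policy, account_id):
    """Assumed approximation of lambda-function-public-access-prohibited."""
    if not policy:
        return False  # no resource policy: nothing granted outside the account
    if isinstance(policy, str):  # GetPolicy returns the document as a JSON string
        policy = json.loads(policy)
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow" or _scoped_to_source(statement):
            continue
        for principal in _principals(statement):
            if principal == "*":
                return True
            # arn:aws:iam::<account>:... -> compare the account field
            if principal.startswith("arn:aws:iam::") and principal.split(":")[4] != account_id:
                return True
    return False


def az_count(fn, subnet_az):
    """Number of distinct Availability Zones among the function's subnets."""
    subnets = fn.get("VpcConfig", {}).get("SubnetIds", [])
    return len({subnet_az[s] for s in subnets if s in subnet_az})


def evaluate(fn, account_id=ACCOUNT_ID, subnet_az=SUBNET_AZ,
             required_tags=REQUIRED_TAGS, min_azs=MIN_AZS):
    """Return the names of the checks this function fails."""
    failed = []
    if policy_is_public(fn.get("Policy"), account_id):
        failed.append("lambda-function-public-access-prohibited")
    if not fn.get("VpcConfig", {}).get("SubnetIds"):
        failed.append("lambda-inside-vpc")
    elif az_count(fn, subnet_az) < min_azs:
        failed.append("lambda-vpc-multi-az-check")  # assumed rule name, see lead-in
    if required_tags - set(fn.get("Tags", {})):
        failed.append("tagged-lambda-function")
    return failed


def evaluate_all(functions=SAMPLE_FUNCTIONS):
    return {fn["FunctionName"]: evaluate(fn) for fn in functions}


if __name__ == "__main__":
    print(json.dumps(evaluate_all(), indent=2))
```

The s3-trigger-fn policy is the shape the remediation guidance calls for: a service principal scoped with AWS:SourceAccount and AWS:SourceArn, which is what stops a bucket in some other account from invoking your function through the same service. Replacing the constructed SAMPLE_FUNCTIONS with data pulled from boto3 calls is the only change needed to run the same logic against a real account.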

These controls are evaluated by AWS Config in change-triggered mode, meaning a function is re-evaluated whenever its configuration changes rather than on a fixed interval (the multi-AZ check is the exception and runs on a periodic schedule). Separately from Security Hub, Lambda itself enforces TLS for every call to its API endpoints, so invocations and management operations are encrypted in transit, and environment variables are encrypted at rest with AWS KMS; the console's encryption helpers additionally encrypt a variable's value client-side before it is sent, so the plaintext never appears in the function configuration and the function code must decrypt it at runtime.

Two limitations matter in practice. First, lambda-inside-vpc only checks whether a function is attached to a VPC; it does not evaluate the subnets' routing configuration, so it says nothing about what the function can reach once attached, and that must be reviewed in the route tables, security groups and network ACLs themselves. Second, Lambda@Edge functions cannot be attached to a VPC at all, so the control reports them as non-compliant; those findings are expected and should be suppressed or accepted rather than remediated. The multi-AZ check is only as strict as the parameter you give it: it counts the distinct Availability Zones of the subnets attached to the function and compares that with the configured minimum, so a function whose subnets all sit in one AZ passes if the threshold is lowered to one.

In summary, the AWS Security Hub controls for Lambda give you a consistent framework for checking that functions are not publicly invocable, are attached to a VPC across enough Availability Zones, and carry the tags your processes require, provided you account for the operational work VPC attachment adds and for the cases the controls cannot evaluate.
