As serverless functions become increasingly popular in cloud-native application development, we have also started to see the security challenges that come with the hype. Serverless applications are at risk of the OWASP Top Ten application attacks. Even though serverless applications run without a managed server, they still execute code. If that code is not written following security best practices, or if the function uses excessive permissions, it can be vulnerable to a wide range of attacks.
Unlike traditional applications, Lambda functions can be triggered by a number of things, including other AWS services. They can be triggered by events such as a file being uploaded to an S3 bucket. They can even be triggered by an email or an SMS. A Lambda function with a command injection vulnerability allows an attacker to pass a malicious payload that can, among other things, steal the function's source code for use in further attacks. If the IAM role used by the Lambda function has excessive permissions, the attacker can use that role to scan and interact with other AWS services such as DynamoDB. Ultimately, they can perform unauthorized and malicious actions such as deleting and inserting records. These risks change the way we look at securing a microservice such as a Lambda function in a cloud-native application.
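As an added example that is not part of the original tutorial, the following Python Lambda handler shows the injectable pattern described above next to a hardened version. The S3 event, bucket name, allow-list pattern and the `wc -l` post-processing step are constructed for illustration and are not from the tutorial.

```python
import re
import subprocess

# Constructed sample event in the shape of an S3 PUT notification.
SAMPLE_EVENT = {
    "Records": [{"s3": {"bucket": {"name": "uploads-bucket"},
                         "object": {"key": "reports/2024/q1.csv"}}}]
}

# Allow-list for object keys: path segments from a conservative character set
# plus a simple extension. Anything else (spaces, ';', '|', '$', ...) is rejected.
SAFE_KEY = re.compile(r"^(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")


def object_key(event: dict) -> str:
    """Pull the object key out of an S3 notification event."""
    return event["Records"][0]["s3"]["object"]["key"]


def vulnerable_command(event: dict) -> str:
    """The injectable pattern: the untrusted key is interpolated straight into
    a shell command string. Returned (not executed) so it can be inspected."""
    key = object_key(event)
    return f"aws s3 cp s3://uploads-bucket/{key} /tmp/in && wc -l /tmp/in"


def hardened_argv(event: dict) -> list[str]:
    """Validate the key against the allow-list, then build an argument vector
    that is handed to the program directly, never through a shell."""
    key = object_key(event)
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key: {key!r}")
    return ["wc", "-l", f"/tmp/in/{key}"]


def handler(event: dict, context=None) -> dict:
    """Hypothetical Lambda entry point running only the hardened command."""
    argv = hardened_argv(event)
    # shell=False (the default): metacharacters inside argv have no effect.
    # Pair this with an IAM role limited to s3:GetObject on this one bucket.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return {"statusCode": 200 if result.returncode == 0 else 500,
            "body": result.stdout}
```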
In this tutorial, I'll do a step-by-step walk-through of deploying CloudGuard workload protection on a simple serverless Lambda function and integrating it with your CICD pipeline. CloudGuard workload protection can assess your Lambda code for vulnerabilities and embedded sensitive credentials, flag excessive permissions used by functions, and enable active protection and a workload firewall for your serverless workloads. When integrated with the CICD pipeline, CloudGuard can continuously protect your serverless application on every new release.
Check out my original GitHub tutorial here: https://github.com/jaydenaung/CloudGuard-Serverless-CICD-CodePipeline
Best,
Jayden Kyaw Htet Aung