Learn About Amazon VGT2 Learning Manager Chanci Turner
In the process of developing serverless applications with AWS Lambda, there are essential considerations surrounding security, governance, and compliance. This article discusses how Lambda, as a serverless solution, streamlines cloud security and compliance, allowing you to focus on your core business logic. It outlines controls that can be implemented for your Lambda workloads to ensure adherence to organizational standards.
The Shared Responsibility Model
The AWS Shared Responsibility Model delineates the division of responsibilities between AWS and customers regarding cloud workloads. AWS is accountable for the “Security of the Cloud,” safeguarding the infrastructure that supports all services within the AWS Cloud. Conversely, customers are tasked with “Security in the Cloud,” which involves managing and securing their workloads. In traditional applications, you assume responsibility for several infrastructure components, including operating systems and network configurations.
Shared Responsibility in Traditional Applications vs. Serverless Applications
A significant advantage of utilizing serverless applications is the transfer of more responsibilities to AWS, enabling you to focus on your business applications. AWS manages the updates and maintenance of the underlying servers, operating systems, and networking as part of the service operation.
For AWS Lambda, AWS oversees the application platform where your code operates, including the management of language runtimes. This arrangement minimizes the attack surface and simplifies cloud security. Your responsibilities include ensuring the security of your code and managing AWS Identity and Access Management (IAM) for Lambda services and within your functions. Lambda is compliant with SOC, HIPAA, PCI, and ISO standards. For more details, refer to the compliance validation for AWS Lambda and the latest certification readiness services available.
Lambda Isolation
Lambda functions execute within isolated AWS accounts allocated specifically to the Lambda service. The service invokes your code in a secure runtime environment inside its own account. That environment runs on hardware-virtualized micro virtual machines (MVMs) hosted on a Lambda worker node.
These Lambda workers are bare metal EC2 Nitro instances, managed and updated by the Lambda service team. They are designed with a maximum lease duration of 14 hours to maintain the security and freshness of the underlying infrastructure. MVMs are created using Firecracker, an open-source virtual machine monitor (VMM) that utilizes Linux’s Kernel-based Virtual Machine (KVM) to securely manage MVMs at scale.
Network Security
Lambda functions operate within secure Amazon Virtual Private Clouds (VPCs) owned by the Lambda service. This setup allows Lambda functions access to AWS services and the public internet while preventing direct inbound access to Lambda workers, runtime environments, or Lambda functions. All inbound requests to a Lambda function are processed solely through the Lambda Invoke API, which transmits the event object to the function handler.
If required, you can configure a Lambda function to connect to subnets in your account’s VPC, governed by IAM condition keys. The function still runs inside the Lambda service VPC, sending all network traffic through your VPC, with outbound traffic originating from your own network address space.
To provide your VPC-connected function with internet access, route outbound traffic through a NAT gateway in a public subnet. Attaching a function directly to a public subnet does not give it internet access or a public IP address, because the function still runs inside the Lambda service VPC and only routes its traffic into your VPC. All internal AWS traffic travels over the AWS Global Backbone rather than the public internet, so you do not need to connect a function to a VPC for it to reach AWS services securely. VPC-connected functions do, however, let you control and audit outbound network access: the security groups attached to the function govern its outbound traffic.
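The point above, that security groups are the control for a VPC-connected function's egress and that a non-VPC function has no such control, can be turned into a check. The following is an added example, not code from the page or from AWS: it audits the shape of data returned by the Lambda and EC2 APIs, but the function names, security group ids and rules below are constructed samples, and the audit runs entirely offline on them.

```python
# Constructed samples shaped like the boto3 responses a real audit would read:
#   lambda.get_function_configuration(...)["VpcConfig"]
#   ec2.describe_security_groups(...)["SecurityGroups"]  (keyed by GroupId here)
# All ids and names are made up for this example.
SAMPLE_SECURITY_GROUPS = {
    "sg-0default": {  # the default egress rule AWS creates: everything, everywhere
        "GroupId": "sg-0default",
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    "sg-0https": {  # egress limited to HTTPS, e.g. to a NAT gateway and on to an API
        "GroupId": "sg-0https",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
}

SAMPLE_FUNCTIONS = {
    "orders-api": {"VpcId": "vpc-0abc", "SubnetIds": ["subnet-0aaa"],
                   "SecurityGroupIds": ["sg-0default"]},
    "orders-worker": {"VpcId": "vpc-0abc", "SubnetIds": ["subnet-0aaa"],
                      "SecurityGroupIds": ["sg-0https"]},
    # A function that is not VPC-connected comes back with empty lists (or no VpcConfig).
    "orders-nightly": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []},
}

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_reaches_internet(rule):
    """True if an egress rule's destination covers every address (v4 or v6)."""
    v4 = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    v6 = [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return ANY_IPV4 in v4 or ANY_IPV6 in v6


def _rule_allows_all_ports(rule):
    """IpProtocol '-1' means all protocols and therefore all ports."""
    return rule.get("IpProtocol") == "-1"


def audit_egress(function_name, vpc_config, security_groups_by_id):
    """Return a list of findings about what this function may send outbound."""
    findings = []
    vpc_config = vpc_config or {}
    if not vpc_config.get("SubnetIds"):
        findings.append(
            f"{function_name}: not VPC-connected, so outbound traffic leaves from the "
            "Lambda service VPC and cannot be restricted or audited with your security groups")
        return findings
    for sg_id in vpc_config.get("SecurityGroupIds", []):
        sg = security_groups_by_id.get(sg_id)
        if sg is None:
            findings.append(f"{function_name}: security group {sg_id} not found")
            continue
        for rule in sg.get("IpPermissionsEgress", []):
            if _rule_reaches_internet(rule) and _rule_allows_all_ports(rule):
                findings.append(
                    f"{function_name}: {sg_id} allows all outbound traffic to any "
                    "destination (the default egress rule); scope it to the ports and "
                    "destinations the function needs")
    return findings


def audit_all(functions, security_groups_by_id):
    """Audit every function; the result maps function name to its findings."""
    return {name: audit_egress(name, cfg, security_groups_by_id)
            for name, cfg in functions.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_FUNCTIONS, SAMPLE_SECURITY_GROUPS).items():
        print(name, "->", findings or "ok")
```

In a real account the two dictionaries would be filled from `get_function_configuration` and `describe_security_groups`; the rule logic stays the same. A rule such as `tcp/443` to `0.0.0.0/0` is deliberately not flagged, since an HTTPS-only egress through a NAT gateway is the pattern the section recommends.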
Runtime Environment Reuse
Each runtime environment handles a single request at a time. Once Lambda has finished processing a request, the environment is kept ready to serve a subsequent request for the same function version. Data in the local temporary filesystem, in globally scoped variables, and in environment variables persists between invocations of the same function version. Treat anything left in those locations as visible to later invocations: keep sensitive information scoped to the individual function invocation rather than caching it in global state or leaving it in the temporary filesystem.
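The following added example (not from the page, and not AWS code) makes the reuse behaviour concrete. It is a hypothetical handler that receives a constructed `card_token` in its event: module-level state is used only for an invocation counter and a non-sensitive configuration cache, the token stays in locals, and the scratch file it writes to the temporary filesystem is removed before the handler returns. The helper `environment_holds` is an assumption of this example, a way to check what the reused module state still contains after a call.

```python
import json
import os
import tempfile

# Module scope is initialised once per runtime environment and then reused by
# every invocation that environment serves. That makes it the right place for
# connection handles and non-sensitive configuration, and the wrong place for
# anything request-specific or secret.
INVOCATIONS_IN_THIS_ENVIRONMENT = 0
_CONFIG_CACHE = {}


def scratch_path(request_id):
    """Per-invocation scratch file in the temporary filesystem (which persists)."""
    return os.path.join(tempfile.gettempdir(), f"lambda-scratch-{request_id}.json")


def scratch_file_exists(request_id):
    """True if a scratch file for this request id is still on disk."""
    return os.path.exists(scratch_path(request_id))


def _load_config():
    """Cache non-sensitive settings so later invocations skip the lookup."""
    if not _CONFIG_CACHE:
        # Assumption: a region default so the example also runs outside Lambda.
        _CONFIG_CACHE["region"] = os.environ.get("AWS_REGION", "us-east-1")
    return _CONFIG_CACHE


def _mask(token):
    """Keep only the last four characters of a token for the response."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def handler(event, context=None):
    """Hypothetical handler: takes a card token and returns a masked summary."""
    global INVOCATIONS_IN_THIS_ENVIRONMENT
    INVOCATIONS_IN_THIS_ENVIRONMENT += 1
    config = _load_config()

    request_id = getattr(context, "aws_request_id", "local")
    # The sensitive value lives only in this call's locals; it is gone when the
    # handler returns instead of lingering in the reused environment.
    card_token = event["card_token"]
    path = scratch_path(request_id)
    try:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump({"card_token": card_token}, fh)
        with open(path, encoding="utf-8") as fh:
            masked = _mask(json.load(fh)["card_token"])
    finally:
        # /tmp survives between invocations of the same function version, so
        # the scratch data is deleted before the environment is handed on.
        if os.path.exists(path):
            os.remove(path)

    return {
        "invocation": INVOCATIONS_IN_THIS_ENVIRONMENT,
        "region": config["region"],
        "card_token_masked": masked,
    }


def environment_holds(marker):
    """True if any module-level value (the state reused across calls) contains marker."""
    return any(marker in repr(value)
               for name, value in globals().items() if not name.startswith("__"))


if __name__ == "__main__":
    # Two constructed events standing in for two requests served by one environment.
    for token in ("tok_constructed_1234", "tok_constructed_9876"):
        print(handler({"card_token": token}))
    print("token retained in environment:", environment_holds("tok_constructed"))
```

Running the block twice through `handler` shows the counter climbing, which is exactly the persistence the section describes; the final check shows that nothing derived from the token survived in module state or on disk.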
Utilizing Multiple Accounts
AWS advocates for using multiple accounts to segregate resources, as they naturally establish boundaries for security, access, and billing. AWS Organizations can help manage and govern these individual member accounts centrally. Additionally, AWS Control Tower can automate many account creation steps and apply managed guardrails to govern your environment, including preventative guardrails to limit actions and detective guardrails to alert on non-compliant resources.
Lambda Access Controls
Lambda permissions dictate what actions a Lambda function can perform and who or what can invoke the function. When applying access controls, consider the following components to ensure least privilege:
- Execution Role: Lambda functions require permissions to access other AWS resources through execution roles. This AWS principal, assumed by the Lambda service, allows permissions via identity policy statements assigned to the role. The Lambda service uses this role to fetch and cache temporary security credentials, accessible as environment variables during a function’s invocation.
- Identity/User Policies: IAM identity policies are associated with IAM users, groups, or roles, enabling users or callers to perform operations on Lambda functions.
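The least-privilege review the list above calls for can be partly automated. This is an added example, not code from the page or from AWS: it inspects an execution role's identity policy document for the two patterns that most often defeat least privilege, wildcard actions and write-capable actions granted on every resource. The two policies, the bucket name, account id and log group are constructed for the example, and the read-only prefix list is a simplifying assumption rather than an IAM rule.

```python
import json

# Constructed execution-role policies. "BROAD" grants more than the function
# needs; "SCOPED" limits each action to the resource the function actually uses.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-orders-bucket/incoming/*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*"},
    ],
}

# Assumption for this example: action names starting with these verbs are
# treated as read-only and tolerated on Resource "*".
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    _, _, name = action.partition(":")
    return name.startswith(READ_ONLY_PREFIXES)


def find_overbroad_statements(policy):
    """Return human-readable findings for Allow statements that are wider than needed."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in resources:
            writes = [a for a in actions if "*" not in a and not _is_read_only(a)]
            if writes:
                findings.append(
                    f"statement {idx}: write actions {writes} allowed on every resource; "
                    "scope Resource to the specific ARN(s)")
    return findings


def is_least_privilege(policy):
    """Convenience wrapper: True when the checker raises no findings."""
    return not find_overbroad_statements(policy)


if __name__ == "__main__":
    for label, policy in (("BROAD", BROAD_POLICY), ("SCOPED", SCOPED_POLICY)):
        print(label, json.dumps(find_overbroad_statements(policy), indent=2))
```

A real review would pull the role's inline and attached policies with the IAM API and run each document through `find_overbroad_statements`; the checker is deliberately conservative and reports the statement index so the finding maps straight back to the policy.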