TL;DR
This guide covers essential security steps for your AWS serverless applications (Lambda, API Gateway, DynamoDB, etc.). It focuses on practical measures to protect against common vulnerabilities. Regularly review and update these practices.
1. IAM Roles & Permissions
- Principle of Least Privilege: Grant only the minimum permissions required for each Lambda function or service. Avoid using wildcard (*) permissions.
- Example: Instead of arn:aws:iam::*:policy/AdministratorAccess, use specific resource ARNs and actions.
- Review IAM Policies: Regularly audit your IAM policies to identify overly permissive rules. Use AWS IAM Access Analyzer.
- Use Managed Policies Where Possible: Leverage pre-defined AWS managed policies as a starting point, then refine them for specific needs.
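A small policy linter for the audit step above, as an added example that is not part of the original guide: it walks a policy document and flags every Allow statement that relies on wildcards. The two sample policies, the Orders table, the us-east-1 region and the log group name are constructed.

```python
# Constructed sample policies (not from the original guide): the first is the
# kind of wildcard grant the guide warns against, the second is scoped to what
# one Lambda needs (read one DynamoDB table, write its own log group).
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn:*"},
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy):
    """Return (statement index, reasons) for every Allow statement that relies on
    wildcards: Action "*" or "service:*", Resource "*", or NotAction/NotResource
    (an inverted wildcard). Deny statements are skipped: a broad Deny restricts."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        reasons = []
        if "NotAction" in stmt or "NotResource" in stmt:
            reasons.append("NotAction/NotResource grants everything not listed")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if "*" in _as_list(stmt.get("Resource")):
            reasons.append("wildcard resource")
        if reasons:
            findings.append((i, reasons))
    return findings
```

Run it over the inline policies of each Lambda role as part of the regular review; anything it flags is a candidate for narrowing to specific actions and ARNs.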
2. Lambda Function Security
- Code Signing: Use AWS Signer to digitally sign your Lambda function deployment packages. This ensures only trusted code is deployed.
aws lambda put-function-code-signing-config --function-name my-function --code-signing-config-arn arn:aws:signer::123456789012:codesigningConfig/abcdefg...
- Environment Variables: Store sensitive information (API keys, database passwords) as encrypted environment variables using AWS KMS.
- Avoid hardcoding secrets in your code.
- Dependency Management: Keep dependencies up-to-date to patch security vulnerabilities. Use tools like npm audit or pipenv.
- Runtime Security: Choose a supported runtime and apply regular security updates.
3. API Gateway Security
- Authentication & Authorization: Implement robust authentication (e.g., Cognito, custom authorizers) to verify user identity.
- Use API keys for rate limiting and basic access control, but don’t rely on them as the sole security measure.
- Request Validation: Validate all incoming requests to prevent injection attacks (SQL injection, XSS).
- Throttling & Rate Limiting: Protect your APIs from denial-of-service attacks by setting appropriate throttling limits.
- CORS Configuration: Configure CORS carefully to restrict access to authorized origins only. Avoid using wildcard (*) for allowed origins in production.
4. DynamoDB Security
- IAM Policies: Control access to DynamoDB tables using IAM policies, following the principle of least privilege.
- Encryption at Rest: Enable encryption at rest for your DynamoDB tables using AWS KMS.
- Consider using customer-managed keys (CMK) for greater control.
- Fine-Grained Access Control: Use DynamoDB fine-grained access control to restrict access to specific items or attributes within a table.
5. Monitoring & Logging
- CloudTrail: Enable AWS CloudTrail to log all API calls made to your AWS account, including those related to your serverless applications.
- CloudWatch Logs: Collect and monitor logs from your Lambda functions and other services using Amazon CloudWatch Logs.
- Set up alerts for suspicious activity.
- AWS X-Ray: Use AWS X-Ray to trace requests through your serverless application, helping you identify performance bottlenecks and security issues.
6. Network Security
- VPC Configuration (Optional): If your Lambda functions need access to resources within a VPC, configure them accordingly. Use private subnets and network ACLs.
- Security Groups: Properly configure security groups to control inbound and outbound traffic for your VPC-enabled Lambda functions.
7. General Best Practices
- Regular Security Audits: Conduct regular security audits of your serverless applications, including code reviews and penetration testing.
- Automated Scanning: Use automated vulnerability scanning tools to identify potential security issues in your code and infrastructure.
- Incident Response Plan: Develop an incident response plan to handle security breaches effectively.