Security - AWS Lambda

Security

The most important foundational concept of security when operating in the AWS Cloud is the shared responsibility model. This broadly divides security responsibilities between AWS and customers. AWS is responsible for "security of the cloud", such as the underlying physical infrastructure and facilities that provide the services. Customers are responsible for "security in the cloud", which includes applying security best practices, controlling access, and taking measures to protect data.

One of the main reasons for the popularity of Lambda-based applications is that AWS manages even more of the security operations compared with traditional cloud-based compute. For example, Lambda customers using zip file deployments do not need to patch underlying operating systems or apply security patches to the managed runtime – these tasks are handled automatically by the Lambda service. Functions deployed as container images are the exception: the customer owns the image, so patching the operating-system packages and language runtime inside it, and redeploying, remains the customer's responsibility.

This chapter covers:

  • The Lambda execution environment and mechanisms used by the service to protect customer data.

  • Applying the principle of least privilege to your workload, and what this means in terms of permissions and scoping functions.

  • Securing workloads with public endpoints and implementing authentication and authorization.

  • Using AWS CloudTrail for governance, compliance and operational auditing of Lambda usage.
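As an added illustration of the least-privilege point above (this is not code from the AWS page), the following Python compares an over-broad Lambda execution role policy with one scoped to a single function's log group and a single DynamoDB table, and includes a small checker that flags wildcard actions and resources in any policy document. The region, account ID, function name and table name are constructed placeholders, and the checker is a deliberately simple heuristic, not a substitute for IAM Access Analyzer.

```python
"""Least-privilege check for a Lambda execution role policy document.

Added example, not part of the AWS Lambda documentation. The policies
below are constructed inline with placeholder region/account/names.
"""
import json


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad(policy: dict) -> list:
    """Return (statement index, field, value) for each Allow statement that
    grants a wildcard action ("*" or "service:*") or applies to every
    resource ("*"). Deny statements are ignored since they only narrow access.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings


# Constructed "before": a hastily written execution role for an order handler.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed "after": the same function, limited to what it actually does.
# Placeholders: region us-east-1, account 123456789012, function
# order-handler, table orders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Creating the log group is account-scoped; the console-generated
            # role uses the same shape.
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:123456789012:*",
        },
        {
            # Writing log events is limited to this function's own log group.
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:"
                        "log-group:/aws/lambda/order-handler:*",
        },
        {
            # Only the two DynamoDB operations the handler calls, on one table.
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {find_overbroad(policy) or 'no wildcard grants'}")
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Running the script reports four wildcard grants in the broad policy and none in the scoped one. The checker only looks at `Action` and `Resource`; a real review also considers `NotAction`, `Condition` keys and the trust policy that lets the Lambda service assume the role.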