Security Overview of AWS Lambda

Publication date: December 27, 2022

Abstract

This whitepaper presents a deep dive of the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users.

This whitepaper is intended for Chief Information Security Officers (CISOs), information security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.

Are you Well-Architected?

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

For more expert guidance and best practices for your cloud architecture—reference architecture deployments, diagrams, and whitepapers—refer to the AWS Architecture Center.

Introduction

AWS Lambda is an event-driven, serverless compute service that extends other AWS services with custom logic, or creates other backend services that operate with scale, performance, and security. Lambda can automatically run code in response to many kinds of events, such as HTTP requests through Amazon API Gateway or a Lambda function URL, modifications to objects in Amazon Simple Storage Service (Amazon S3) buckets, table updates in Amazon DynamoDB, messages in Amazon Simple Queue Service (Amazon SQS), notifications in Amazon Simple Notification Service (Amazon SNS), streaming data in Amazon Kinesis, events or logs in Amazon CloudWatch, events in Amazon EventBridge, and state transitions in AWS Step Functions. You can also invoke a function directly from any web or mobile app. Lambda runs code on a highly available compute infrastructure and performs all the administration of the underlying platform, including server and operating system maintenance, capacity provisioning and automatic scaling, patching, code monitoring, and logging.

With Lambda, you can just upload your code and configure when to invoke it; Lambda takes care of everything else required to run your code with high availability. Lambda integrates with many other AWS services and enables you to create serverless applications or backend services, ranging from periodically initiated, simple automation tasks to full-fledged microservices applications.

Lambda can also be configured to access resources within your Amazon Virtual Private Cloud, and by extension, your on-premises resources.

You can give Lambda functions a strong security posture using AWS Identity and Access Management (IAM) and the other techniques discussed in this whitepaper, maintaining a high level of security and auditability and meeting your compliance needs.

The managed runtime environment model lets Lambda handle many of the implementation details of running serverless workloads. This model further reduces the attack surface while making cloud security simpler. This whitepaper presents the underpinnings of that model, along with best practices, to developers, security analysts, security and compliance teams, and other stakeholders.