Skip to content

Lambda layers of defense

DRAFT: Methods, Ideas, Practices to improve your Lambda's security / reliability

You are responsible for maintaining control over your content that is hosted on this infrastructure.

Event Sources

Synch flow (API GW, AppSync)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account-id:*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:region:account-id:*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "123.4.5.6/24"
                }
            }
        }
    ]
}
  • Event source can be linked to a waf (AWS Shield, AWS WAF) or cdn (CloudFront)

  • Event source can add usage limits and throttling per api client per endpoint

  • Event source can include request validation

flowchart LR
    Client <--> id1(Event Source) <--> id2(Lambda Service) <--> id3(Lambda Function) <--> id4(Down Stream)

Asynch flow (S3, EventBridge)

  • Event source can do batching
  • Event source can have filtering
flowchart LR
    Client --> id1(Event Source) --> id5(Requests) <--> id2(Lambda Service) <--> id3(Lambda Function) <--> id4(Down Stream)

Asynch flow (Dynamodb)

  • Updates can be filtered
  • Updates can be sent to EventBridge to further filtering
flowchart LR
    Client --> id1(Event Source) --> id5(Changes) <--> id2(Lambda Service) <--> id3(Lambda Function) <--> id4(Down Stream)

Ideas to be documented

  • Data protection in AWS Lambda

    • Encryption in transit - Lambda API endpoints only support secure connections over HTTPS.
    • Encryption at rest - On a per-function basis, you can configure Lambda to use a customer managed key to encrypt your environment variables. Conterary to the AWS docs, i would not recommended using environments variables for secrets, but rather secret manager (or parameter store). Lambda always encrypts files that you upload to Lambda, including deployment packages and layer archives. Amazon CloudWatch Logs and AWS X-Ray also encrypt data by default.
  • "Identity and access management for Lambda" - least priviledge

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleSourceFunctionArn",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::lambda_bucket/*",
            "Condition": {
                "ArnEquals": {
                    "lambda:SourceFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:source_lambda"
                }
            }
        }
    ]
}
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "nodejs-apig-functiongetEndpointPermissionProd-BWDBXMPLXE2F",
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-2:111122223333:function:nodejs-apig-function-1G3MXMPLXVXYI",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "111122223333"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:execute-api:us-east-2:111122223333:ktyvxmpls1/prodStage/GET/image"
        }
      }
    }
  ]
}

Resources


Last update: 2022-09-13