Every couple years I find myself needing to brush up on the risks and threat model of AWS Lambda.
This is an index of security considerations. It excludes web application risks like authentication and authorization. It focuses on attack vectors, and as a result skips CI/CD concerns like the risks of Lambda Layers.
Attackers targeting a Lambda can:
- backdoor it, given RCE
- retrieve the source, given RCE
- retrieve environment variables, given a file read vulnerability or SSRF (with the
file:protocol). This includes IAM credentials for the Lambda and event data.
- given permission to invoke the function, view its logs
- generate a fork bomb
- abuse a low concurrency limit by causing a DoS
- abuse a high concurrency limit by causing a Denial of Wallet attack
- cause a DoS by exhausting disk capacity (i.e
- cause a DoS by exhausting API limits
- monetize an RCE via cryptomining (note: there is a GuardDuty detection, but it will not function if the Lambda is not attached to a VPC)
- pivot via shared or over-privileged IAM roles
- access data cross-process exposed in
/tmpduring warm start invocations
- exfiltrate the account id via get-caller-identity and attack outside-in
- OWASP Serverless Top 10
- The 12 Most Critical Risks for Serverless Applications)
- Hacking the Cloud: Lambda Persistence
- Hacking the Cloud: Steal IAM Credentials and Event Data from Lambda
- fwd:cloudsec 2020 - Winning in the Dark: Defending Serverless Infrastructure
- Hacking Serverless Runtimes Profiling Lambda, Azure, and more.
- CloudGoat goes Serverless
- Conversation in CloudSecForum on threat modeling "run something in python/node sandbox"