AWS Lambda Security: Attack & Defense

Speaker: Paweł Rzepa

Abstract:

Over the last decades, the web server environment has evolved from physical servers through virtual machines and containers to the most recent stage, serverless computing. Along with the many obvious benefits of serverless computing came some drawbacks, including security issues.
Following my in-depth research on AWS security, I dug into serverless computing with some good results. In this presentation, expect:

    • my findings on publishing malicious NPM packages to smuggle malicious code into legitimate-looking dependencies
    • examples of validation errors in serverless applications, including event injection and Denial of Wallet attacks in open source projects
    • privilege escalation and taking control over the whole AWS environment using RCE in a fugacious, serverless environment
    • insecure default settings of common serverless frameworks
    • how to prevent those attacks
    • how to detect such attacks using native AWS monitoring services
    • lots of demos
    • lots of fun 🙂

The goal of my presentation is not only to raise awareness about security risks but also to share security best practices when developing serverless applications as well as to give practical hints on how to harden the AWS environment and minimize the impact of such attacks.