Serverless Security

Risk Mitigation Tools for Serverless

Serverless | 4 Tools | 28th August 2019

10 Common Security Concerns for Serverless

The traditional approach to data security is to secure the network and servers in a fortress mentality, with a multi-layer shield of firewalls and controls. With serverless, the cloud provider dynamically manages the allocation of machine resources and runs the servers. You do not have access to the servers to manage their security, so a different approach to security is needed. In simple terms, the defences have to be brought forward from the datacentre and closer to the end user: into the function code, its configuration and its permissions. As the risks have become better understood, specialist security businesses have developed best practices, security tools and other measures that provide an equivalent multi-layer approach. As the use of AWS Lambda and other serverless services has increased, OWASP and commercial organisations have identified the common areas of security breaches and advised on ways to limit the risk. The top 10 risks are listed below, together with links to some tools that can be used against each.

10 Common Serverless Security Concerns

Risk                                                     Tools
Data injection                                           Template modelling, PureSec Lambda-Proxy
Broken authentication                                    Cognito
Insecure deployment configuration                        Source control
Over-privileged permissions                              Audits
Inadequate monitoring and logging                        CloudTrail
Insecure third-party dependencies                        Audits
Insecure secrets storage                                 KMS, Secrets Manager
Denial of service and denial of wallet                   AWS Shield
Execution flow manipulation                              PureSec FunctionShield
Improper exception handling and verbose error messages   Security design reviews

‘Dance Like Nobody’s Watching. Encrypt Like Everyone Is’

Werner Vogels

Open Source Serverless Security Tools

Automated security testing lags behind development and deployment technology, but free open-source tools can still improve your defences.

Mostly for JavaScript or Python

PureSec Lambda-Proxy

for testing AWS Lambda functions

Serverless CLI

Auto-generates least-privilege IAM roles for AWS Lambda functions, with a separate IAM role for each function so that a compromised function can only reach the resources it actually needs, reducing the blast radius of an attack.
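To show what "least privilege per function" means in practice, here is an added example written for this page; it is not code from the Serverless CLI plugin or from PureSec. It audits an IAM policy document for the grants that defeat a per-function role (Action "*", service-wide "svc:*" actions, Resource "*", and NotAction/NotResource) and runs the check against two constructed policies: the broad one that is often attached to every function, and the narrow one a single function should carry. The account id, table and log-group ARNs are placeholders.

```python
"""Audit AWS IAM policy documents for over-privileged grants.

Constructed example for this page (not the page's or any vendor's code).
Uses only the Python standard library, so it runs offline.
"""
import json
from typing import Any

# Constructed input 1: an over-privileged policy that is sometimes attached to
# every function in a service. Any one compromised function gets everything.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed input 2: the per-function least-privilege policy for one
# function that reads and writes a single table and writes its own logs.
# ARNs are placeholders; substitute the function's real resources.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders-example",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-example:*",
        },
    ],
}


def _as_list(value: Any) -> list:
    """IAM accepts a single string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad grant found in an Allow statement.

    Deny statements only narrow access, so they are skipped.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"Statement[{idx}]"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource grants by exclusion")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{where}: Action '*' grants every API call")
            elif action.endswith(":*"):
                findings.append(f"{where}: Action '{action}' grants a whole service")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(
                    f"{where}: Resource '*' is not scoped to the function's own resources"
                )
    return findings


def audit_policy_json(policy_json: str) -> list[str]:
    """Same check for a policy document read from a file or an API response."""
    return audit_policy(json.loads(policy_json))


if __name__ == "__main__":
    for name, policy in [
        ("over-privileged", OVERPRIVILEGED_POLICY),
        ("least-privilege", LEAST_PRIVILEGE_POLICY),
    ]:
        findings = audit_policy(policy)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the script reports four findings for the broad policy and none for the scoped one. The check deliberately does not try to decide whether a specific action such as `iam:PassRole` is safe for a given function; that judgement needs knowledge of the function's job, which is exactly what the per-function review (the "Audits" entry in the table above) is for.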


Free library for hardening AWS Lambda functions by preventing data leakage

Nordstrom Artillery

npm package enabling stress testing for serverless


npm package with several utilities for managing AWS Lambda and logging streams
