One of the benefits of Serverless architectures, and AWS Lambda specifically, is that there is #NoOps required to get your code live. You provide the code and deployment, patching and hardware are abstracted away from you.
The issue is, there is still a server. Hot lambda invocations (invoking the function while the cloud provider has your runtime and code provisioned) can allow information leaking across lambda invocations, networks are still a thing, underlying operating systems change and you’re adding code dependencies.
From experience on several serverless projects, this talk will provide a checklist of security concerns to look out for on Serverless projects. Ben covers temporary storage, the granularity of Lambas, IAM policies, observability, API Gateway, and the OWASP Top Ten.
Serverless architectures reduce a lot of the ops and patching work needed to ensure security and availability. That said, they also introduce new attack vectors that are not as well known, simplicity lets you get away without knowing how the underlying machine is working and security basics don’t go away.