Serverless and Function Security
Identify the unique attack surface of serverless functions (over-privileged IAM roles, event injection, dependency risks) and apply least-privilege and input validation controls.
What Is Serverless Computing?
Serverless computing (Functions as a Service, FaaS) allows developers to deploy individual functions that are invoked by events — HTTP requests, queue messages, database triggers, or scheduled timers — without managing the underlying servers. Leading platforms include AWS Lambda, Google Cloud Functions, and Azure Functions. The cloud provider manages patching, scaling, and infrastructure. While this reduces operational burden, it shifts the security responsibility model: the provider secures the runtime, but the developer is solely responsible for function code, permissions, and configuration.
Unique Serverless Attack Surface
Serverless functions present a distinct attack surface compared to traditional applications. Functions are typically short-lived (seconds to minutes), which makes traditional EDR and network monitoring less effective. They are event-driven, so many different input sources (S3 events, API Gateway, SNS) can trigger execution, and each event field is untrusted input. They often run with IAM permissions that grant access to other cloud resources, so an over-privileged role widens the impact of any single compromised function. And they consume third-party dependencies (npm, pip packages) that may contain malicious code. The attack surface is therefore defined by event inputs, IAM permissions, and dependency trust chains.
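The two controls the objective names, input validation on event data and least privilege on the function's role, shown as an added Python example written for this section (not code from any platform or project). The handler, event shapes and the sample policy are constructed; the only real-platform detail assumed is that S3 object keys arrive URL-encoded in event notifications.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample events, not real captures: one API Gateway request and one
# S3 notification whose object key (attacker-chosen at upload time) tries path traversal.
API_EVENT = {"httpMethod": "POST", "body": json.dumps({"order_id": "ord_12345"})}
S3_EVENT = {"Records": [{"eventSource": "aws:s3",
                         "s3": {"object": {"key": "uploads/..%2F..%2Fetc%2Fpasswd"}}}]}

ORDER_ID_RE = re.compile(r"^ord_[0-9]{5}$")          # allowlist for the API field
KEY_RE = re.compile(r"^uploads/[A-Za-z0-9_.-]{1,64}$")  # one flat prefix, no '/' in the name

def extract_untrusted_input(event):
    """Classify the event source and return (source, field) the caller does not control."""
    records = event.get("Records") or []
    if records and records[0].get("eventSource") == "aws:s3":
        # S3 keys are URL-encoded in the notification; decode before validating.
        return "s3", unquote_plus(records[0]["s3"]["object"]["key"])
    if "httpMethod" in event:
        return "apigw", json.loads(event.get("body") or "{}").get("order_id", "")
    raise ValueError("unrecognised event source")

def validate(source, value):
    """Allowlist validation per source; anything not matching is rejected outright."""
    pattern = KEY_RE if source == "s3" else ORDER_ID_RE
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected {source} input: {value!r}")
    return value

def handler(event, context=None):
    """Lambda-style entry point: classify, validate, then act on the input."""
    try:
        source, value = extract_untrusted_input(event)
        validate(source, value)
    except ValueError as exc:
        return {"statusCode": 400, "body": str(exc)}
    return {"statusCode": 200, "body": f"accepted {source}:{value}"}

def overprivileged_statements(policy):
    """Return Allow statements in an IAM policy document granting wildcard actions or resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(stmt)
    return findings
```

Run `overprivileged_statements` against the role attached to each function as part of deployment review; a finding means the role should be narrowed to the specific actions and resource ARNs the function's code actually uses.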