This document discusses security considerations for serverless applications. It notes that while serverless applications avoid some security risks related to servers, they also introduce new risks related to application dependencies and access controls. It recommends practices like least privilege access, input/output sanitization, encryption of data at rest and in transit, monitoring for unusual activity, and deleting unused functions. The document emphasizes that people are often the weakest link and proper credentials management is important. It also discusses challenges like denial of service attacks and accidental exposure of functions or data.
77. npm default: get the latest “compatible” version, i.e. 1.X.X
78. A clean install (e.g. on a CI server) will download the latest, compromised package without any code change…
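To make the slide's point concrete, here is an added example (not from the original deck) that simulates how npm's default caret range resolves on a fresh install versus an install pinned by a lockfile. The package name, version list and the "compromised" 1.4.0 release are constructed for the illustration.

```python
"""Constructed model of npm caret-range resolution.

A clean install with "^1.2.3" and no lockfile picks the newest published
1.x.x, so a freshly published (here: compromised) release is pulled in
without any change to the project's own code; a lockfile pins it."""

from typing import Optional

PKG = "example-pkg"  # placeholder name, not a real package


def parse(v: str) -> tuple[int, int, int]:
    major, minor, patch = (int(x) for x in v.split("."))
    return major, minor, patch


def caret_matches(range_spec: str, version: str) -> bool:
    """npm caret semantics: ^1.2.3 := >=1.2.3 <2.0.0.
    For 0.x bases only the left-most non-zero part may stay fixed:
    ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := exactly 0.0.3."""
    base = parse(range_spec.lstrip("^"))
    cand = parse(version)
    if cand < base:
        return False
    if base[0] != 0:
        return cand[0] == base[0]
    if base[1] != 0:
        return cand[0] == 0 and cand[1] == base[1]
    return cand == base


def resolve(range_spec: str, published: list[str],
            lockfile: Optional[dict] = None, name: str = PKG) -> str:
    """Fresh install: newest published version inside the range wins.
    With a lockfile entry (what `npm ci` honours) the locked version is used."""
    if lockfile and name in lockfile:
        return lockfile[name]
    candidates = [v for v in published if caret_matches(range_spec, v)]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies {range_spec}")
    return max(candidates, key=parse)


if __name__ == "__main__":
    registry = ["1.2.3", "1.3.0"]
    print("CI build today    :", resolve("^1.2.3", registry))      # 1.3.0
    registry.append("1.4.0")  # constructed: attacker publishes a malicious release
    print("CI build tomorrow :", resolve("^1.2.3", registry))      # 1.4.0
    print("with lockfile     :", resolve("^1.2.3", registry, {PKG: "1.2.3"}))
```

The same drift applies to any dependency of a dependency, so the lockfile must be committed and CI must install from it rather than re-resolving ranges.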
114. AWS Lambda docs: "Write your Lambda function code in a stateless style, and ensure there is no affinity between your code and the underlying compute infrastructure." http://amzn.to/2jzLmkb
132. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS-related spikes in your ELB, CloudFront or Route 53 charges.
173. no server*
- no OS attacks
- no long-lived compromised servers

* I know, I know, there’s still a server somewhere, but it’s managed and secured by AWS engineers who can do a much better job of it than most of us can; and the servers are ephemeral and short-lived.