The security case for serverless just got stronger
|
AI agents can now scan an entire open-source codebase for exploitable vulnerabilities in hours. Frontier models carry the complete library of known bug classes in their weights. So you can simply point an AI agent at a codebase and tell it to find zero-days. This isn't theoretical. Willy Tarreau, the HAProxy lead developer, reports that security bug reports have jumped from 2–3 per week to 5–10 per day. Greg Kroah-Hartman, the Linux kernel maintainer, described what happened: "Months ago, we were getting what we called 'AI slop' - AI-generated reports that were obviously wrong or low quality. Something happened a month ago, and the world switched. Now we have real reports." What this means in practice is that the window between a vulnerability existing and an exploit being available has shortened significantly. But your patching cadence was calibrated for a world where that window was weeks or months. That assumption no longer holds. This is where managed services have a structural advantage. When Log4Shell dropped in December 2021, AWS patched Lambda runtimes and other managed services within hours. Most engineering teams were still triaging the CVE. AWS has dedicated teams whose sole job is patching managed infrastructure (Lambda runtimes, RDS, ECS) so you don't have to. Serverless goes even further. Lambda's ephemeral execution environments eliminate entire classes of attacks. Both the OS and runtime* are fully managed and patched by AWS. There are no long-running processes to exploit, no SSH access, and no shared host to pivot across. Each execution environment is isolated and recycled after a few hours**. * not applicable for custom runtimes ** not applicable for Lambda Managed Instances But your application dependencies are still your problem. The npm packages and pip libraries in your Lambda functions are not AWS's responsibility. Those are exactly what agents are being pointed at. The good news is that this capability cuts both ways. AWS Security Agent has gone GA recently, so you can now run pen tests on demand at a fraction of the time and cost of traditional methods (see details here). Also, supply chain attacks are on the rise. Five major open-source packages were compromised this March: Trivy, KICS, LiteLLM, Telnyx, and Axios. Two different groups were behind them, but they were both looking for your API keys and credentials. These packages were targeted because they tend to run in environments with long-lived keys, i.e. CI/CD runners and developer machines. Compromise the package, and the attacker can steal whatever's in the environment or the user's machine. Here are three things you need to do right away: 1. Stop using long-lived AWS keys. This applies everywhere. For developer machines, use AWS Identity Center with "aws sso login". For CI/CD pipelines, use OIDC federation. For on-prem applications that need to access AWS, IAM Roles Anywhere issues short-lived credentials via X.509 certificates. For EC2, Lambda and ECS, use IAM roles to access other AWS services. If your code needs to access other services, don't put the API keys/credentials in environment variables as plain text. Instead, fetch and cache (with TTL) them from SSM Parameter Store/Secrets Manager at runtime, or at least store them as encrypted strings in environment variables. 2. Treat LLM API keys like AWS credentials. The LiteLLM compromise gave attackers keys to every LLM provider you have access to... To mitigate similar attacks in the future, you should:
Oh, and pin dependency to known, trusted versions. Where possible, use settings such as NPM's minimumReleaseAge to avoid newly released package versions. Follow this guide for more NPM best practices. 3. Check for exposed credentials. Run truffleHog or gitleaks across your repos and CI environment variables. It takes 10 minutes and catches a surprising amount of stuff! There is much more you can do, but these are a good starting point. Times are changing, and we need to be more vigilant than ever. Luckily, serverless gives us a big boost and a great baseline to work from! |
Master Serverless
Join 17K readers and level up you AWS game with just 5 mins a week.
Lambda Durable Functions makes it easy to implement business workflows using plain Lambda functions. Besides the intended use cases, they also let us implement ETL jobs without needing recursions or Step Functions. Many long-running ETL jobs have a time-consuming, sequential steps that cannot be easily parallelised. For example: Fetching data from shared databases/APIs with throughput limits. When data needs to be processed sequentially. Historically, Lambda was not a good fit for these...
Step Functions is often used to poll long-running processes, e.g. when starting a new data migration task with Amazon Database Migration. There's usually a Wait -> Poll -> Choice loop that runs until the task is complete (or failed), like the one below. Polling is inefficient and can add unnecessary cost as standard workflows are charged based on the number of state transitions. There is an event-driven alternative to this approach. Here's the high level approach: To start the data migration,...
Lambda Durable Functions comes with a handy testing SDK. It makes it easy to test durable executions both locally as well as remotely in the cloud. I find the local test runner particular useful for dealing with wait states because I can simply configure the runner to skip time! However, this does not work for callback operations such as waitForCallback. Unfortunately, the official docs didn't include any examples on how to handle this. So here's my workaround. The handler code Imagine you're...