AWS Lambda, launched in 2015, is a service which allows customers to create event-driven serverless functions of short duration.
Since then Lambda has become hugely popular; Lambda functions are widely used for many different purposes, ranging from low-latency web applications and IoT to AWS account operational and maintenance tasks.
Just like any other application in the cloud, a vulnerable or poorly configured Lambda function can lead to data loss, privilege escalation and even AWS account takeover; see for example this blog post.
I’ve created “10 steps to Lambda security” based on my experience of working with customers using AWS Lambda:
© 2018 Paul Schwarzenberger www.celidor.co.uk May be used with acknowledgement
Continuous cloud compliance is essential to maintain the security of applications and systems in the cloud. At DevSecCon London next week I'll be talking about my experiences in this area, and how an effective solution needs to include prevention, detection and remediation elements.
In my talk "A journey to continuous cloud compliance", I'll give a live demonstration of techniques and approaches with a system I've built in AWS using Capital One's open source Cloud Custodian project, combined with Lambda functions and other AWS services to provide customised notifications via email and Slack.
As I was developing the course DevSecOps Hands-On I realised the need for a DevSecOps Framework - covered in my earlier blog post - and a DevSecOps Toolkit.
The DevSecOps Toolkit illustrates the spectrum of tools which can be used for various purposes (columns) across the primary system components (rows). The named open source projects and vendors are examples - it's not possible to be completely comprehensive in a single diagram.
An organisation can use the toolkit to help assess its DevSecOps maturity; ideally there should be at least one tool in each area.
This is a very fast-moving field: for example "SOAR" (Security Orchestration, Automation and Response) is a new category created in late 2017.