Slide 1

Slide 1 text

Securing your Lambda 101

Slide 2

Slide 2 text

:~/$whoami
• Security Engineer @Yandex Cloud
• Author of quite a few articles on macOS malware
• Former macOS malware analyst @Kaspersky
• /in/mogilin/

Slide 3

Slide 3 text

Agenda
• What are AWS Lambdas?
• Why go serverless?
• How do Lambdas work?
• Security and risk assessment
• Case 1: Abusing environment secrets
• Case 2: Abusing request forgery + demo
• Case 3: Avoiding fork bombs
• Questions and feedback

Slide 4

Slide 4 text

What are AWS Lambdas?
AWS Lambda is a compute service that runs your code in response to events and automatically manages the compute resources, making it the fastest way to turn an idea into a modern, production, serverless application.

Slide 5

Slide 5 text

Why go serverless?

Slide 6

Slide 6 text

Why go serverless?

Slide 7

Slide 7 text

Why go serverless?

Slide 8

Slide 8 text

Why go serverless?

Slide 9

Slide 9 text

Why go serverless?
• Cost-effective. Pay as you go

Slide 10

Slide 10 text

Why go serverless?
• Cost-effective. Pay as you go
• No ops. No need to provision additional resources, k8s clusters, schedulers

Slide 11

Slide 11 text

Why go serverless?
• Cost-effective. Pay as you go
• No ops. No need to provision additional resources, k8s clusters, schedulers
• Speed. Lambda functions provide a cached runtime

Slide 12

Slide 12 text

Why go serverless?
• Cost-effective. Pay as you go
• No ops. No need to provision additional resources, k8s clusters, schedulers
• Speed. Lambda functions provide a cached runtime
• Scalability. Let your CSP handle the scaling

Slide 13

Slide 13 text

How do Lambdas work?
Your_code.zip

Slide 14

Slide 14 text

How do Lambdas work?
Your_code.zip

```python
import json
import logging

# Init section
logger = logging.getLogger()
logger.setLevel(logging.INFO)


# Function handler of the event
def lambda_handler(event, context):
    # main code goes here…
    pass
```

Slide 15

Slide 15 text

How do Lambdas work?
Your_code.zip

```python
import json
import logging

# Init section
logger = logging.getLogger()
logger.setLevel(logging.INFO)


# Function handler of the event
def lambda_handler(event, context):
    # main code goes here…
    pass
```

event holds the data of the request.
context includes:
• function ARN
• CloudWatch log group name
• Lambda request ID

Slide 16

Slide 16 text

How do Lambdas work?

Slide 17

Slide 17 text

How do Lambdas work?

Slide 18

Slide 18 text

Security and risk assessment
(figure from the original NIST 800-30 presentation)

Slide 19

Slide 19 text

Key Lambda risks
(Rami McCarthy on Lambda risks)
1. backdoor Lambda 👉 leak subsequent events via RCE*
2. retrieve the source via RCE*
3. retrieve environment variables, given a file read vulnerability or SSRF**
4. given permission to invoke the function, view its logs
5. generate a fork bomb
*RCE = Remote code execution
**SSRF = Server Side Request Forgery

Slide 20

Slide 20 text

What?!

Slide 21

Slide 21 text

Abusing environment secrets
Do you see the vulnerability? 👀

Slide 22

Slide 22 text

Abusing environment secrets
event['prefix'] is unsanitized and passed directly into bash.
Try event['prefix'] = "; env"

Slide 23

Slide 23 text

Abusing environment secrets
Lessons learned
• Sanitize your input
• No eval() or os.popen() or any other direct executions
• AWS_SESSION_TOKEN, AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID should be kept secret!!
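A hardened version of the handler pattern from Case 1, added here as an example (it is not the deck's code). The function still lists a "prefix" taken from the event, but the prefix goes through an allowlist check and the command is executed as an argument vector with no shell, so a value such as "; env" is rejected before any process is spawned. The allowlist regex, BASE_DIR and the ls command are assumptions made for the example; the regex is compiled in the init section so it is reused across warm invocations.

```python
import os
import re
import subprocess

# Init section: compiled once per execution environment, reused by every invocation.
# Constructed allowlist: a key prefix may contain only letters, digits, '_', '.', '/' and '-'.
_PREFIX_RE = re.compile(r"[A-Za-z0-9_./-]{1,128}")

# Hypothetical local directory the function lists; stands in for the real storage path.
BASE_DIR = "/tmp/bucket-mirror"


def is_safe_prefix(prefix):
    """Allowlist check: shell metacharacters (';', '$', '`', quotes, spaces) never match."""
    if not isinstance(prefix, str) or not _PREFIX_RE.fullmatch(prefix):
        return False
    # Keep the listing inside BASE_DIR: no absolute paths, no parent-directory hops.
    if prefix.startswith("/") or ".." in prefix.split("/"):
        return False
    return True


def build_command(prefix):
    """Return an argument vector. No shell parses it, so metacharacters stay inert."""
    if not is_safe_prefix(prefix):
        raise ValueError("prefix contains characters outside the allowlist")
    return ["ls", "-1", os.path.join(BASE_DIR, prefix)]


def lambda_handler(event, context):
    # Function handler: validate first, then execute without a shell (no eval(), no os.popen()).
    try:
        argv = build_command(event.get("prefix", ""))
    except ValueError as exc:
        # The rejected input is not echoed back, and nothing from os.environ reaches the caller.
        return {"statusCode": 400, "body": str(exc)}
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    if result.returncode != 0:
        return {"statusCode": 404, "body": "prefix not found"}
    return {"statusCode": 200, "body": result.stdout}
```

The two controls are independent: the allowlist stops the injected string at the door, and passing a list to subprocess.run (shell=False is the default) means that even a string that slipped through would be handed to ls as a literal path rather than parsed by bash, so the AWS_* credentials in the environment are never exposed through the response.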

Slide 24

Slide 24 text

Abusing request forgery

Slide 25

Slide 25 text

Abusing request forgery

Slide 26

Slide 26 text

Demo

Slide 27

Slide 27 text

Abusing request forgery
Lessons learned
• Validate your input: no internal IPs, no excess URL schemes
• One Lambda per one task 👉 least privilege
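An input validator for the outbound-request case, added as an example rather than taken from the deck or the demo. It accepts only http and https, resolves the host, and refuses any name that resolves to a private, loopback, link-local or otherwise non-public address. CONSTRUCTED_DNS and table_resolver are a made-up resolution table so the block runs offline; socket_resolver is the real lookup you would pass in production.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; swap in socket_resolver for real lookups.
CONSTRUCTED_DNS = {
    "api.example.com": {"8.8.8.8"},            # stands in for a public API host
    "intranet.corp.local": {"10.0.0.5"},       # RFC 1918 private range
    "169.254.169.254": {"169.254.169.254"},    # link-local range (cloud metadata endpoints live here)
    "localhost": {"127.0.0.1", "::1"},         # loopback
}


def socket_resolver(host):
    """Real resolver: every address the host resolves to, not just the first."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def table_resolver(host):
    """Offline resolver backed by the constructed table; raises OSError like a DNS failure."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise OSError(f"cannot resolve {host}") from None


def is_public_address(text):
    """True only for globally routable addresses; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.5 as 10.0.0.5
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url, resolver=socket_resolver):
    """Return (allowed, reason). Only http(s) to hosts whose every address is public passes."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parsed.scheme}' not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = resolver(parsed.hostname)
    except OSError as exc:
        return False, str(exc)
    if not addresses:
        return False, f"{parsed.hostname} has no addresses"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{parsed.hostname} resolves to non-public address {addr}"
    return True, "ok"
```

One caveat a practitioner should keep in mind: the check resolves the name once, but the HTTP client resolves it again when it connects, so a name that changes between the two lookups (DNS rebinding) can slip past. Connect to the address that passed validation rather than to the hostname, and run validate_target again on every redirect target instead of following redirects automatically.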

Slide 28

Slide 28 text

Avoiding fork bombs

Slide 29

Slide 29 text

Avoiding fork bombs

Slide 30

Slide 30 text

Avoiding fork bombs
Lessons learned
• Avoid recursion: 1 Lambda per 1 task
• Configure logging inside Lambda
• Create a billing alarm per service
• Limit concurrent executions (if possible)
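A recursion guard for a function that invokes another function, added as an example and not part of the deck. Each hop carries an invocation_depth counter and the chain of ARNs it has passed through; a hop that would call the function itself, call any function already in the chain, or exceed MAX_DEPTH is refused, and every decision is written as one structured log line so a CloudWatch metric filter or alarm can key on it. FakeContext, the ARNs (AWS example account id), MAX_DEPTH and the injected invoke callable are assumptions for the example; a real function would pass a wrapper around the boto3 Lambda client's invoke.

```python
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

MAX_DEPTH = 3  # hypothetical cap on how many chained invocations one event may trigger

# Constructed ARN using the AWS example account id.
DOWNSTREAM_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:transform"


class FakeContext:
    """Constructed stand-in for the Lambda context object (only the fields used here)."""

    def __init__(self, invoked_function_arn, aws_request_id):
        self.invoked_function_arn = invoked_function_arn
        self.aws_request_id = aws_request_id


def check_chain(event, context, target_arn, max_depth=MAX_DEPTH):
    """Return (payload_for_next_hop, reason); payload is None when the hop is refused."""
    depth = int(event.get("invocation_depth", 0))
    chain = list(event.get("invocation_chain", []))
    if target_arn == context.invoked_function_arn or target_arn in chain:
        return None, "refused: invocation would loop back into the chain"
    if depth + 1 > max_depth:
        return None, f"refused: depth {depth + 1} exceeds limit {max_depth}"
    payload = dict(event)
    payload["invocation_depth"] = depth + 1
    payload["invocation_chain"] = chain + [context.invoked_function_arn]
    return payload, "ok"


def lambda_handler(event, context, target_arn=DOWNSTREAM_ARN, invoke=None):
    """invoke(target_arn, payload) is injected; in production wrap boto3's lambda client invoke."""
    payload, reason = check_chain(event, context, target_arn)
    # One structured log line per decision: this is what a metric filter / alarm keys on.
    logger.info(json.dumps({
        "request_id": context.aws_request_id,
        "function": context.invoked_function_arn,
        "target": target_arn,
        "depth": int(event.get("invocation_depth", 0)),
        "decision": reason,
    }))
    if payload is None:
        return {"statusCode": 429, "body": reason}
    if invoke is not None:
        invoke(target_arn, payload)
    return {"statusCode": 202, "body": reason, "payload": payload}
```

The guard is a last line of defence inside the code; it complements, rather than replaces, the platform-side controls on the slide (reserved concurrency on the function and a billing alarm on the service), because a bug that drops the counter from the payload would silence the guard but not the alarm.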

Slide 31

Slide 31 text

Thank you!

Slide 32

Slide 32 text

Questions?
Feedback form