What are the security considerations for serverless applications?
Answer
Serverless security considerations:

1. Least-privilege IAM — each Lambda function should have an IAM role with only the permissions it needs. Avoid * wildcards. Use separate roles per function.
2. Input validation — validate all inputs at the function level; don't trust API Gateway validation alone; prevent injection attacks (SQL injection, command injection).
3. Dependency security — regularly audit and update npm/pip packages; use tools like npm audit, Snyk, or Dependabot.
4. Secrets management — never hardcode secrets; use Secrets Manager or Parameter Store.
5. Function timeout and resource limits — prevent DoS by configuring reserved concurrency limits per function.
6. Logging and monitoring — enable CloudTrail for API call auditing; CloudWatch for anomaly detection.
7. VPC placement — place functions in a VPC when accessing private RDS instances; use VPC endpoints to avoid internet traffic.
8. CORS configuration — configure API Gateway CORS precisely, not *.
9. Function URL authentication — require IAM auth for direct function URLs unless intentionally public.
10. WAF — attach AWS WAF to API Gateway for SQL injection and XSS protection.
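As an added example for point 1 (not code from the original answer), a small Python check that scans a Lambda execution role's policy document and flags every Allow statement that grants a wildcard action (`*` or `service:*`) or a bare `*` resource. The policy document, table name and account id are constructed samples, not real values.

```python
from typing import Dict, List

# Constructed sample policy: the kind of role that gets attached to "every"
# function for convenience. Statement 0 and statement 2 use wildcards.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        {"Effect": "Allow", "Action": "logs:CreateLogStream", "Resource": "*"},
    ],
}


def _as_list(value) -> list:
    # IAM allows a single string or a list in Action / Resource / Statement.
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy: Dict) -> List[Dict]:
    """Return one finding per Allow statement that uses a wildcard.

    A wildcard action ("*" or "s3:*") or a bare "*" resource is exactly
    what a per-function least-privilege role should avoid. ARN globs such as
    "arn:aws:s3:::bucket/*" are scoped and are not flagged here.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        bad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        bad_resources = [r for r in resources if r == "*"]
        if bad_actions or bad_resources:
            findings.append({
                "statement": idx,
                "actions": bad_actions,
                "resources": bad_resources,
                # Both wildcards together means the function can do anything
                # in that service across the whole account.
                "severity": "high" if bad_actions and bad_resources else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_wildcard_grants(OVERLY_BROAD_POLICY):
        print(f)
```

Run it against each function's role before deployment; any finding is a statement to tighten to named actions and specific ARNs.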