5 ways to secure AWS Lambda for compliance requirements

Compliance regulations mandate robust protections for cloud-based functions and code. As organizations increasingly leverage serverless compute services, proper security controls become critical—especially when handling sensitive data subject to standards like HIPAA or PCI-DSS. 

If your organization uses AWS Lambda, here are 5 ways to lock down Lambda access and secure your functions on the AWS cloud.

• Leverage identity and access management (IAM) controls and tags
• Secure network access to your Lambda functions
• Keep Lambda code up to date
• Review layers before using them in multiple functions
• Protect data confidentiality with encryption
• Start securing your serverless architecture

One of the most critical ways to protect your Lambda functions is to control access to them with identity and access management (IAM) policies. These policies should define who has access and what they can access. 

In addition, you can leverage tags for fine-grained access to your Lambda functions, versions, and layers. For example, tags based on data owner, environment, and application allow you to conveniently filter and manage Lambda resources. For Lambda functions with attached security groups, use matching tags between the function and group to improve consistency and compliance audit visibility.

By default, Lambda permits public internet access to a function. For compliance reasons, you should disable public Lambda access and trigger functions only from a virtual private cloud (VPC) or authorized service to limit exposure and prevent invocation by unauthorized entities. 

Attaching Lambda functions to VPCs protects access to back-end databases and services without exposing them to the public internet. Furthermore, you can use security groups to control network-level access at a more granular level.

You can also use the Amazon API Gateway to handle authentication, authorization, rate throttling, and other API management policies before invoking the Lambda function. Leveraging the gateway allows security teams to protect functions from malicious DDoS attacks that cause service interruption.

Lambda runtimes like Python are periodically updated with security patches. Outdated runtimes increase the risk of vulnerabilities which can be exploited by hackers. To mitigate this risk, organizations should keep runtimes updated to the latest version.

When using Lambda layers to bundle and share code across functions, first scan the code using software composition analysis to detect vulnerabilities in third-party dependencies and libraries. You can also leverage tags on Lambda layers and use approved layer versions to ensure consistency and mitigate the risk of using vulnerable code.

AWS Key Management Service (KMS) gives you the ability to leverage cryptographic keys for encrypting and decrypting data. By encrypting sensitive data such as Lambda environment variables, you can protect confidentiality. 

KMS integrates with Secrets Manager and Parameter Store for encryption using customer master keys. Secrets Manager can securely store secrets like the API keys used and accessed by Lambda functions, with key rotation capabilities. Parameter Store securely stores configuration parameters like database connection strings retrieved by Lambda functions during execution.

With these serverless security controls in mind, you can empower your organization to properly secure your serverless functions and architecture. My Serverless Security Principles course explains how to apply access controls, find vulnerabilities in serverless code, and leverage encryption to improve your AWS Lambda functions' data confidentiality.