JAWS PANKRATION 2024


Is Serverless safe? ~Hacking AWS Lambda~

Lv300

8/24/2024 23:20 (UTC)

Session Info

Serverless environments, like those provided by AWS Lambda, offer managed layers, including OS and middleware, which are maintained securely by the cloud provider. However, are these layers always secure? The answer is no. These layers can be compromised by code with vulnerabilities.

This session explains the mechanism behind this, including the architecture of AWS Lambda and the attack process. Additionally, it covers how to protect against such attacks.

Yutaka Hiroyama

- AWS Top Engineers (APN) -



Session Category
Security
Identity and compliance


AWS Services
AWS Lambda
Amazon CodeGuru
AWS WAF

Session Materials


Session Summary (by Amazon Bedrock)

Yutaka Hiroyama, working at Target and as a guitar controller consultant, introduces himself and his role in managing teams for operation, automation, and security. His company provides one-stop services for design, application development, construction, and operation, and has been an AWS premium partner since 2013.

The presentation focuses on an AWS Lambda security vulnerability. Even with commented-out code, attackers can still access data. The architecture of AWS Lambda is explained, including container creation, bootstrap, and handler processes. The attack involves replacing the bootstrap process with a malicious one, which can be difficult to detect. A sample of the altered bootstrap code is shown, highlighting the key points of the attack. The responsibility for this vulnerability lies with the customer, not AWS. The vulnerability affects specific library versions (CVE-2017-18642).

To prevent such attacks, a "shift left" approach is recommended, including code scanning, network spreading, and data encryption. "Shift right" focuses on protection through tools like CWPP and managed services. Examples of protection measures include Amazon GuardDuty and AWS WAF. Many customers rely solely on WAF/IDS/IPS, but a comprehensive approach combining both "shift left" and "shift right" strategies is crucial.

While the container-based nature of Lambda mitigates some risks, it is essential to understand the architecture and implement appropriate countermeasures. The presenter emphasizes the importance of both proactive (shift left) and reactive (shift right) security measures in protecting cloud environments.

©JAWS-UG (AWS User Group - Japan). All rights reserved.