One of the biggest misconceptions I encountered when moving to a serverless stack was the idea that ‘serverless’ means ‘no security responsibility.’ While it’s true that AWS, GCP, or Azure handle the underlying OS patching and physical hardware, the application layer is still entirely on you. If you leave an IAM role wide open or hardcode an API key in your environment variables, no amount of cloud-provider magic will save your data.
In this guide, I’ll walk you through the serverless security best practices I’ve implemented across multiple production environments to minimize the attack surface and prevent costly leaks. Whether you are using AWS Lambda, Google Cloud Functions, or Azure Functions, these principles apply across the board.
The Fundamentals of Serverless Security
Before diving into the technical configurations, we need to address the paradigm shift. In a traditional server, you secure the perimeter (the firewall). In serverless, the perimeter is fragmented. Every single function is a potential entry point. This is why a ‘Zero Trust’ approach is non-negotiable.
When designing your system, you should always refer back to serverless architecture best practices to ensure your functions are decoupled and single-purpose. A bloated function that does too many things is not only a performance bottleneck but a security liability.
Deep Dive 1: Implementing Least Privilege (IAM Hardening)
The most common mistake I see in serverless apps is the use of ‘Star Permissions’ (e.g., s3:*). This is a disaster waiting to happen. If an attacker finds a code injection vulnerability in your function, they inherit the permissions of the function’s execution role.
The Granular Approach
Instead of giving a function access to all S3 buckets, limit it to a specific bucket and a specific action. Here is a comparison of a ‘Lazy’ vs. ‘Hardened’ IAM policy for a function that only needs to read one specific file:
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": ["arn:aws:s3:::my-app-uploads/user-profiles/*"]
}By restricting the resource and the action, you’ve effectively neutered the potential impact of a breach. I recommend auditing your roles every quarter using tools like AWS Access Analyzer to prune unused permissions.
Deep Dive 2: Secret Management & Environment Variables
I’ve seen developers commit .env files to GitHub more times than I care to count. While environment variables are convenient, they are often stored in plain text in the cloud console and can be leaked through logs or debugging dumps.
Stop Using Plain-Text Env Vars
For sensitive data like Stripe keys or database passwords, move them to a dedicated secret manager (AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault). These tools provide encryption at rest and, more importantly, rotation.
Here is how I typically implement secret fetching in a Node.js Lambda to avoid calling the API on every single request (which adds latency and cost):
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();
let cachedSecret = null;
exports.handler = async (event) => {
if (!cachedSecret) {
const data = await secretsManager.getSecretValue({ SecretId: 'Prod/APIKey' }).promise();
cachedSecret = JSON.parse(data.SecretString);
}
// Use cachedSecret.API_KEY here
};Deep Dive 3: Input Validation and API Gateway Hardening
Never trust the event object. Because serverless functions are triggered by various sources (HTTP, SQS, S3 events), they are susceptible to event injection. I always treat the input as malicious until proven otherwise.
Validation Strategies
- JSON Schema Validation: Use API Gateway’s built-in request validation to reject malformed requests before they even hit your function. This saves money (no execution cost) and increases security.
- Strict Typing: Use TypeScript to define the expected shape of your events.
- Sanitization: If your function interacts with a database, use parameterized queries to prevent NoSQL or SQL injection.
As you harden your inputs, remember that you must also verify your logic. Implementing robust serverless testing strategies ensures that your security checks don’t break your actual business flow.
Implementation Checklist for Production
If you’re deploying today, run through this quick checklist:
| Layer | Action | Priority |
|---|---|---|
| Identity | Remove all * permissions from IAM roles |
Critical |
| Secrets | Move API keys from env vars to Secrets Manager | High |
| Network | Configure VPC for functions needing private DB access | Medium |
| Observability | Enable CloudWatch Alarms for unusual 4XX/5XX spikes | Medium |
Core Security Principles for Serverless
To maintain a secure posture, I follow these three guiding principles:
- Ephemeral Everything: Assume your function execution environment is temporary. Don’t store sensitive state in
/tmpfor long periods. - Defense in Depth: Don’t rely solely on the API Gateway. Validate the JWT in the function, check the IAM role, and encrypt the data at the database level.
- Minimize Dependencies: Every npm package you add is a new potential vulnerability (Supply Chain Attack). I use
npm auditand tools like Snyk to monitor my dependencies daily.
Recommended Tooling
You don’t have to do this manually. I use these tools to automate my security audits:
- Snyk: For scanning vulnerabilities in open-source dependencies.
- Checkov: A static code analysis tool for Infrastructure as Code (Terraform/CloudFormation) to find security misconfigurations before deployment.
- AWS X-Ray: To visualize how data flows through your services and identify unexpected calls.
Securing serverless isn’t a one-time task; it’s a continuous process of refinement. If you’re just getting started, I suggest focusing on IAM roles first—they provide the highest ROI for your security efforts.