November 9, 2021

5 Serverless Security Best Practices to Protect Your Cloud Environment

Serverless software architecture is among the thrilling trends in contemporary software development.

With it, your DevOps team can focus on writing code without worrying so much about OS updates, infrastructure, or patches.

However, while cloud application development is simple now, it doesn’t mean writing off the responsibility and need for serverless security.

Continue protecting your cloud environment by maintaining or enhancing your defenses. Here are some serverless security best practices to implement:

1. Leverage serverless security tools alongside WAF protection.

Establishing web application firewalls (WAF) is critical, but you can’t solely rely on them to defend your cloud environment. You need to use robust serverless security tools alongside your WAF protection measures.

Here’s why.

Conventional WAFs can act as the first line of defense against broken authentication, injection attacks, and other security threats. However, they can’t defend your cloud environment from certain occasion trigger types.

WAFs only safeguard the API gateway and assess every HTTP/S request passing through it. They can’t help you if you wish to protect functions not triggered by the API gateway.

That is why serverless security technologies can supplement that gap. They can automate your risk mitigation and beef up your defenses against new attack vectors in serverless functions. They can also heighten your visibility over vulnerabilities.

All these enable your DevOps teams to work more smoothly, experience fewer disruptions to app development, deploy and manage code safely, etc.

2. Perform audits for your cloud-based applications.

Conduct regular application audits to catch any cyber adversary’s attempt to contaminate your applications. This is crucial whether you develop your cloud applications on open-source platforms or relatively secure ones, e.g., Microsoft Azure and AWS.

This practice is additionally significant if you provide cloud computing services. Since they are among the software development trends in 2021, hackers will likely make you their next target and profit from your hard work.

Through code audits, you can uncover outdated or open-source software you may have used or developed. This software type carries bugs and other critical security risks that can harm your code authenticity and ownership.

In case you’re wondering, here’s how that happens:

Applications built on the cloud comprise numerous modules, sub-modules, and libraries. So single serverless functions usually have code running on tens of thousands of lines from several external sources. That still happens even if your developers only created less than a hundred lines of code.

Cyber attackers then attempt to implement the “poisoning the well” tactic. They insert malicious code into projects built on open-source platforms and wait until the new version gets into your cloud applications.

You can then deploy infected software products that can further jeopardize your clients’ IT networks and data assets. This can result in breaches, financial and client trust losses, and even company shutdown, among others.

So, run regular automated and manual code audits to protect the integrity of your code and cloud software products and services, including your business.

3. Run timeouts for your functions.

Restricting how long your functions should run is a serverless security best practice you can’t ignore.

However, creating proper serverless function timeouts isn’t user-friendly since the maximum duration depends on a specific function.

Nevertheless, you need to apply a tight runtime profile for your functions.

Additionally, your DevSecOps teams should take into account the configured timeout against the actual one.

Many developers set up timeouts with the maximum permitted duration since the unused period generates no extra cost.

However, this tactic poses a massive cloud security risk. If cyber attackers succeed in injecting malicious code, they have plenty of time to inflict harm.

Shorter timeouts will prompt hackers to attack more frequently (known as the “Groundhog Day” assault). This exposes them and enables you to stop and catch them.

4. Enforce “one role per function.”

Always try adopting a one-role-per-function principle, and don’t designate a single role for several functions either.

An ideal single function has a 1:1 relationship with a role in your identity and access management (IAM).

When crafting your IAM policies, align them with the principle of least privilege. Remember that excessive permissions are often among the most crucial misconfigurations that cyber adversaries exploit.

Follow these best IAM practices:

  • Build layers of trust through multi-factor authentication: passwords, keys, security passes, biometric information, voice recognition systems, etc.
  • Always keep account credentials to cloud environments confidential.
  • Instead of sharing accounts, create individual IAM user accounts for your employees who need to access cloud resources.
  • Apply distinct sets of permissions for employees according to their responsibilities, job requirements, and other significant factors.
  • Examine your IAM policies regularly.
  • Avoid embedding keys into instances or code. Use the built-in roles or identities instead in platforms you use (e.g., AWS Roles, Azure Service Principal, etc).
  • Remove unnecessary IAM users and their account credentials.
  • Carry out robust password creation protocols: maximum and minimum password length, password expiration, use of special characters, and restrictions on dictionary words and repetitive and sequential characters.

5. Fall back on the three primary information security pillars.

Always refer back to the three essential pillars of information security when tightening your serverless security.

Following are the three pillars and the best practices that fall under each of them:


  • Regulate access by permitting only authorized users and services to communicate with your serverless functions.
  • Enforce the “least privilege” principle when assigning roles and permissions to serverless functions.
  • Limit network entry and exit to and from sources and destinations.
  • Practice the “separation of concerns” security principle and reduce blast radius by creating distinct policies and roles for various functions.


  • Ensure that the function data at rest and in transit are encrypted.
  • Use logging and monitoring tools to boost visibility over your serverless functions, interdependent resources, audit trails, and actions done by or on your functions.


  • Implement sufficient restrictions on memory, compute, concurrency, execution duration, and others to thwart denial-of-service triggered by runaway functions.
  • Monitor account-level restrictions and request a limit increase from your provider if necessary.

No better time than now to prioritize your serverless security

Modern cybersecurity threats continue to evolve and attack the most vulnerable cloud environments — which is why you need to prioritize serverless security. Establishing these and other best practices can go a long way in keeping your business safe and those risks at bay.

Moreover, since serverless functions work differently, take a holistic approach when securing your cloud-native workloads on serverless platforms. Do so consistently when they’re at runtime and across the CI/CD pipelines.

About the author 

Peter Hatch

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}