Serverless Security
What’s new on AWS Lambda in 2021
This article explores new updates and documentation for AWS Lambda in 2021. Lambda launched several new updates including run container images, cost saving initiatives, and expanded compute capacity.
AWS Lambda is starting the year right with some major feature upgrades such as extra language support, custom runtime, and layers for more concise coding.
Lambda embodies the powerful features of automation and Infrastructure as Code (IaC), allowing us to get a real feel of what it’s all about. The service makes work more seamless for developers with higher security, reliability and efficiency. Discover why we think you’ll love Lambda as much as we do with our overview, background, and key updates of the service. You’ll also learn how Trend Micro Cloud One™ – Conformity uses Lambda to enable you to build better by following the design principles of the Amazon Web Services (AWS) Well-Architected Framework.
What is Lambda?
Lambda is a serverless compute service that automatically runs your code in response to events while managing all the background computing resources, leaving you to pay only for the compute time consumed. You simply upload your code and the service takes care of everything needed to run and scale it with high availability for virtually any application. You can set up your code to trigger automatically from other AWS services with custom logic, or call it directly from any web or mobile app. With high-availability compute resources, administration, and maintenance all taken care of, the code is all you need to worry about.
2021 Lambda Updates
Lambda launched several new updates including run container images, cost saving initiatives, and expanded compute capacity. Let’s take a closer look:
Run Container Images in Lambda: AWS provides base images that you can use to build your functions and you can even run them locally using the toolkit for testing. Once you are ready to publish your container image you can push the image into your Amazon Elastic Container Registry (ECR). Enjoy a whole new way to build, test, run, and have fun with serverless functions.
Cost savings initiatives with Lambda: Take advantage of serverless functions with per 1ms billing. Now you only pay for what you use.
Lambda compute capacity now expanded: Enjoy increased capacity of up to 6 vCPUs with up to 10GB of memory. With capacity closer to that of a server workload, this extends the use of Lambda to a multitude of applications that might otherwise require dedicated compute.
How to build better with Lambda and AWS Well-Architected Framework
A key advantage of using Lambda is that it allows developers to build more effectively and efficiently by referencing the AWS Well-Architected Framework. This framework encourages Lambda best practices in four different areas:
- Function code: The primary takeaway here is to keep your code concise. Keep a close eye on the number of dependencies and their complexity, minimise the runtime deployment package and how long it takes to unpack it, and keep connections live for reuse.
- Function configuration: Testing is key to ensure that you have the best memory size and timeout value. It’s also important from a security and reliability standpoint that, when using AWS Identity and Access Management (IAM), you implement the most restrictive permissions, delete any unused Lambda functions, and be aware of Lambda limits.
- Metrics and alarms: The use of Amazon CloudWatch means you’re able to effortlessly stay up to date with the health of your Lambda functions. With Lambda metrics and dimensions, any application errors are caught.
- Working with streams: It’s worth testing with different batch and record sizes to check how well the function is able to complete its task. A large batch size can often increase your throughput, as it’s able to efficiently absorb the invoke overhead. Adding more shards to your Amazon Kinesis Data Streams process is another way to increase throughput.
How Conformity Uses AWS Lambda
Conformity is a cloud native service that enables you to fulfill your side of the shared responsibility model with continuous guardrails for your cloud. It provides continuous security, compliance, and governance to help you manage cloud resources in a multi-cloud environment for a strong security posture. Conformity takes building to the next level by monitoring Lambda with its own set of rules to further aid and simplify your build processes. Here’s how the rules work:
- Lambda Runtime Environment Version: Checks that your functions are running on the latest Lambda execution environment version so that they benefit from following best practice. Also ensures you’re accessing the most recent bug fixes and software features for optimum performance and reliability.
- Lambda Cross Account Access: Ensures that your Lambda functions are only accessible by trusted AWS accounts by checking for and highlighting any foreign AWS accounts that have not been explicitly specified in the rule settings.
- Lambda Tracing Enabled: Checks that AWS X-Ray, a Lambda monitoring tool, is enabled against your functions, so you have visibility of the data around requests and performance. This clever service gives you insights so you can spot issues and identify areas for optimisation.
- Function Exposed: Scans for any publicly accessible functions so you can update the related Lambda access permissions to ensure that unauthorised users aren’t sending requests to invoke events.
- Lambda Functions with Admin Privileges: Finds any Lambda functions whose permissions incorrectly grant administrator access so you can rectify it. Shout out to the principle of least privilege.
- Using an IAM Role for More Than One Lambda Function: Respects the principle of least privilege by ensuring that the Lambda IAM role is kept to a strict one-to-one relationship. The IAM role should not be shared between different Lambda functions as each should maintain the minimal amount of access needed to perform its task.
- Enable Encryption for Lambda Environment Variables: Keeps your sensitive information safe by ensuring encryption is enabled.
- Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption: Ensures that your Lambda environment variables are encrypted using AWS Key Management Service (KMS) Customer Master Keys (CMK) so you have full control over data encryption and decryption.
- VPC Access for AWS Lambda Functions: Makes sure that your Lambda functions only have access to virtual private cloud (VPC) resources such as Amazon Redshift data warehouses, Amazon ElastiCache clusters, Amazon Relational Database Service (Amazon RDS) instances, and service endpoints.
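The Function Exposed, Cross Account Access and Admin Privileges rules above all reduce to inspecting IAM policy documents. The following is an added example (not Conformity’s own rule code) that applies those three checks to constructed policy documents; the account ids and function ARN are placeholders.

```python
import json
import re

# Accounts allowed to invoke the function (constructed placeholder id).
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed resource-based policy in the shape lambda:GetPolicy returns.
FN_ARN = "arn:aws:lambda:us-east-1:111111111111:function:demo"
SAMPLE_RESOURCE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "events.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
]})

# Constructed execution-role policy that grants full administrator rights.
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Return the 12-digit account ids named by a Principal; '*' means anyone.
    Service principals (e.g. events.amazonaws.com) carry no account and are skipped."""
    if principal == "*":
        return {"*"}
    found = set()
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            found.add("*")
        else:
            match = re.search(r"\d{12}", entry)  # bare id or arn:aws:iam::<id>:root
            if match:
                found.add(match.group(0))
    return found

def check_resource_policy(policy_json, trusted=TRUSTED_ACCOUNTS):
    """Function Exposed + Cross Account Access: (is_public, foreign account ids)."""
    public, foreign = False, set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})):
            if acct == "*":
                public = True
            elif acct not in trusted:
                foreign.add(acct)
    return public, foreign

def grants_admin(policy_doc):
    """Admin Privileges: an Allow statement covering every action on every resource."""
    return any(stmt.get("Effect") == "Allow"
               and "*" in _as_list(stmt.get("Action", []))
               and "*" in _as_list(stmt.get("Resource", []))
               for stmt in policy_doc.get("Statement", []))
```

Against the constructed policies, `check_resource_policy` reports the function as public with one foreign account, and `grants_admin` flags the role policy.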
At Trend Micro, we’re big fans of IaC and automation and so the use of AWS Lambda is inherently part of our business. Conformity boasts an auto-remediation capability for failed checks. This is provided to you with the code (bundled as a Serverless Framework package) to add directly to your AWS account, which includes a trigger to launch a Lambda function to remediate the issue.
Conformity also offers continuous assurance that your multi-cloud infrastructure configurations are secure, compliant, and optimised according to the design principles of the AWS Well-Architected Framework. Our Knowledge Base of over 750 configuration checks ensures you’re following best practice and that your Lambda functions are performing efficiently and securely so you can build at your best. Check out our free 30-day trial to see for yourself.
Discover how to secure your images with AWS Lambda Serverless Functions: https://www.trendmicro.com/en_us/devops/21/g/secure-your-images-with-aws-lambda-serverless-functions.html