Serverless has become a very popular method of application delivery; it enables organizations to deploy applications without having to manage back-end infrastructure. Organizations often adopt serverless architecture because it reduces costs, enhances developer productivity, scalability, and more.
Serverless offers a number of benefits, but there are also some security risks and issues that must be addressed. We discussed this previously in a dedicated article about the security challenges of serverless architectures, where we covered a number of best practices. We also published articles on more specific issues, e.g, preventing injection attacks on serverless applications and achieving secure authentication on serverless.
In this article, we’ll discuss monitoring, which is another important aspect of serverless security. The complexity of serverless platforms requires focused logging and monitoring solutions that simplify observability. We’ll look at why monitoring serverless applications is important, the inherent challenges of doing so, some best practices to follow, and then end with a list of popular tools to consider.
Why Serverless Monitoring is Important
Traditional security mechanisms don’t apply to serverless applications. Therefore, developers can’t take anything for granted; vulnerabilities that would be rare in a traditional framework must be anticipated, and prevented, in a serverless context. Monitoring plays a key role in this.
For a serverless application, if effective monitoring and logging are not in place, a number of unwelcome problems can arise.
Can’t intercept potential attacks
The most serious breaches usually begin with a reconnaissance phase, where the attackers probe the target for vulnerabilities. If a real-time monitoring system is not in place, the victim won’t know that this is occurring, and security teams can’t take steps to forestall and prevent the attacks.
Can’t block penetration attempts
Inadequate event monitoring of serverless applications could also mean that login failures, access control rejections and server-side input validation failures remain unidentified and unrecorded. Attackers can attempt multiple authentication bypass methods until they successfully gain access to the targeted application and its sensitive data.
Slower response when attacks occur
Appropriate visibility mechanisms include alerts and error messages to be displayed when malicious activity is detected. Serverless applications with improperly configured monitoring can be more easily compromised, since teams cannot quickly and efficiently respond to missing, unclear, or inadequate event-error alerts.
Worse damage from successful attacks
When a serverless application is attacked, the malicious actor typically begins by injecting malicious inputs into the event stream. If events are not closely monitored, a successful attack can penetrate much deeper into the stack without getting discovered, and often the attacker can convert a single exploit into a compromise of multiple system components.
Difficult to improve the security posture
In addition to the acute problems described above, inadequate monitoring can create longer-term problems as well. For example, without detailed monitoring and logging of events, it becomes much harder to track the activities of malicious accounts, and security teams cannot analyze and contextualize normal user behavior.
Challenges of Monitoring a Serverless Framework
Clearly, monitoring is a crucial part of serverless security. However, compared to traditional deployments, serverless applications present unique challenges for monitoring.
First, a serverless application is a collection of one or more ephemeral and isolated functions. While this distributed nature helps with enhanced scalability and efficiency, it also makes it difficult to provision a standard event-data analytics platform to ingest and present application logs. Serverless computing is a relatively new concept (the first publicly available service was AWS Lambda, launched in 2014); industry still does not have a mature stack to enable end-to-end monitoring for application visibility.
In addition to this, the ephemeral nature of serverless functions also make it difficult to trace or reproduce events in the event of a security incident. Also, organizations find it difficult to implement a serverless monitoring solution that easily integrates into CI/CD pipelines while automating code visibility and instrumentation.
To mitigate these problems, the major cloud service providers offer some specialized tools. However, these aren’t necessarily full-featured products for serverless; some are really just extensions of the CSP’s other services. Plus, they are only useful to organizations willing to commit exclusively to one cloud provider for all of their needs, which is becoming less common today.
Having said all that, this is an active and rapidly-evolving space. At the end of this article, we’ll list some tools that are worth investigating.
Before then, let’s discuss some practices that the tools should help you accomplish.
Best Practices for Serverless Security
Monitoring a serverless application presents some unique challenges. The sheer number of data points for logging serverless events makes security visibility and administration difficult, as teams can be overwhelmed with event data. Here are some best practices to help with this.
Apply Perimeter Visibility Mechanisms at the Function Level
Serverless functions break down an application into small, modular components that are executed using events and triggers. This creates more potential attack vectors for hackers to use. Developers and security teams should treat each function as an independent system (which it is), and secure its perimeter as if it were a full-blown integrated application. This includes setting up monitoring mechanisms for events, functions and services, to enable instant detection and remediation of malicious activities.
Create and Monitor Least Privilege Roles for Each Function
Each function should have its assigned role(s), with the least amount of privileges necessary. Monitoring can then be used to continuously assess resource access attempts (or use auto-remediation mechanisms), to ensure that each role has the privileges it needs, but no more.
Monitor Multiple Categories of Events
Some events have obvious security implications, while others are not as clear. Here’s a minimal list of event categories that should be monitored and logged; some of them should also trigger alerts. (Note that this list is for illustration purposes, and is not necessarily meant to be exhaustive; a production system would often do much more than this.)
- Authentication: Failed login attempts are a must for tracking. Successful logins can also be useful.
- Authorization: Failed attempts (due to inadequate privileges) to invoke serverless functions or access resources can be important.
- Communication: Outbound connections from serverless functions can be especially significant.
- Administration: Ideally, the most significant of these would trigger immediate alerts: events such as changes to file/resource permissions, function permissions, function execution roles, and so on. Others events, such as successful deployments, might only be logged.
- Errors and Failure Reports. Some of these should trigger alerts (e.g., access attempts from unauthorized external sources, or anomalous interfunction data flow), while others might only be logged (such as function execution timeouts or concurrent limits being exceeded).
- Security: A good web security solution should automatically display and log the events it generates (e.g., ‘a SQL injection attempt was blocked’). The best solutions will also integrate with a wide variety of other systems, allowing you to consolidate all your monitoring and logging into your reporting solution of choice.
Take Advantage of Your Cloud Provider’s Resources
Each of the major CSPs offer some resources for using their platforms for serverless. You should familiarize yourself with those relevant to your use case.
- AWS: Monitoring and troubleshooting Lambda applications. (See also this and this.)
- GCP: Monitoring Cloud Functions
- Azure: Monitor Azure Functions
Popular Tools for Serverless Security
For many organizations, serverless security is still partially a roll-your-own endeavor, especially in the area of monitoring. Nevertheless, there are some tools that can help. Here are some popular tools to consider.
CloudWatch is a logging and monitoring tool that integrates natively with AWS products. CloudWatch enables the investigation of cold starts and application performance through tracing and profiling. The solution works out of the box for AWS Lambda users, and can integrate with some other serverless platforms for custom applications.
Epsagon is a lightweight serverless monitoring platform that instantly visualizes services automatically. Epsagon has cloud management tools and customizable logs that enable insights into application performance at runtime. The platform relies on service maps, granular tracing and custom dashboards to enhance product and developer productivity.
Snyk is a developer-first platform that uses a custom vulnerability database to provide software teams with security intelligence. With Snyk, software teams can easily find, prioritize, and fix weaknesses in open source code and dependencies. Snyk integrates with existing development stacks and enables proactive vulnerability fixes for optimized application security.
Reblaze provides robust cloud-native security that works just as well for serverless as it does for more traditional architectures. It includes a next-gen WAF, DDoS protection, hostile bot management, ATO (Account Takeover) prevention, API security, and more. Here’s how to contact Reblaze to learn more or schedule a demo.
Serverless functions pose some unique challenges for security. Monitoring and visibility are important, but often neglected, aspects of this. Developers and security teams who implement robust monitoring and alerting mechanisms can greatly improve their serverless security posture, and in so doing, can help their organizations reap the increased velocity benefits of serverless computing.