Last updated: April 29, 2026
Why this module exists. Serverless is marketed as "no server to harden", and it is also a new attack surface that most security teams do not review with the rigour they apply to VMs. Lambda functions, Cloud Functions and Azure Functions share the same patterns: event-triggered execution, IAM-defined permissions, ephemeral compute, third-party dependencies. Each of those is an attack vector in its own right.
The Lambda attack surface — what’s different
- Event sources are inputs. S3 PUT events, API Gateway requests, SQS messages, Kinesis records: every field in them (object keys, headers, message bodies, record payloads) is attacker-influenceable, so the usual OWASP injection and path-traversal patterns apply unchanged.
- Execution role = permissions. Lambda does not run as the calling user; it runs as its execution role, whose temporary credentials sit in the function's environment variables. If that role is over-permissioned, every invocation has those permissions, and so does any injection or malicious dependency that gains code execution inside it.
- Cold start vs warm start. The same underlying micro-VM serves many invocations in sequence, so module-level globals, open connections and files in /tmp persist between them. Anything request-scoped that is kept in a global (a tenant ID, a cache, a partial result) is visible to the next caller, and a bug in init code affects every subsequent call on that container.
- Dependencies. npm packages, pip wheels and Lambda layers are code you ship but did not write: a supply chain that executes with the execution role's permissions.
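The following is an added example, not code from this module: a simulated warm Lambda container that exercises three of the points above in Python (the language most Lambda handlers are written in). The S3 event, the handler names, the `/tmp/work` scratch directory and the key allowlist are all constructed for illustration.

```python
"""Added example (not part of the original module): a simulated warm Lambda
container showing event input trusted as a path, request-scoped state kept in
a module global, and the execution role's credentials living in the
environment. Event shape, names and paths are constructed for illustration."""
import posixpath
import re


# Constructed S3 PUT event. Whoever can write to the bucket chooses the key,
# so the key is attacker-controlled input, not metadata.
def s3_put_event(key):
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": "uploads"},
                                "object": {"key": key}}}]}


# ---- event sources are inputs: the object key used to build a /tmp path ----
SCRATCH = "/tmp/work"                     # hypothetical per-container scratch dir
SAFE_KEY = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")  # example allowlist


def scratch_path_vulnerable(event):
    """Trusts the key. A key of "../../etc/cron.d/x" normalises to a path
    outside SCRATCH, so the function writes wherever the key says."""
    key = event["Records"][0]["s3"]["object"]["key"]
    return posixpath.normpath(posixpath.join(SCRATCH, key))


def is_safe_key(key):
    return bool(SAFE_KEY.match(key))


def scratch_path_hardened(event):
    """Allowlists the key, then still checks that the resolved path stays
    inside SCRATCH (defence in depth: either check alone suffices here)."""
    key = event["Records"][0]["s3"]["object"]["key"]
    if not is_safe_key(key):
        raise ValueError("rejected object key: %r" % key)
    path = posixpath.normpath(posixpath.join(SCRATCH, key))
    if not path.startswith(SCRATCH + "/"):
        raise ValueError("path escapes scratch dir: %r" % path)
    return path


# ---- warm starts: module globals survive between invocations --------------
_PROCESSED = []   # initialised once per container, NOT once per request


def handler_leaky(event, context=None):
    """Appends to a module-level list and returns it, so the response to the
    second invocation on a warm container includes the first caller's keys."""
    for rec in event["Records"]:
        _PROCESSED.append(rec["s3"]["object"]["key"])
    return {"processed": list(_PROCESSED)}


def handler_fixed(event, context=None):
    """Request-scoped state lives inside the handler; nothing carries over."""
    processed = [rec["s3"]["object"]["key"] for rec in event["Records"]]
    return {"processed": processed}


def simulate_warm_container(handler, events):
    """Invokes the same handler object repeatedly, as one warm container
    would, and returns each response in order."""
    return [handler(e) for e in events]


# ---- execution role: its credentials sit in the environment ---------------
# These three variables hold the execution role's temporary credentials, so
# anything that dumps os.environ (debug endpoints, verbose error pages,
# exception reporters) hands the role to whoever reads the output.
ROLE_CRED_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")


def redact_env(env):
    """Copy of an environment mapping with the role credentials masked;
    run anything you log or report through this first."""
    return {k: ("<redacted>" if k in ROLE_CRED_VARS else v) for k, v in env.items()}


if __name__ == "__main__":
    print(scratch_path_vulnerable(s3_put_event("../../etc/cron.d/x")))
    print(scratch_path_hardened(s3_put_event("report-2026.csv")))
    calls = [s3_put_event("tenant-a.csv"), s3_put_event("tenant-b.csv")]
    print(simulate_warm_container(handler_leaky, calls)[1])
    print(simulate_warm_container(handler_fixed, calls)[1])
    print(redact_env({"AWS_SECRET_ACCESS_KEY": "secret", "AWS_REGION": "ap-south-1"}))
```

Run it once and compare the two `processed` lists: the leaky handler's second response carries `tenant-a.csv`, a key that belonged to a different invocation. In production the same mechanism leaks cached tenant IDs, half-built responses and database cursors; the fix is the boring one, keep request state inside the handler and reserve globals for things that are genuinely per-container (SDK clients, config).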
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.