Created
April 18, 2025 18:30
lambda_security_check_list.txt
# ✅ AWS Lambda Security Checklist

A practical checklist to help developers write secure AWS Lambda functions—without needing to be security experts.

---

## 🔐 Input Validation

- [ ] Validate and sanitize all incoming event data at the start of the handler.
- [ ] Use strict schemas (e.g., Pydantic for Python) and whitelisting.
- [ ] Avoid relying solely on frontend validation.
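As an added example (not part of the gist), here is what "validate at the start of the handler with a strict schema and whitelisting" looks like for an API Gateway proxy event. The checklist recommends Pydantic; this version uses only the standard library so it runs anywhere, but the shape is the same: parse the body against a fixed schema, reject unknown fields and wrong types instead of coercing them, constrain every value, and fail closed with a 400. The `CreateUserRequest` schema and the field names are assumptions made up for the example.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumed schema for this example: a "create user" endpoint with three fields.
REQUIRED_FIELDS = {"email": str, "plan": str, "display_name": str}
ALLOWED_PLANS = frozenset({"free", "pro"})          # whitelist of accepted values
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_BODY_BYTES = 4096


class ValidationError(ValueError):
    """Raised when the request body does not match the schema."""


@dataclass(frozen=True)
class CreateUserRequest:
    email: str
    plan: str
    display_name: str


def parse_create_user(raw_body: Optional[str]) -> CreateUserRequest:
    """Strict, allowlist-based validation of the raw request body."""
    if not raw_body:
        raise ValidationError("empty body")
    if len(raw_body) > MAX_BODY_BYTES:
        raise ValidationError("body too large")
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        raise ValidationError("body is not valid JSON") from exc
    if not isinstance(body, dict):
        raise ValidationError("body must be a JSON object")

    # Whitelisting: any field not in the schema is rejected, not silently dropped.
    unknown = set(body) - set(REQUIRED_FIELDS)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    for name, typ in REQUIRED_FIELDS.items():
        if name not in body:
            raise ValidationError(f"missing field: {name}")
        if type(body[name]) is not typ:       # strict: no coercion of 123 -> "123"
            raise ValidationError(f"field {name} must be {typ.__name__}")

    # Constrain each value (normalise, bound the length, match an allowlist).
    email = body["email"].strip().lower()
    if len(email) > 254 or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")
    plan = body["plan"]
    if plan not in ALLOWED_PLANS:
        raise ValidationError("invalid plan")
    display_name = body["display_name"].strip()
    if not (1 <= len(display_name) <= 64) or not display_name.isprintable():
        raise ValidationError("invalid display_name")
    return CreateUserRequest(email=email, plan=plan, display_name=display_name)


def handler(event: dict, context=None) -> dict:
    """Lambda entry point: validation is the first thing that happens."""
    try:
        req = parse_create_user(event.get("body"))
    except ValidationError as exc:
        # Short reason only; never echo the raw input back to the caller.
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    # ... business logic would go here ...
    return {"statusCode": 201, "body": json.dumps({"email": req.email, "plan": req.plan})}
```

Note that the type check uses `type(...) is`, so a boolean or number where a string is expected is rejected rather than stringified; with Pydantic the equivalent is a model configured with `extra="forbid"` and strict types.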
---

## 🔑 Authentication & Authorization

- [ ] Protect API Gateway endpoints with Cognito, IAM, or custom Lambda authorizers.
- [ ] Never rely on API keys as an authentication mechanism.
- [ ] Validate JWTs properly (e.g., signature, claims, expiration).
- [ ] Use fine-grained authorization (e.g., with CEDAR and AWS Verified Permissions).
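The "validate JWTs properly" item is where custom authorizers most often go wrong, so here is an added example (not from the gist) of the full check order: pin the algorithm, verify the signature in constant time, and only then trust and check the claims (`iss`, `aud`, `exp`, `nbf`, `sub`). It uses HS256 with a shared key so it runs with the standard library alone; Cognito user pools issue RS256 tokens, for which a production authorizer should use a maintained library (e.g. PyJWT) against the issuer's JWKS, applying exactly the same checks. The `sign_hs256` helper only mints test tokens; the key, issuer and audience values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Any reason the token must be rejected; the caller only sees deny/allow."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a test token (constructed for the example; real tokens come from your IdP)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str,
               now: Optional[int] = None, leeway: int = 30) -> dict:
    """Return the claims of a valid token, or raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:                     # covers binascii/JSON/unicode errors
        raise TokenError("malformed token") from exc
    # 1. Pin the algorithm. Never let header["alg"] choose the verifier
    #    (rejects "none" and algorithm-confusion tokens).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    # 2. Signature first, in constant time, before any claim is trusted.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    # 3. Only now parse and check the claims.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed claims")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        raise TokenError("not yet valid")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def authorize(token: str, key: bytes, issuer: str, audience: str,
              now: Optional[int] = None) -> Optional[dict]:
    """What a Lambda authorizer needs: the claims on success, None on any failure."""
    try:
        return verify_jwt(token, key, issuer, audience, now=now)
    except TokenError:
        return None
```

The order matters: parsing claims before the signature is verified means attacker-controlled JSON reaches your code, and checking `exp` without `aud` lets a valid token for a different API be replayed against this one.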
---

## 🔒 Secrets Management

- [ ] Never store secrets in source code or plaintext environment variables.
- [ ] Use AWS Secrets Manager or SSM Parameter Store (SecureString).
- [ ] Validate environment variables with a schema on cold start.
- [ ] Rotate secrets regularly and automate retrieval.
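Added example (not from the gist) tying the four items above together: the environment is validated against a schema once, at cold start, and is only allowed to carry a *reference* to the secret (a Secrets Manager or SSM ARN), never the secret itself; the value is then fetched through a small cache with a TTL so that rotation is picked up without a call on every invocation. The fetcher is injected so the code runs offline; in a real function it would be `boto3.client("secretsmanager").get_secret_value(SecretId=arn)["SecretString"]`. The environment variable names, the sample ARN and the `SAMPLE_ENV` dictionary are constructed for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Tuple

# Reference to a secret, not a secret: Secrets Manager or SSM Parameter Store ARN.
SECRET_REF_RE = re.compile(
    r"^arn:aws:(secretsmanager|ssm):[a-z0-9-]+:\d{12}:(secret|parameter)[:/].+$"
)
LOG_LEVELS = ("DEBUG", "INFO", "WARNING", "ERROR")


class ConfigError(RuntimeError):
    """Bad environment: fail the cold start rather than run half-configured."""


@dataclass(frozen=True)
class Settings:
    table_name: str
    db_secret_arn: str
    log_level: str


def load_settings(env: Mapping[str, str]) -> Settings:
    """Schema-validate the environment. Call once at module import (cold start):
    `SETTINGS = load_settings(os.environ)`."""
    missing = [k for k in ("TABLE_NAME", "DB_SECRET_ARN") if not env.get(k)]
    if missing:
        raise ConfigError(f"missing env vars: {missing}")
    arn = env["DB_SECRET_ARN"]
    if not SECRET_REF_RE.match(arn):
        # Catches the classic mistake of pasting the password itself into the env.
        raise ConfigError("DB_SECRET_ARN must be a Secrets Manager/SSM ARN, not a value")
    level = env.get("LOG_LEVEL", "INFO").upper()
    if level not in LOG_LEVELS:
        raise ConfigError(f"LOG_LEVEL must be one of {LOG_LEVELS}")
    return Settings(table_name=env["TABLE_NAME"], db_secret_arn=arn, log_level=level)


class SecretCache:
    """Fetch secrets via an injected fetcher and cache them for `ttl` seconds.

    A warm execution environment reuses the cached value; after the TTL the next
    invocation refetches, so a rotated secret is picked up without a redeploy."""

    def __init__(self, fetch: Callable[[str], str], ttl: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._entries: Dict[str, Tuple[str, float]] = {}   # arn -> (value, fetched_at)

    def get(self, arn: str) -> str:
        now = self._clock()
        hit = self._entries.get(arn)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        value = self._fetch(arn)          # in production: Secrets Manager / SSM call
        self._entries[arn] = (value, now)
        return value


# Constructed sample environment for the example.
SAMPLE_ENV = {
    "TABLE_NAME": "orders",
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
}
```

Keeping the secret in a module-level `SecretCache` rather than re-reading it per request also keeps it out of the event, out of logs, and off the hot path.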
---

## 🧱 IAM & Permissions

- [ ] Apply least privilege: only give permissions needed for each function.
- [ ] Avoid `*` in IAM resource or action statements.
- [ ] Do not share IAM roles across unrelated functions.
- [ ] Consider dynamic IAM policies for tenant isolation.
---

## 🧪 Dependency & Code Scanning

- [ ] Scan dependencies for CVEs using tools like Amazon Inspector or Snyk.
- [ ] Add static analysis and security scans to CI/CD pipelines.
- [ ] Use tools like `cdk-nag` or `cfn-nag` to catch IaC misconfigurations.
---

## 📦 Runtime & Code Integrity

- [ ] Use the latest supported Lambda runtime version.
- [ ] Monitor AWS deprecation notices and plan upgrades early.
- [ ] Use Lambda Code Signing for strict code integrity (advanced use case).
---

## 🔥 Error Handling

- [ ] Catch all exceptions and return generic error messages to clients.
- [ ] Avoid exposing internal stack traces or implementation details.
- [ ] Use structured logs for debugging (e.g., with AWS Lambda Powertools).
---

## 🔍 Observability & Logging

- [ ] Monitor metrics: latency, error rate, throttling, memory usage.
- [ ] Use JSON structured logs and correlate with tracing (e.g., X-Ray).
- [ ] Never log sensitive data or full event payloads.
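The Error Handling and Observability sections describe two halves of one handler wrapper, so here is one added example (not from the gist, and not Powertools' own implementation) covering both: every exception is caught and turned into a generic response carrying only a request id; the detail goes to a JSON log line that the request id lets you correlate with the client's report; and the logger redacts sensitive keys and logs a summary of the event rather than the full payload. The `SENSITIVE_KEYS` list and the `make_handler` factory are assumptions of the example; `aws_request_id` is the real attribute on the Lambda context object.

```python
import json
import traceback
import uuid
from typing import Any, Callable, Dict

# Assumed for the example: keys whose values must never reach a log line.
SENSITIVE_KEYS = {"password", "authorization", "cookie", "token", "secret",
                  "ssn", "credit_card", "x-api-key"}


def redact(value: Any) -> Any:
    """Recursively replace values of sensitive keys; keys are matched case-insensitively."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


class JsonLogger:
    """Minimal structured logger: one JSON object per line, redacted on the way out."""

    def __init__(self, sink: Callable[[str], None] = print):
        self.sink = sink

    def log(self, level: str, message: str, **fields: Any) -> None:
        record = {"level": level, "message": message, **redact(fields)}
        self.sink(json.dumps(record, default=str))


def make_handler(business_logic: Callable[[dict], Dict[str, Any]],
                 logger: JsonLogger) -> Callable[[dict, Any], dict]:
    """Wrap business logic so that no exception or internal detail leaks to the client."""

    def handler(event: dict, context=None) -> dict:
        request_id = getattr(context, "aws_request_id", None) or str(uuid.uuid4())
        # Log a summary of the request, never the whole event; headers pass through redact().
        logger.log("INFO", "request received", request_id=request_id,
                   method=event.get("httpMethod"), path=event.get("path"),
                   headers=event.get("headers") or {},
                   body_bytes=len(event.get("body") or ""))
        try:
            result = business_logic(event)
        except Exception as exc:   # catch-all by design: the client gets one generic shape
            logger.log("ERROR", "unhandled exception", request_id=request_id,
                       exception_type=type(exc).__name__,
                       traceback=traceback.format_exc())
            return {
                "statusCode": 500,
                "headers": {"Content-Type": "application/json"},
                "body": json.dumps({"error": "internal error", "request_id": request_id}),
            }
        return {
            "statusCode": 200,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(result),
        }

    return handler
```

With Powertools the same split is `Logger` (structured JSON plus a correlation id) and the exception handling in the event-handler resolver; the point carried over is that the 500 body is a constant and the stack trace exists only server-side, keyed by `request_id`.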
---

## 🧊 Tenant Isolation (Multi-Tenant)

- [ ] Include `tenant-id` in cache keys for in-memory or DB-based caches.
- [ ] Reset tenant-scoped context/loggers at the end of each invocation.
- [ ] Use IAM assume-role with inline policies for tenant data access.
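Added example (not from the gist) for the first two items: a module-level cache survives across warm invocations of the same execution environment, so its keys carry the tenant id and a tenant can only ever hit its own entries, and the current tenant lives in a `contextvars.ContextVar` that is set at the start of the invocation and reset in a `finally` block so nothing tenant-specific leaks into the next request. The event shape (`requestContext.authorizer.tenant_id`, as populated by a custom authorizer) and the `load_tenant_settings` stand-in for a database read are assumptions of the example.

```python
import contextvars
from typing import Any, Dict, Optional, Tuple

# Tenant of the invocation currently running; None between invocations.
_tenant_ctx: contextvars.ContextVar[Optional[str]] = contextvars.ContextVar("tenant_id", default=None)


class TenantScopedCache:
    """In-memory cache reused by warm invocations. Keys are (tenant_id, key),
    so a lookup by one tenant can never return another tenant's entry."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Any] = {}

    def get(self, tenant_id: str, key: str) -> Optional[Any]:
        return self._store.get((tenant_id, key))

    def put(self, tenant_id: str, key: str, value: Any) -> None:
        self._store[(tenant_id, key)] = value


CACHE = TenantScopedCache()      # module level: lives for the execution environment


def current_tenant() -> str:
    """Every data access goes through here; running with no tenant set is a bug."""
    tenant_id = _tenant_ctx.get()
    if tenant_id is None:
        raise RuntimeError("no tenant in context")
    return tenant_id


def load_tenant_settings(key: str) -> Tuple[str, bool]:
    """Return (value, cache_hit). The tenant id comes from context, not from the caller,
    so it cannot be forgotten when building the cache key."""
    tenant_id = current_tenant()
    cached = CACHE.get(tenant_id, key)
    if cached is not None:
        return cached, True
    value = f"settings-for-{tenant_id}"     # stand-in for a per-tenant DB read (assumed)
    CACHE.put(tenant_id, key, value)
    return value, False


def handler(event: dict, context=None) -> dict:
    # Assumed event shape: a custom authorizer has already put tenant_id in the context.
    tenant_id = event["requestContext"]["authorizer"]["tenant_id"]
    token = _tenant_ctx.set(tenant_id)
    try:
        value, hit = load_tenant_settings("settings")
        return {"tenant": tenant_id, "value": value, "cache_hit": hit}
    finally:
        _tenant_ctx.reset(token)   # tenant context never outlives the invocation


def make_event(tenant_id: str) -> dict:
    """Constructed minimal event for the example."""
    return {"requestContext": {"authorizer": {"tenant_id": tenant_id}}}
```

The same reset discipline applies to a tenant-aware logger: if it is a module-level object whose fields you append the tenant id to, clear those fields in the same `finally`, or the next tenant's log lines carry the previous tenant's id.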
---

## 🛡️ Additional Protections

- [ ] Enable AWS WAF to block common attacks and apply rate-based rules.
- [ ] Use reserved concurrency to isolate noisy neighbors.
- [ ] Implement per-tenant or per-user rate limiting (e.g., usage plans, Redis).
- [ ] Encrypt all data in transit and at rest (e.g., with tenant-specific KMS keys).
---

## ✅ Bonus Tips

- [ ] Set appropriate log retention periods.
- [ ] Spread workloads across multiple AWS accounts for blast-radius control.
- [ ] Automate everything—security should scale with your deployment.

---

*Created by [@RanIsenberg](https://ranthebuilder.cloud) – AWS Serverless hero, consultant and software architect.*