The Security Benefits and Misconceptions of Serverless Architecture

January 1, 2023

One approach to hosting your app that has gained popularity in recent years is serverless architecture. In this model, your app runs in a fully managed environment, and you only pay for the specific resources and functions that are used. Personally, I understand some of the push-back on the term "serverless" as it is a bit misleading. There is very much still a "server" that your code is sitting on and being "served" from, but your role as sysadmin is greatly diminished, in a mostly positive way. It is certainly not the mole hill I am willing to die on, as we can all simply agree on the spirit of the term.

cybersecurity.dev is hosted on a "serverless" architecture.

The site is made up of HTML, CSS, and JS files placed in an S3 bucket provided by AWS. The S3 bucket is configured to serve the files as a static website. The domain name is configured to point to the S3 bucket. The S3 bucket is configured to allow public access to the files. That's it. No servers, no sysadmin, no maintenance, no patching, no scaling, nothing. But keep in mind that it's just a static website. It's not even a "serverless" architecture; the only thing that is "serverless" is the fact that I don't have to worry about the server.

There really isn't much to "hack" on a static website.

This brings me to another point: a static site such as this (without users, inputs, API calls, etc.) leaves nothing to "hack" (although that won't stop the "legion of dumb bots" and their incessant requests for /wp-admin 🦾). If/when we allow comments on the site, we will have to consider user input, Cross-Site Scripting (XSS), etc., but until then, the worst case is that someone is able to access our S3 bucket and remove/edit files. That is fixed as simply as rebuilding and redeploying the site (with MUCH more work and audits on how the heck someone got access to our S3 bucket!).
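An added example, not part of the original post or the site's tooling: a Python check of a bucket policy that reports any statement letting anonymous users do more than read objects, which is the remove/edit scenario described above. The policies and the bucket name example-static-site are constructed for illustration.

```python
import json

READ_ONLY = {"s3:getobject"}  # all an anonymous visitor of a static site needs

def _as_list(value):
    """Policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def risky_public_statements(policy_json):
    """Return (Sid, action) pairs that let anonymous users do more than read.

    Condition blocks are not evaluated, so a conditioned grant is still reported.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:  # "everything except ..." is never read-only
            findings.append((sid, "NotAction"))
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in READ_ONLY:
                findings.append((sid, action))
    return findings

def _policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

# Constructed policies; "example-static-site" is a placeholder bucket name.
RESOURCE = "arn:aws:s3:::example-static-site/*"
PUBLIC_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": RESOURCE}
PUBLIC_WRITE = {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": RESOURCE}
INTENDED_POLICY = _policy(PUBLIC_READ)
MISCONFIGURED_POLICY = _policy(PUBLIC_READ, PUBLIC_WRITE)

if __name__ == "__main__":
    for sid, action in risky_public_statements(MISCONFIGURED_POLICY):
        print(f"{sid}: anonymous {action}")
```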

Of course, this is not to say all static sites are automatically immune from security issues.

Two of many examples to be mindful of:

  • Since everything is available to the client, you risk exposing sensitive information such as API keys, etc.
  • You will also want to audit any backend APIs that are being called from the client, to ensure they are not vulnerable.
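An added example (not from the original post) for the first point: a Python scan of the build output, run before upload, that flags credential-like strings in client-side files. The rule set, file suffixes and sample script are assumptions made for this example; the access key ID in the sample is the placeholder value AWS uses in its documentation.

```python
import re
from pathlib import Path

# Rules are illustrative, not exhaustive; tune them for the keys your stack uses.
RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passw(?:or)?d)\b[\"']?\s*[:=]\s*"
        r"[\"']([^\"'\s]{16,})[\"']"),
}
TEXT_SUFFIXES = {".html", ".js", ".css", ".json", ".map", ".txt", ".xml"}

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs for every match in text."""
    hits = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.add((lineno, name))
    return sorted(hits)

def scan_tree(root):
    """Scan every text asset under the build directory that will be uploaded."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            rel = path.relative_to(root).as_posix()
            findings += [(rel, lineno, rule) for lineno, rule in scan_text(text)]
    return findings

# Constructed sample: a bundled script that shipped its configuration to the client.
SAMPLE_JS = (
    'const cfg = {\n'
    '  region: "us-east-1",\n'
    '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
    '  apiKey: "sk_test_constructed_value_0001"\n'
    '};\n'
)

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE_JS):
        print(f"line {lineno}: {rule}")
```

Running scan_tree on the build directory as a deploy step and failing the deploy on any finding keeps a leaked key from reaching the public bucket.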

There are several security benefits to hosting your app on serverless architecture. One of the main benefits is that you don't have to worry about patching and maintaining servers, as the infrastructure is fully managed by the provider. This can help reduce the risk of vulnerabilities due to outdated software or misconfigured servers. Additionally, serverless architecture can help improve security by providing built-in security controls and monitoring, as well as automatic scaling to handle unexpected traffic spikes.

However, there are also potential security misunderstandings when it comes to serverless architecture.

One common misunderstanding is that because the infrastructure is fully managed, security is completely taken care of. While the provider is responsible for maintaining the underlying infrastructure, it's still important for developers to implement secure coding practices and follow security best practices when building and deploying their app on serverless architecture.

Another potential misunderstanding is that serverless architecture is completely immune to attacks such as Denial of Service (DoS) attacks. While serverless architecture can provide some protection against DoS attacks due to its ability to automatically scale, it's still important to implement proper rate limiting and other security measures to protect against these types of attacks. However, for a truly static site that is loaded on the client, it is very unlikely that a DoS attack would be successful.

All of the above said, there are still measures you can take to help secure your app on serverless architecture. Here are a few best practices:

Implement encryption

Use encryption to protect sensitive data transmitted between your app and users' devices. With AWS Lambda, you can use the AWS Key Management Service (KMS) to encrypt your environment variables and other sensitive data.

Use IAM roles

Use IAM roles to grant permissions to your app and restrict access to resources. This can help protect against unauthorized access to sensitive data or resources.

Implement proper rate limiting

Implement rate limiting to protect against DoS attacks and other types of malicious traffic. With AWS Lambda, you can use AWS WAF to implement rate limiting.

Use security headers

Use security headers such as X-Frame-Options and X-XSS-Protection to protect against cross-site scripting attacks and other threats. With AWS Lambda, you can use the response headers feature to add security headers to your app's responses.
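One way to apply such headers from the function itself, as an added example rather than code from the original post: a Python decorator for a Lambda handler whose returned dict carries the response headers (the shape used behind API Gateway proxy integrations and function URLs). It goes beyond the two headers named above by adding Content-Security-Policy and others; because current major browsers no longer implement the XSS filter that X-XSS-Protection controlled, the block sets that header to 0 and relies on CSP. The header values and the /embed route are assumptions.

```python
import functools

# Baseline headers. The first two are the ones named in the article; the rest
# are additions for this example. All values are assumptions to adapt per site.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",  # legacy filter is gone from current browsers
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def with_security_headers(handler):
    """Wrap a Lambda handler so every response carries the baseline headers."""
    @functools.wraps(handler)
    def wrapper(event, context):
        response = dict(handler(event, context))
        headers = dict(response.get("headers") or {})
        # Header names are case-insensitive: do not duplicate or override a
        # header the handler set on purpose under different casing.
        present = {name.lower() for name in headers}
        for name, value in SECURITY_HEADERS.items():
            if name.lower() not in present:
                headers[name] = value
        response["headers"] = headers
        return response
    return wrapper

@with_security_headers
def handler(event, context):
    # Hypothetical handler: one route deliberately allows same-origin framing.
    if event.get("rawPath") == "/embed":
        return {"statusCode": 200,
                "headers": {"x-frame-options": "SAMEORIGIN"},
                "body": "embed"}
    return {"statusCode": 200, "body": "ok"}

if __name__ == "__main__":
    for name, value in handler({"rawPath": "/"}, None)["headers"].items():
        print(f"{name}: {value}")
```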

By following these best practices and staying up to date on the latest security threats and trends, you can help secure your app on serverless architecture and take advantage of the many benefits this hosting approach has to offer.