Is serverless insecure? Let's find out..aws

Posted: Sat Aug 18, 2018 10:27 pm
by morganism
Is serverless insecure? Let's find out..

"This is a simple AWS Lambda function that does a straight exec. Essentially giving you a shell directly in my AWS infrastructure to just run your commands. A security team's worst nightmare.

Do whatever you want. Ultimate goal: take over the account, escalate privs or find some sensitive info."

http://www.lambdashell.com/

Re: Is serverless insecure? Let's find out..aws

Posted: Sat Aug 18, 2018 10:50 pm
by GµårÐïåñ
Serverless, in the context of cloud computing, is not inherently insecure; in fact, in many cases the exact opposite.

However, they do NOT secure your code or YOUR actions; that's your portion under the "Shared Responsibility Model", and that means that flaws in your code are your fault and your responsibility. It is not unique to cloud computing; you can make blunders like this on traditional systems too.

Ultimately the security of the code, app, etc., is the responsibility of the user, and it is their job to ensure they know what they are doing. Just because they allow you to shoot yourself in the foot doesn't mean THEY are insecure, just that you chose to do it that way.