As more and more organizations are moving towards a serverless or Function as a Service (FaaS) architecture and framework, understanding how this affects security is essential.  There are both pros and cons to implementing a serverless solution from a security perspective. This course will look at both the benefits and the negatives when adopting a FaaS solution and how this affects the safeguarding of your data.  

Most people have a deeper understanding of IaaS security, but some of the secure methods used within IaaS are not required within FaaS and vice versa.  There are also a number of security threats and concerns which affect both FaaS and IaaS architectures which will also be discussed.  
Towards the end, the course explains how serverless is impacted by the OWASP (Open Web Application Security Project) Top 10 list of vulnerabilities.

Learning Objectives

By the end of this course, you will

  • Understand and be able to distinguish between the pros and cons of serverless security
  • Understand where to focus additional security controls in a FaaS solution
  • Have a general overview of how security differs from that of a typical IaaS solution

Intended Audience

The content in this course would be beneficial to:

  • Engineers who are focused on delivering secure serverless solutions within an enterprise environment
  • Security architects looking to enhance their knowledge of FaaS solutions
  • Developers deploying applications within a serverless environment


As a prerequisite of this course you should have a basic knowledge and awareness of the following:

  • A general understanding of what Serverless means
  • An understanding of what FaaS and IaaS relate to
  • A basic awareness of different attack vectors, such as DoS
  • AWS Lambda
  • Amazon Cognito
  • Amazon API Gateway
  • Security controls within IAM




Hello and welcome to this lecture where I just want to highlight and cover the main points taken from the previous lectures. I started this course by discussing some of the security benefits that are to be had with FaaS solutions, and here I covered that using serverless compute, you no longer have the responsibility of managing the instance, as that is performed by AWS. Patch management of your infrastructure is no longer required by the customer. And AWS Lambda is PCI compliant. In a denial of service attack, the resources are automatically scaled out to handle additional load with ease, so it's much harder to disrupt the service. However, this does cause an adverse negative effect, as you would need to pay for any resource consumed during the attack. When using the 512 temporary storage for Lambda invocations, it should only be used for non-sensitive data. This is often used as a cache if your Lambda's RAM is not enough. 

Next I looked at some of the downfalls of serverless security, and these included functions that needed to be managed efficiently due to the associated permissions. It's best practice to remove any unused and unwanted AWS Lambda functions. And for each function you can check the invocations count over time and the currently active triggers. If you have zero invocations, or zero active triggers, it's likely it's unused. Third parties can cause a weak link in data transmission, authentication, and encryption. And the number of toolsets to manage, track, monitor, and log serverless environments in detail is still relatively low. 

I then looked at some of the security concerns that exist for both infrastructure as a service and function as a service solutions, and these included the following; data encryption mechanisms should be used for when data is in transit and at rest, especially when working with sensitive data, management of access control to your resources is key, you should work on the least privileged role when assigning permissions to reduce attack surface and exposure, ensure you are sanitizing your code, especially when using third party libraries and dependencies, and security best practices should be followed at all times when writing your code to minimize risk and exposure. Your code should be written to only perform that function that it needs to perform, nothing more, nothing less. And application level security is very much a vulnerability in function as a service. 

Following this lecture, I then focused more on the point of application level security, and in this lecture I discussed the following points; FaaS solutions incur the same security threats and exposures for application security when compared to infrastructure as a service solutions, the OWASP top 10 list represents the most critical web application security risks that exist, Amazon API Gateway, and Amazon Cognito can go some way into protecting against injection attacks, Amazon Cognito can help to prevent against broken authentication vulnerabilities, multi-factor authentication should be used where possible for authentication, remove any unused dependencies within your code, use official sources when obtaining your libraries, perform code review and use static analysis tools, and sanitize your inputs to avoid vulnerabilities relating to the OWASP top 10 list. 

That now brings me to the end of this lecture, and to the end of this course. You should now have a greater understanding of some of the security differences between IaaS and FaaS solutions, allowing you to gain a deeper insight into some of the positives and negatives of serverless security. 

If you have any feedback on this course, positive or negative, please do contact us at, your feedback is greatly appreciated. Thank you for your time, and good luck with your continued learning of cloud computing. Thank you.
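
The unused-function check from the lecture (zero invocations or zero active triggers), combined with its point about least privilege, as an added example that is not part of the course material. The inventory records, field names and function names are constructed assumptions; in a real account the values would come from the Invocations metric, each function's triggers and its execution role policy.

```python
# Constructed sample inventory (not real account data). In practice the fields
# would be filled from the Invocations metric, each function's triggers, and
# the policy statements on its execution role.
INVENTORY = [
    {"name": "orders-api", "daily_invocations": [120, 98, 143],
     "triggers": ["api-gateway"],
     "statements": [{"Effect": "Allow", "Action": "dynamodb:GetItem",
                     "Resource": "arn:aws:dynamodb:*:*:table/orders"}]},
    {"name": "legacy-export", "daily_invocations": [0, 0, 0],
     "triggers": ["schedule"],
     "statements": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]},
    {"name": "thumbnail-test", "daily_invocations": [4, 0, 0],
     "triggers": [],
     "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::example-bucket/*"}]},
]

def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise."""
    return [value] if isinstance(value, str) else list(value)

def unused_reasons(fn):
    """Apply the lecture's heuristic: zero invocations or zero active triggers."""
    reasons = []
    if sum(fn["daily_invocations"]) == 0:
        reasons.append("zero invocations")
    if not fn["triggers"]:
        reasons.append("zero active triggers")
    return reasons

def broad_statements(fn):
    """Count Allow statements with a wildcard action or an unrestricted resource."""
    count = 0
    for st in fn["statements"]:
        if st.get("Effect") != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in as_list(st["Action"]))
        wild_resource = "*" in as_list(st["Resource"])
        if wild_action or wild_resource:
            count += 1
    return count

def triage(inventory):
    """Return likely-unused functions, broadest permissions first."""
    flagged = [(fn["name"], unused_reasons(fn), broad_statements(fn))
               for fn in inventory if unused_reasons(fn)]
    return sorted(flagged, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for name, reasons, broad in triage(INVENTORY):
        print(f"{name}: {', '.join(reasons)}; broad statements: {broad}")
```

Sorting by broad statements puts the unused functions whose roles grant the most at the top of the removal list.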

About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.