Explore foundational security best practices for Lambda with this quiz, designed to enhance your knowledge on permission management, secure environment variables, and safe deployment methods. Improve your understanding of key security principles for designing and executing reliable serverless functions.
Which security principle recommends granting Lambda functions only the permissions they absolutely require, instead of broad access?
Explanation: The principle of least privilege advises that Lambda functions should have only the permissions necessary for their task, limiting possible damage from compromised components. 'Open access' and 'Maximum privilege' are risky because they provide unnecessary rights. 'Privilege escalation' is a security problem to be avoided, not a principle to follow. By applying least privilege, exposure to threats is minimized.
What is the recommended way to store sensitive data like passwords or API keys used by Lambda functions?
Explanation: Storing sensitive information in encrypted environment variables helps keep credentials secure and separate from the Lambda code. Hardcoding secrets in the code or placing them in public repositories exposes them to unauthorized users. Plain text logs are insecure as they can be easily accessed and read. Encrypting variables adds a protective layer for confidential data.
How can you prevent a Lambda function from accessing unauthorized external networks or systems?
Explanation: Strict network and firewall settings help control what the Lambda function can reach, preventing unwanted network access. Increasing timeout or memory does not affect network security, but rather performance. Disabling error handling does not contribute to access restrictions. Proper network controls are essential to limit exposure.
What best practice should be followed to manage third-party libraries and dependencies in Lambda functions?
Explanation: Regular auditing and updating of dependencies help prevent exploitation through known vulnerabilities in third-party code. Ignoring updates risks leaving security holes open. Downloading dependencies on each invocation can introduce performance and security issues. Outdated libraries might have unpatched flaws, making them unsafe.
Which security measure helps to prevent injection attacks in Lambda functions that process user input, such as processing form submissions?
Explanation: Sanitizing and validating user input stops malicious data from being executed, which guards against injection attacks. Increasing timeout or disabling encryption does not address input security. Using public APIs without restrictions may expose functions to unvalidated content or attackers. Proper input handling is the key defense in this case.
When using logs in Lambda functions, what should you avoid to maintain good security practices?
Explanation: Logging sensitive information like passwords creates a serious risk if logging systems are accessed by unauthorized parties. Logging execution status, errors, and invocation times is standard practice and aids monitoring without exposing confidential information. Always ensure logs are free from secret data.
Why is it important to assign specific execution roles to Lambda functions instead of sharing one role with all functions?
Explanation: Assigning unique roles per function ensures that each Lambda function only has the permissions it truly needs, enhancing security. Sharing one role across all functions can create excessive privileges and potential risks. The answer does not relate to deployment speed, storage, or code size. Tailoring roles strengthens access control.
What is one reason security best practices recommend setting reasonable timeout values for Lambda functions?
Explanation: Reasonable timeout settings reduce the likelihood of functions being exploited for prolonged execution, limiting the potential for denial-of-service or resource exhaustion attacks. Timeout settings do not enhance computational power, code readability, or storage. Controlling execution time is a practical step toward security.
How should Lambda code be protected during deployment to prevent unauthorized changes?
Explanation: Cryptographic checks ensure the code being deployed has not been altered by unauthorized parties. Storing code in public folders or allowing anonymous changes exposes it to tampering. Disabling versioning removes the ability to roll back to a known-good state. Integrity verification helps maintain trusted deployments.
Which method helps improve Lambda security when the function is triggered by an API call?
Explanation: Adding authentication and input validation at the API gateway reduces the risk of unauthorized access and harmful data reaching the Lambda function. Accepting all inputs or exposing the API broadly increases vulnerability to attacks. Disabling monitoring eliminates security visibility. Layered defenses at the API gateway enhance overall function protection.