AWS re:Invent 2025 - Implementing security best practices for serverless applications (CNS360)

Implementing Security Best Practices for Serverless Applications

Securing Serverless Application Architecture

• Discussed a sample serverless application architecture for a fitness tracking app
• Includes an API Gateway, Lambda functions, and a DynamoDB table
• Highlighted key security considerations at each layer of the architecture

Account Boundaries and Separation of Concerns

• Importance of creating separate accounts for development and production environments
• Allows developers to move fast in a sandbox while maintaining strict controls in production

Encryption and Data Protection

• Encryption of Lambda environment variables using KMS
• Encryption of API Gateway caches
• Encryption in transit enabled by default for all serverless services

Identity and Access Management (IAM)

• Controlling the control plane (API calls to AWS) and the data plane (application calls)
• AWS Organizations policies (SCPs) for organization-wide controls
• Resource-based policies and execution roles for Lambda functions

Principle of Least Privilege

• Scoping IAM policies to only the required actions
• Using permission boundaries to limit developer access
• Iterative approach to testing and verifying permissions

Securing API Integrations

• Using Secrets Manager to securely store database credentials
• Avoiding hardcoding secrets in application code

Securing the Development Lifecycle

• Analyzing source code for security vulnerabilities using tools like Amazon Inspector
• Detecting runtime anomalies using Amazon GuardDuty
• Validating event payloads using AWS Lambda Power Tools

Protecting API Endpoints

• Using AWS WAF to protect API Gateway endpoints based on IP, geography, or third-party rulesets
• Leveraging private API endpoints and VPC routing for additional security

Identity-Aware Serverless Applications

• Importance of user authentication and authorization in serverless apps
• Detailed overview of the OAuth 2.0 flow for code authorization and client credentials

Leveraging Amazon Cognito for Identity Management

• Using Cognito to manage user identities and issue access tokens
• Integrating Cognito with API Gateway for token validation

Implementing Fine-Grained Permissions with AWS Verified Permissions

• Using the open-source Cedar policy language to define granular permissions
• Configuring API Gateway to use a Lambda authorizer to validate requests against the permissions

Securing Agentic Serverless Applications

• Extending the serverless fitness app to use an agentic architecture
• Leveraging the Model Context Protocol (MCP) to integrate with various API endpoints
• Applying OAuth 2.0 flows for both inbound and outbound authorization

Key Takeaways

• Implement the principle of least privilege for all IAM policies
• Apply defense-in-depth by leveraging multiple security controls
• Leverage the deep integrations between AWS services to automate security
• Secure the entire development lifecycle, not just the runtime environment
• Consider identity-aware and agentic architectures for advanced security requirements

Recommended Resources

• AWS re:Invent sessions on serverless security and agentic applications
• AWS documentation on security best practices for serverless