AWS re:Invent 2025 - Implementing security best practices for serverless applications (CNS360)

Implementing Security Best Practices for Serverless Applications

Securing Serverless Application Architecture

  • Discussed a sample serverless application architecture for a fitness tracking app
  • Includes an API Gateway, Lambda functions, and a DynamoDB table
  • Highlighted key security considerations at each layer of the architecture

Account Boundaries and Separation of Concerns

  • Importance of creating separate accounts for development and production environments
  • Allows developers to move fast in a sandbox while maintaining strict controls in production

Encryption and Data Protection

  • Encrypting Lambda environment variables at rest with KMS (an AWS managed key by default, optionally a customer managed key)
  • Encrypting API Gateway stage caches
  • Encryption in transit is on by default: the API Gateway, Lambda and DynamoDB endpoints used here accept TLS only

Identity and Access Management (IAM)

  • Controlling both the control plane (calls to AWS service APIs, such as deploying or configuring a function) and the data plane (the requests the application itself handles)
  • AWS Organizations policies (SCPs) for organization-wide controls
  • Resource-based policies and execution roles for Lambda functions

Principle of Least Privilege

  • Scoping IAM policies to only the required actions
  • Using permission boundaries to limit developer access
  • Iteratively testing and verifying permissions rather than granting broad access up front
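The following is an added example, not code from the session: a check a team can run in CI to verify that a function's execution-role policy is actually least-privilege. The two policies are constructed samples for the fitness app's record-workout function, and the account ID and ARNs are placeholders. Besides flagging wildcards, it answers the iterative question "does this policy still let the function do X?" with a simplified evaluator that keeps IAM's explicit-deny-wins rule.

```python
"""Added example, not from the session: a CI check for least-privilege IAM
policies. Both policies are constructed samples for the fitness app's
record-workout function; the account ID and ARNs are placeholders."""
import fnmatch
import json

# The "make it work" policy a developer typically starts with.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
    ],
})

# The same function, scoped to the calls it actually makes.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/WorkoutsTable"
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
         "Resource": TABLE_ARN},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/record-workout:*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_insensitive):
    """IAM wildcard matching ('*' and '?'); action names are case-insensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def find_overly_broad_statements(policy_json):
    """Return (statement_index, reason) findings for Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append((idx, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource '*'"))
    return findings


def policy_allows(policy_json, action, resource):
    """Check whether the identity policy permits `action` on `resource`.

    Simplified evaluator: no Condition, NotAction or NotResource handling, but it
    keeps IAM's rule that an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed
```

Run `find_overly_broad_statements` over every policy in the deployment template and fail the build on any finding; use `policy_allows` in unit tests to pin down what the function must and must not be able to do (for example, that the scoped policy no longer permits `dynamodb:DeleteTable`).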

Securing API Integrations

  • Using Secrets Manager to securely store database credentials
  • Avoiding hardcoding secrets in application code
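As an added example (not code from the session), the pattern the two bullets above describe: the function reads the database credential from Secrets Manager at cold start and caches it across warm invocations, with a TTL so rotated credentials are picked up. The secret name, field names and the `FakeSecretsManager` stand-in are assumptions made so the block runs offline; in Lambda the real `boto3` client is used.

```python
"""Added example, not from the session: read the database credential from
Secrets Manager at cold start and cache it in the execution environment, rather
than hard-coding it or placing it in an environment variable. The secret's name
(a placeholder) comes from configuration; the secret value itself never does."""
import json
import os
import time

# What not to do, kept as a comment: a literal credential in code ends up in the
# deployment package, in version control and in any log that dumps the module.
#   DB_PASSWORD = "hunter2"

SECRET_ID = os.environ.get("DB_SECRET_ARN", "fitness/db-credentials")  # name or ARN, never the value
CACHE_TTL_SECONDS = 300   # re-read periodically so rotated credentials are picked up
_CACHE = {}               # secret_id -> (expires_at, parsed_value); survives warm invocations


def _default_client():
    import boto3   # imported lazily so the module loads without boto3 outside Lambda
    return boto3.client("secretsmanager")


def get_secret(secret_id, client=None, now=None):
    """Return the secret as a dict, served from the cache while it is fresh.

    `client` needs only a Secrets Manager-compatible get_secret_value(); the
    real boto3 client is used when none is injected."""
    now = time.time() if now is None else now
    cached = _CACHE.get(secret_id)
    if cached and cached[0] > now:
        return cached[1]
    resp = (client or _default_client()).get_secret_value(SecretId=secret_id)
    raw = resp.get("SecretString") or resp["SecretBinary"].decode()  # either field may be set
    value = json.loads(raw)
    _CACHE[secret_id] = (now + CACHE_TTL_SECONDS, value)
    return value


def build_db_connection_args(secret_id=SECRET_ID, client=None, now=None):
    """Map the RDS-style secret JSON to driver connection arguments (never log these)."""
    s = get_secret(secret_id, client=client, now=now)
    return {"host": s["host"], "port": int(s.get("port", 5432)),
            "user": s["username"], "password": s["password"], "dbname": s["dbname"]}


def lambda_handler(event, context=None):
    conn_args = build_db_connection_args()
    # connect with your driver here, e.g. psycopg2.connect(**conn_args)
    return {"statusCode": 200, "body": json.dumps({"ok": True})}


class FakeSecretsManager:
    """Constructed stand-in for boto3's client so the example runs offline."""
    def __init__(self, secrets):
        self.secrets, self.calls = secrets, 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secrets[SecretId])}
```

The execution role then needs only `secretsmanager:GetSecretValue` on that one secret's ARN (plus `kms:Decrypt` on its key if a customer managed key encrypts it), which is a far smaller blast radius than a credential readable by anyone who can view the function configuration.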

Securing the Development Lifecycle

  • Scanning function code and its dependencies for vulnerabilities with tools such as Amazon Inspector
  • Detecting anomalous runtime behaviour with Amazon GuardDuty
  • Validating inbound event payloads against a schema with Powertools for AWS Lambda
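An added example, not from the session, of the payload validation the last bullet refers to. Powertools for AWS Lambda does this with its validation utility against a JSON Schema; the block below implements just the subset of JSON Schema it uses so that it runs without the library, and applies it to a constructed API Gateway proxy event for the fitness app's record-workout endpoint. The schema and field names are assumptions.

```python
"""Added example, not from the session: validate an API Gateway proxy event body
before any business logic runs. Implements the JSON Schema subset used by the
constructed WORKOUT_SCHEMA (type, required, enum, additionalProperties,
minimum/maximum, maxLength) with the standard library only."""
import json

WORKOUT_SCHEMA = {   # constructed schema for the fitness app's record-workout endpoint
    "type": "object",
    "required": ["activity", "durationMinutes"],
    "additionalProperties": False,   # rejects unexpected fields such as a client-supplied userId
    "properties": {
        "activity": {"type": "string", "enum": ["run", "ride", "swim"]},
        "durationMinutes": {"type": "integer", "minimum": 1, "maximum": 1440},
        "notes": {"type": "string", "maxLength": 280},
    },
}

_TYPES = {"object": dict, "string": str, "integer": int, "number": (int, float),
          "boolean": bool, "array": list}


class ValidationError(ValueError):
    pass


def validate(instance, schema, path="$"):
    """Raise ValidationError on the first violation; return the instance otherwise."""
    expected = schema.get("type")
    if expected:
        # bool is a subclass of int in Python; JSON Schema treats them as distinct types
        if isinstance(instance, bool) and expected in ("integer", "number"):
            raise ValidationError(f"{path}: expected {expected}, got boolean")
        if not isinstance(instance, _TYPES[expected]):
            raise ValidationError(f"{path}: expected {expected}")
    if "enum" in schema and instance not in schema["enum"]:
        raise ValidationError(f"{path}: not one of {schema['enum']}")
    if isinstance(instance, str) and len(instance) > schema.get("maxLength", float("inf")):
        raise ValidationError(f"{path}: longer than {schema['maxLength']} characters")
    if isinstance(instance, (int, float)) and not isinstance(instance, bool):
        if not schema.get("minimum", float("-inf")) <= instance <= schema.get("maximum", float("inf")):
            raise ValidationError(f"{path}: out of range")
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                raise ValidationError(f"{path}.{key}: required")
        props = schema.get("properties", {})
        for key, value in instance.items():
            if key in props:
                validate(value, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                raise ValidationError(f"{path}.{key}: unexpected property")
    return instance


def parse_and_validate_body(event, schema, max_bytes=4096):
    """Size-limit, parse and validate the body of an API Gateway proxy event."""
    if event.get("isBase64Encoded"):
        raise ValidationError("binary bodies are not accepted")
    body = event.get("body") or ""
    if len(body.encode()) > max_bytes:
        raise ValidationError("body too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed JSON: {exc.msg}") from None
    return validate(data, schema)


def lambda_handler(event, context=None):
    try:
        workout = parse_and_validate_body(event, WORKOUT_SCHEMA)
    except ValidationError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    # business logic runs only on a payload of known shape
    return {"statusCode": 201, "body": json.dumps({"stored": workout})}
```

The `additionalProperties: False` rule is the security-relevant part: it closes the mass-assignment hole where a client adds a field (here `userId`) that the handler later copies into the DynamoDB item. Powertools' `validate()` applies the same schema semantics with a full JSON Schema implementation, so the schema above can be reused unchanged with it.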

Protecting API Endpoints

  • Using AWS WAF to protect API Gateway endpoints based on IP, geography, or third-party rulesets
  • Using private API endpoints reachable only from within a VPC for additional isolation

Identity-Aware Serverless Applications

  • Importance of user authentication and authorization in serverless apps
  • Walkthrough of the OAuth 2.0 authorization code grant (for end users) and client credentials grant (for machine-to-machine calls)
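To make the two grants concrete, here is an added example (not from the session) that plays both sides of each exchange: the client builds the requests, and a constructed in-memory `AuthServer` performs the checks a real authorization server such as Cognito makes before issuing a token. The authorization code grant uses PKCE (RFC 7636), which is what a public client must use. All URLs, client IDs and secrets are placeholders.

```python
"""Added example, not from the session: the two OAuth 2.0 grants discussed,
reduced to the messages each side exchanges. `AuthServer` is a constructed
in-memory stand-in for an authorization server such as Cognito, kept only to
show what it must check; all URLs, client IDs and secrets are placeholders."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- Client side: authorization code grant with PKCE (RFC 7636) ----
def make_pkce_pair():
    verifier = _b64url(secrets.token_bytes(32))                      # kept secret by the client
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())  # sent in the first request
    return verifier, challenge


def build_authorize_url(endpoint, client_id, redirect_uri, scope, challenge, state):
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{endpoint}?{urlencode(params)}"


def basic_auth_header(client_id, client_secret):
    """Client credentials grant: the client authenticates itself; no user is involved."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


# ---- Authorization server side (constructed stand-in) ----
class AuthServer:
    def __init__(self, clients):
        self.clients = clients   # client_id -> {"redirect_uris": [...], "secret": str or None}
        self.codes = {}          # issued authorization codes, single use

    def authorize(self, url, authenticated_user):
        """/authorize after login: bind a code to the client, redirect URI and PKCE challenge."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = self.clients[q["client_id"]]
        if q["redirect_uri"] not in client["redirect_uris"]:   # exact match, never prefix matching
            raise PermissionError("invalid_request: redirect_uri not registered")
        if q.get("code_challenge_method") != "S256":
            raise PermissionError("invalid_request: PKCE S256 required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "challenge": q["code_challenge"], "user": authenticated_user,
                            "expires": time.time() + 60}
        return {"code": code, "state": q["state"]}   # delivered to the client via the redirect

    def token(self, form, basic_auth=None):
        """/token endpoint for both grants."""
        if form.get("grant_type") == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)   # a code can be redeemed once
            if rec is None or rec["expires"] < time.time():
                raise PermissionError("invalid_grant")
            if rec["client_id"] != form.get("client_id") or rec["redirect_uri"] != form.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
            if not secrets.compare_digest(expected, rec["challenge"]):   # same client that started the flow
                raise PermissionError("invalid_grant")
            return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": rec["user"]}
        if form.get("grant_type") == "client_credentials":
            decoded = base64.b64decode((basic_auth or "Basic ").split(" ", 1)[1]).decode()
            client_id, _, client_secret = decoded.partition(":")
            stored = self.clients.get(client_id, {}).get("secret")
            if stored is None or not secrets.compare_digest(stored, client_secret):
                raise PermissionError("invalid_client")   # unknown, public or wrong-secret client
            return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": client_id}
        raise ValueError("unsupported_grant_type")


def token_request_fails(server, form, basic_auth=None):
    """True when the server refuses the token request (used by the checks below)."""
    try:
        server.token(form, basic_auth)
    except PermissionError:
        return True
    return False
```

The checks in `token()` are the ones that matter in practice: the code is single use and short-lived, it is bound to the client and redirect URI it was issued for, and the PKCE verifier proves the party redeeming it is the party that started the flow, so an intercepted code is useless on its own. A public client (the web app, with no secret) cannot use the client credentials grant at all.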

Leveraging Amazon Cognito for Identity Management

  • Using Cognito user pools to manage user identities and issue ID and access tokens
  • Integrating Cognito with API Gateway so the gateway validates the token before the request reaches a function

Implementing Fine-Grained Permissions with AWS Verified Permissions

  • Defining granular permissions in the open-source Cedar policy language and storing them in a Verified Permissions policy store
  • Configuring API Gateway to use a Lambda authorizer that calls Verified Permissions to evaluate each request against those policies
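An added example, not from the session, covering both the Cognito and the Verified Permissions sections above: a REQUEST-type Lambda authorizer for a REST API that first checks the claims of a Cognito access token and then asks Verified Permissions for a decision, returning the policy document API Gateway expects. Signature verification is delegated to the `verify_jwt` callable (in production, PyJWT or python-jose against the user pool's JWKS); the decoder used in the test only parses the token. The pool, app client and policy store IDs, the Cedar entity names and the `FakeVerifiedPermissions` stand-in are assumptions.

```python
"""Added example, not from the session: a REQUEST-type Lambda authorizer that
(1) checks Cognito access-token claims and (2) asks Verified Permissions whether
the caller may perform the action, then returns the API Gateway policy document.
Signature verification is delegated to `verify_jwt`; IDs are placeholders."""
import base64
import json
import time

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"           # placeholder
APP_CLIENT_ID = "1example23456789"           # placeholder
POLICY_STORE_ID = "PSEXAMPLEabcdefghijklmn"  # placeholder
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Cedar policy the store is assumed to hold (evaluated by Verified Permissions, not here):
#   permit (principal in FitnessApp::UserGroup::"members",
#           action in [FitnessApp::Action::"ViewWorkout", FitnessApp::Action::"RecordWorkout"],
#           resource);
ACTION_FOR_METHOD = {"GET": "ViewWorkout", "POST": "RecordWorkout"}


def check_cognito_claims(claims, now=None):
    """Reject tokens that are validly signed but are not the token this API accepts."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("Unauthorized")   # token from another pool or issuer
    if claims.get("token_use") != "access":
        raise PermissionError("Unauthorized")   # an ID token is not an access token
    if claims.get("client_id") != APP_CLIENT_ID:
        raise PermissionError("Unauthorized")   # access tokens carry client_id, not aud
    if claims.get("exp", 0) <= now:
        raise PermissionError("Unauthorized")
    return claims


def _policy_document(principal_id, method_arn, allow):
    effect = "Allow" if allow else "Deny"
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect, "Resource": method_arn}]},
            "context": {"decision": effect.upper()}}


def authorize(event, avp_client, verify_jwt, now=None):
    """Authorizer entry point; in Lambda, avp_client = boto3.client('verifiedpermissions')."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        raise PermissionError("Unauthorized")   # API Gateway maps this message to a 401
    claims = check_cognito_claims(verify_jwt(auth.split(" ", 1)[1]), now=now)

    action_id = ACTION_FOR_METHOD.get(event.get("httpMethod"))
    if action_id is None:
        raise PermissionError("Unauthorized")
    workout_id = (event.get("pathParameters") or {}).get("workoutId", "")
    resp = avp_client.is_authorized(
        policyStoreId=POLICY_STORE_ID,
        principal={"entityType": "FitnessApp::User", "entityId": claims["sub"]},
        action={"actionType": "FitnessApp::Action", "actionId": action_id},
        resource={"entityType": "FitnessApp::Workout", "entityId": workout_id},
        # Group membership from the token becomes the principal's parents for Cedar's `in`.
        entities={"entityList": [{
            "identifier": {"entityType": "FitnessApp::User", "entityId": claims["sub"]},
            "parents": [{"entityType": "FitnessApp::UserGroup", "entityId": g}
                        for g in claims.get("cognito:groups", [])]}]},
    )
    return _policy_document(claims["sub"], event["methodArn"], resp["decision"] == "ALLOW")


def authorizer_rejects(event, avp_client, verify_jwt, now=None):
    """True when the authorizer raises Unauthorized (used by the checks below)."""
    try:
        authorize(event, avp_client, verify_jwt, now=now)
    except PermissionError:
        return True
    return False


# ---- Constructed stand-ins so the example runs offline ----
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Test input only: a real Cognito token is RS256-signed."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature"


def decode_without_verification(token):
    """Test stand-in for verify_jwt; never use in production."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


class FakeVerifiedPermissions:
    """Records the IsAuthorized request and returns a fixed decision."""
    def __init__(self, decision):
        self.decision, self.last_request = decision, None

    def is_authorized(self, **request):
        self.last_request = request
        return {"decision": self.decision, "determiningPolicies": [], "errors": []}
```

Two points the claim checks guard against: an ID token presented as an access token (the `token_use` check) and a token minted by a different app client or user pool (the `client_id` and `iss` checks). Authentication and authorization stay separate: Cognito answers "who is this", Verified Permissions answers "may they do this", and the function code never contains the rules.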

Securing Agentic Serverless Applications

  • Extending the serverless fitness app to an agentic architecture
  • Using the Model Context Protocol (MCP) to connect the agent to the application's API endpoints
  • Applying OAuth 2.0 to both inbound authorization (who may call the MCP server) and outbound authorization (what the server may call downstream)

Key Takeaways

  • Implement the principle of least privilege for all IAM policies
  • Apply defense-in-depth by leveraging multiple security controls
  • Leverage the deep integrations between AWS services to automate security
  • Secure the entire development lifecycle, not just the runtime environment
  • Consider identity-aware and agentic architectures for advanced security requirements

Recommended Resources

  • AWS re:Invent sessions on serverless security and agentic applications
  • AWS documentation on security best practices for serverless
