Serverless security: Understanding risks and best practices for modern cloud workloads

Serverless computing has redefined how organizations build and deploy applications. By abstracting infrastructure management, serverless platforms like AWS Lambda, Azure Functions, and Google Cloud Functions allow developers to focus purely on business logic. Serverless security involves securing the ephemeral, event-driven, and highly distributed architecture that powers these modern applications.

What is serverless security?

Serverless security refers to the set of practices, controls, and tools used to protect applications that run on serverless computing platforms. Unlike traditional security models that emphasize protecting infrastructure and servers, serverless security shifts the focus to code, event triggers, APIs, and permissions.

Since cloud providers are the ones who handle their own infrastructure, responsibilities such as patching the OS, network security, and scaling fall under the provider's domain (as per the shared responsibility model). However, each organization that uses serverless computing platforms remains fully responsible for securing:

• Application logic and runtime behavior: Developers must ensure their functions are free from vulnerabilities like injection attacks, insecure dependencies, or privilege escalation risks within the serverless runtime.
• Event sources and third-party integrations: Since serverless functions are triggered by events (e.g., API calls, message queues, cloud storage changes), organizations must validate inputs and secure all event pathways and integrations to avoid unintended execution or data leakage.
• Identity and access permissions: Role-based access control (RBAC) and the principle of least privilege (PoLP) are critical—each function and component must have only the permissions it needs, and nothing more, to reduce the attack surface.
• Data handling and compliance: Sensitive data must be encrypted in transit and at rest, and organizations need to ensure compliance with regulations like GDPR or HIPAA, even when using ephemeral serverless components.

Benefits of serverless architecture

Serverless architecture offers agility, cost efficiency, and operational simplicity. According to a report by Grand View Research, the serverless security market value is forecasted to reach $12.49 billion by 2030, at a CAGR of 30.8% from 2024. But these benefits also come with unique security considerations.

1. Reduced attack surface

Serverless functions are typically small, single-purpose, and ephemeral. They only run when triggered and shut down immediately after execution. Since they last only for a few seconds, it significantly reduces the window of opportunity for attackers and the number of exposed components compared to traditional, long-running servers. Consequently, this minimizes the overall attack surface, as attackers have insufficient time to establish a foothold or set up persistent backdoors.

2. Inherited security from cloud provider

In a serverless architecture, a significant portion of security responsibility shifts to the cloud provider (such as AWS, Azure, or GCP). The provider is responsible for securing the underlying infrastructure, operating system, virtualization layer, and scaling mechanisms. This offloads a substantial security burden from the user, allowing them to focus on application-level security.

3. Automated patching and updates

With serverless, you don't manage servers or their operating systems. The cloud provider automatically handles patching, updates, and vulnerability management for the underlying infrastructure. This not only ensures your environment is always running on the latest, most secure versions but also eliminates the manual overhead of scheduling, testing, and applying patches, reducing operational effort and the risk of exploitation from known vulnerabilities.

4. Cost and ROI efficiency

Serverless operates on a pay-per-execution model, meaning you only pay for the compute time used—not idle capacity. This model eliminates the need to provision or manage infrastructure upfront, enabling leaner development cycles and faster time-to-market. For CXOs, this translates into optimized cloud spending and measurable ROI, particularly for applications with unpredictable or highly variable workloads.

5. Scalability and resiliency

Serverless functions scale automatically in response to demand—whether it's ten users or ten thousand. The platform handles concurrency, fault tolerance, and regional redundancy natively. This ensures resilient, always-available digital services without the need for manual intervention, making it ideal for mission-critical or globally distributed applications.

Common challenges with serverless security

Despite its many advantages, serverless architecture introduces a unique set of security challenges that differ from traditional workloads.

1. Limited visibility and ephemeral nature

Serverless functions are stateless, event-driven, and often execute for just a few milliseconds. Their short lifespan makes it difficult to capture complete logs or trace anomalous behavior after execution. Traditional security tools that depend on persistent endpoints or agents fall short in this dynamic environment. For example, if an attacker injects malicious input during a brief function invocation, the activity might go undetected without centralized, real-time monitoring.

2. Over-privileged permissions

Serverless functions are often assigned overly broad identity and access management (IAM) roles out of convenience, which contradicts the PoLP. If a single function is compromised, excessive permissions could allow attackers to escalate privileges or access unrelated services. For instance, a function handling image uploads might also have permission to access sensitive customer data due to lax policy definitions, creating unnecessary risk.

3. Dependency and supply chain risks

Many serverless applications depend on open-source packages or external APIs. A vulnerable or malicious dependency can be exploited during runtime without being noticed, especially in the absence of rigorous dependency scanning. The rapid development cycles common in serverless environments can result in outdated libraries being deployed without regular checks, increasing exposure to known CVEs (Common Vulnerabilities and Exposures).

4. Inconsistent security coverage

Security tools built for virtual machines or containers often don’t support serverless runtimes natively. As a result, organizations experience gaps in runtime protection, configuration auditing, and compliance enforcement. This makes it challenging to implement consistent security policies across hybrid environments that include both serverless and traditional components.

5. Denial-of-wallet (DoW) attacks

Unlike traditional servers with fixed capacity, serverless functions scale automatically with demand. Malicious actors can exploit this elasticity by repeatedly triggering functions causing cloud costs to spike dramatically. These DoW attacks don't necessarily disrupt service availability but can result in significant financial impact by exhausting budget limits or quotas.

6. Secret management issues

Serverless functions often need access to credentials, API keys, or tokens to connect to databases, third-party services, or internal APIs. Poorly implemented secret management, such as hardcoding secrets in environment variables or source code can lead to credential leakage. If these secrets are not rotated regularly or managed via a secure vault (e.g., AWS Secrets Manager, HashiCorp Vault), they become a high-value target for attackers.

Best practices for implementing serverless security

To effectively secure serverless applications, CXOs must adopt a cloud-native, code-centric security mindset. The following best practices help address key areas of concern.

1. Embrace a security-first mindset (shift-left security)

Security must be embedded from the start, not as an afterthought. CXOs should champion a DevSecOps culture by integrating security tools like static application security testing (SAST), dynamic application security testing (DAST), and vulnerability scanning directly into CI/CD pipelines. This proactive approach ensures vulnerabilities are identified and remediated before deployment, saving significant time and resources. Furthermore, mandating security training for all development teams will foster a deep understanding of serverless-specific risks and secure coding practices.

2. Redefine "perimeter security" at the function level

Traditional network perimeter security is insufficient for serverless, as each function effectively becomes a potential entry point. CXOs must mandate the implementation of granular access controls, adhering strictly to the PoLP. This means ensuring functions only have the absolute minimum permissions required to perform their specific tasks, thereby minimizing the "blast radius" in case of a compromise. Additionally, some things are crucial to filter malicious requests, such as leveraging API gateways as the primary security buffer for inbound traffic to serverless functions, applying web application firewall (WAF) rules, rate limiting, and input validation.

3. Prioritize identity and access management (IAM) for functions

Weak IAM is a critical vulnerability in serverless environments due to the proliferation of distinct functions and their interactions. CXOs should enforce robust IAM policies for each function, clearly defining what resources it can access and what actions it can perform, avoiding broad, permissive roles. Utilizing cloud provider-native IAM solutions (e.g., AWS IAM, Entra ID (formerly Azure AD), Google Cloud IAM) and considering multi-factor authentication (MFA) for administrative access to serverless environments is vital, alongside regular audits of IAM policies to ensure they remain appropriate and secure.

4. Strengthen data protection across the serverless lifecycle

Serverless functions frequently interact with sensitive data, making protection of this data in transit and at rest paramount. CXOs must enforce encryption for all data, both at rest (e.g., in cloud storage like S3 buckets, databases) and in transit (e.g., using HTTPS for API calls). Implementing a dedicated secrets management solution (e.g., AWS Secrets Manager, HashiCorp Vault, Azure Key Vault) is also a non-negotiable step to store and manage sensitive credentials, API keys, and other secrets, effectively keeping them out of code and configurations.

5. Invest in comprehensive observability

The distributed and ephemeral nature of serverless functions can make visibility a significant challenge for traditional monitoring tools. CXOs should deploy specialized serverless monitoring and logging tools that provide deep, real-time visibility into function execution, performance, and security events, rather than relying solely on basic cloud provider logs. Integrating serverless logs with a security information and event management (SIEM) system is also crucial for centralized analysis, anomaly detection, and automated threat response, enabling the setup of effective alerts for unusual function behavior or unauthorized access attempts.

6. Understand and uphold the shared responsibility model

CXOs must ensure their teams clearly understand what security responsibilities lie with the cloud provider versus what remains with their organization. This involves educating teams on the nuances of the shared responsibility model: while cloud providers secure the "security of the cloud" (e.g., underlying infrastructure, physical security), your organization is responsible for "security in the cloud" (e.g., code, configurations, data, access management). Conducting regular reviews of cloud provider security features and integrating them effectively into your overall security strategy is key to a holistic security posture.

Serverless architectures offer agility, scalability, and operational simplicity—but without built-in security, they can also introduce hidden risks. By rethinking application security at the function level and aligning with cloud-native best practices, organizations can harness the full potential of serverless without compromising their security posture.

Security in a serverless world isn't about protecting servers; it's about securing code, events, identities, and integrations. When implemented with care, serverless security can offer robust protection while enabling faster innovation.