Security viewpoint: AWS Lambda vs EKS

0

Hi All - My customer is planning to take AWS Lambda for internal board approval and he is asking me to share a security viewpoint: EKS vs Lambda. Do we have any documentation/references on this topic? I did share some pointers but they are looking for more.

Serverless
  • Control what service/API can invoke Lambda using resource policy.
  • Control what service Lambda can invoke using IAM Role.
  • Multiple AuthN/Z methods with API Gateway.
  • Same security group:subnet combo reuse same ENI (IP).
  • FedRAMP (high) compliance.

2 Answers
0

I would start with Lambda Security Resources in general:

What specifically are you looking for from EKS perspective in comparison ?

AWS
Roly
answered a year ago
  • Here are some of the differences I gathered

    1. Isolated environment. The Lambda runtime uses micro-VMs and not containers, so the runtime environment is sandboxed into its own VM with security around that. Even Lambda w/ containers creates a runtime by converting containers to the Lambda runtime. (Lambda previously used EC2 instances; now it uses micro-VMs (Firecracker), lightweight VMs, but similar to the EC2 segregation environment.)
    2. Compliance. Not only FedRAMP: SOC2, all checked. See https://aws.amazon.com/compliance/services-in-scope/ for Lambda.
    3. Same security group:subnet combo reuses the same ENI (IP). This is a good thing, otherwise the VPC will run out of IP addresses. It is just a network path; the actual security of Lambda should be in the Invoke API (resource policy).
    4. Lambda doesn't allow incoming connections. Lambda does not accept incoming internet connections, as you set how it is triggered. Much less work in securing from internet threats!
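The question's first bullet and point 3 above both put Lambda's invocation control in the resource-based policy. As an added example (not code from the thread or from AWS), here is a small Python check over a constructed resource policy that flags invoke grants open to any principal, or to a service principal with no aws:SourceArn/aws:SourceAccount scoping; the function name, ARNs and account id are made up.

```python
import json

# Constructed sample Lambda resource-based policy (not from the original thread).
# "ApiGatewayOnly" is scoped to one API stage via aws:SourceArn; "TooBroad"
# lets any AWS principal call the function.
SAMPLE_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ApiGatewayOnly",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/*/orders"}},
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
        },
    ],
}

INVOKE_ACTIONS = {"*", "lambda:*", "lambda:InvokeFunction", "lambda:InvokeFunctionUrl"}
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out


def audit_resource_policy(policy):
    """Return Sids of Allow statements that grant invoke to '*' or to a service
    principal without a source/account condition (confused-deputy exposure)."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not INVOKE_ACTIONS & set(actions):
            continue
        principals = _principals(stmt)
        risky = "*" in principals or any(p.endswith(".amazonaws.com") for p in principals)
        cond_keys = {k.lower() for c in stmt.get("Condition", {}).values() for k in c}
        if risky and not cond_keys & SCOPING_KEYS:
            findings.append(stmt.get("Sid", "<no-sid>"))
    return findings
```

The same check can be run on the output of `aws lambda get-policy`, whose `Policy` field is the JSON document as a string.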
0

This is a tough question since they are both compute resources but have very different target cases.

From the Lambda product page:

AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.

This is simply stating that you don't need to worry about any of the OS or security patching in the background, though if you have code with security vulnerabilities or bad practices, then it is still likely to be exploited.

And the EKS Product Page explains that the service is a managed Kubernetes platform. This is to say it's only as secure as you make it since it's easy to leave significant security gaps in your cluster or the app code running in the cluster.

I would take a look at the following resources:
  • AWS Shared Responsibility Model
  • AWS Lambda Security Documentation
  • AWS EKS Security Documentation

Finally, the answer to this really depends on your use case. Focus on what problem you are trying to solve and then secure that solution.

answered a year ago
