Cloud Security

Unlocking a New Layer of Serverless Security with Sweet’s Sensor for AWS Lambda

Lea Edelstein

Head of Product

November 21, 2024

Share

Sweet is excited to expand its support into serverless environments, launching a new sensor for AWS Lambda, adding critical runtime context to Lambda native-cloud logs or misconfiguration.

With our new sensor for Lambda, Sweet empowers organizations to see what really happens within their serverless workloads with visibility into application-level activity, such as library misuse or inserting untrusted input into the code.

Integrated as part of Sweet’s comprehensive sensor suite, which spans cloud infrastructure, workloads, and applications across all major cloud providers, the Lambda sensor ensures unmatched visibility and protection for serverless environments.

In this blog, we explore why Sweet created this unique sensor for Lambda and how we solved major blind spots for our customers building and running serverless architectures.

Customer Use Case: A Real Lambda Attack

Recently, one of our customers experienced a potential breach attempt to their serverless environment, specifically targeting a Python Lambda function. The function was using the Pickle library for serialization, which, while a standard Python tool, is known to be vulnerable to remote code execution (RCE) when untrusted data is deserialized.

In this case, the attacker used Pickle to extract sensitive environment variables—including credentials—and sent them to an external IP. From there, they could have gained access to any resource the Lambda function was authorized to interact with, potentially compromising the entire environment.

Example of a malicious user input to a Lambda function.

Before integrating Sweet, the customer was relying on Lambda logs to protect its serverless environment. However, logs primarily focus on external events, which means unless the attacker triggered an explicit API call or generated log entries, their malicious activity would go undetected. When they tried to leverage their CSPM solution to identify what was going on, they were only able to see static configuration changes and were missing critical runtime behaviors insights, such as the misuse of Pickle.

However, Sweet’s Lambda Sensor was able to step in and resolve the issue immediately. Here’s how we helped:

  • Real-time detection: Sweet’s Lambda sensor identified the deserialization attempt through Pickle immediately and alerted the security team.
  • Connection blocking: The sensor flagged the unauthorized connection to an external IP and blocked it in real time, preventing any further data exfiltration.
  • Detailed insight: The security team received detailed insights into the exploit attempt, allowing them to further investigate and recover quickly.

This customer use case showcases the limitations of traditional serverless security and how it fails to detect runtime anomalies and attacks happening inside the Lambda function itself.

Diving Deeper into the Current Limitations of Serverless Security

Serverless environments like AWS Lambda are fast, dynamic, and ephemeral, making them powerful yet challenging to secure. While logs and static analysis for misconfigurations are important, they have inherent limitations:

1. Logs only tell part of the story

Logs track external events (e.g., API calls or connection-level activity) but cannot monitor what happens inside the function.

  • Example: Malicious code that’s injected during runtime may execute without leaving a trace in logs, especially if the activity doesn’t involve external resources.

2.Static misconfiguration detection is limited

Capturing misconfigurations like assigning overly permissive IAM roles or sensitive environment variables are important, but they’re blind to real-time behavior.

  • Example: Misconfiguration checks might confirm correct permissions but cannot detect if those permissions are actively being exploited by runtime vulnerabilities.

Sweet’s sensor for Lambda eliminates these blind spots by monitoring runtime activity directly within the function. It detects anomalies, unauthorized actions, and even blocks malicious activity.

How Sweet’s Sensor for Lambda Solved the Challenge of Securing Serverless Environments

Sweet’s sensor for Lambda integrates seamlessly into your runtime environment as a Lambda layer, offering low overhead and minimal footprint. The sensor works by actively monitoring the function’s runtime environment to detect and block suspicious activities in real time. These include:

Blocking / intercepting malicious behavior in real time: It identifies suspicious activity, such as spawning unauthorized processes or connecting to external IPs, and blocks them before harm is done.

  • Scenario: An attacker injects malicious code into a Lambda function, attempting to execute unauthorized processes.
  • Problem: Traditional tools relying on logs won’t detect the exploit unless it triggers an external event. Internal-only processes, such as file modifications or spawning subprocesses, remain invisible.
  • Solution: Sweet’s Lambda sensor identifies the rogue process and terminates it before it can cause damage, providing full runtime protection.


Analyzing runtime anomalies:
By observing system calls and internal interactions, it detects deviations from expected behavior.

  • Scenario: A function uses an open-source library that is vulnerable, allowing an attacker to execute remote code.
  • Problem: Logs and static analysis provide no visibility into how libraries are used at runtime. They cannot detect misuse or active exploitation.
  • Solution: Sweet’s Lambda sensor flags the vulnerability, preventing the attack and alerting the team for further investigation.

Each of these scenarios demonstrates how runtime visibility enables Sweet’s Lambda sensor to detect and prevent threats that traditional tools simply cannot.

A New Standard for Serverless Security

Sweet’s new sensor for Lambda represents a leap forward in serverless security. By providing real-time runtime visibility and proactive prevention, it ensures your serverless workloads are fully protected against threats that logs and static analysis alone cannot detect. Whether it’s blocking unauthorized connections, identifying runtime vulnerabilities, or preventing exploitation, Sweet delivers unmatched protection for your Lambda functions.

Combined with Sweet’s broader sensor suite, securing workloads and infrastructure across all major cloud providers, the Lambda sensor completes the picture of full-environment security. This integrated approach allows organizations to innovate confidently in the cloud without sacrificing security.

Ready to see Sweet’s Lambda sensor in action? Contact us today for a demo and experience the future of serverless security.

Share the Sweetness