Security layers for AWS Lambda

Application Security provides runtime protection for serverless functions from within the function itself: a security layer is added to the Lambda function's configuration and runs alongside the function code. As a result, both the function code and the third-party packages it depends on are automatically protected.

AWS Lambda provides two ways to package and deploy the serverless functions:

  • functions packaged as a .zip archive
  • functions packaged as a container image

Application Security provides security solutions for both packaging options.

Protect functions packaged as archive

When a Lambda function is packaged as a .zip archive, runtime protection is enabled by adding the Application Security layer to the function's configuration. The layer contains the security algorithms that protect the function.

Previous releases of the Application Security layers for Python and Node.js included two versions:

  • custom runtime
  • bare layer

These two versions are replaced by a single protection layer built on AWS Lambda extensions. The new protection layer keeps the benefit of the custom runtime (no code change to the function is required) and is much smaller than the custom runtime. The previous custom runtimes and bare layers are deprecated; only the new protection layers will be updated going forward.

AWS Lambda allows layers to be configured on a Lambda function. All configured layers are extracted into the /opt directory of the function's execution environment. A function can have at most 5 layers, and the function's deployment package plus all of its layers may not exceed 250 MB (uncompressed). This limit applies regardless of whether you use an official AWS runtime or a custom runtime. The Application Security layer is about 30 MB, so budget for it when sizing the function package and any other layers.
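As an added example (not part of this page and not the product's own tooling), the following Python script checks a proposed layer configuration against the two quotas above before deployment and prints the AWS CLI command that attaches the layers. The layer name AppSecLayer, the account ID, the function name and the in-memory archives are constructed placeholders; the real layer ARN comes from the product documentation.

```python
import io
import re
import shlex
import zipfile

# Lambda quotas cited in the text above (check the current AWS service quotas
# before relying on these numbers).
MAX_LAYERS_PER_FUNCTION = 5
MAX_UNZIPPED_BYTES = 250 * 1024 * 1024  # function package plus all layers, uncompressed

# Layer version ARN: arn:<partition>:lambda:<region>:<12-digit account>:layer:<name>:<version>
LAYER_ARN_RE = re.compile(
    r"^arn:aws(?:-[a-z]+)?:lambda:[a-z0-9-]+:\d{12}:layer:[A-Za-z0-9_-]+:\d+$"
)


def unzipped_size(archive: bytes) -> int:
    """Sum of the uncompressed sizes of all entries in a .zip archive.

    The 250 MB quota counts this figure, not the size of the .zip itself,
    so a small but highly compressible archive can still exceed the limit."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sum(info.file_size for info in zf.infolist())


def check_sizes(function_unzipped: int, layer_unzipped: list[int]) -> list[str]:
    """Quota violations for the given uncompressed sizes (empty list = deployable)."""
    problems = []
    if len(layer_unzipped) > MAX_LAYERS_PER_FUNCTION:
        problems.append(
            f"{len(layer_unzipped)} layers configured; maximum is {MAX_LAYERS_PER_FUNCTION}"
        )
    total = function_unzipped + sum(layer_unzipped)
    if total > MAX_UNZIPPED_BYTES:
        problems.append(
            f"uncompressed total {total} bytes exceeds {MAX_UNZIPPED_BYTES} bytes"
        )
    return problems


def check_layer_config(function_zip: bytes, layers: dict[str, bytes]) -> list[str]:
    """Validate layer ARNs and sizes for a function package plus its layer archives."""
    problems = [f"not a layer version ARN: {arn}" for arn in layers if not LAYER_ARN_RE.match(arn)]
    problems += check_sizes(unzipped_size(function_zip), [unzipped_size(a) for a in layers.values()])
    return problems


def update_command(function_name: str, layer_arns: list[str]) -> str:
    """AWS CLI call that attaches the layers. --layers REPLACES the function's
    whole layer list, so every layer that should stay attached must be listed."""
    return (
        "aws lambda update-function-configuration"
        f" --function-name {shlex.quote(function_name)}"
        " --layers " + " ".join(shlex.quote(a) for a in layer_arns)
    )


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory .zip (constructed input so the example runs offline)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholders: a tiny handler package and a stand-in protection layer.
    function_zip = make_zip({"handler.py": b"def handler(event, context):\n    return 'ok'\n"})
    layer_zip = make_zip({"python/appsec/__init__.py": b"# hooks installed at import time\n"})
    layer_arn = "arn:aws:lambda:us-east-1:123456789012:layer:AppSecLayer:3"  # hypothetical ARN

    problems = check_layer_config(function_zip, {layer_arn: layer_zip})
    if problems:
        raise SystemExit("\n".join(problems))
    print(update_command("orders-api", [layer_arn]))
```

Run the script against the real function package and the downloaded layer archive before calling the CLI; the size check uses the uncompressed entry sizes because that is what Lambda measures against the 250 MB quota.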

Please refer to Use Application Security layer to protect AWS Lambda functions for detailed procedures.