Security Considerations for AWS Lambda – AWS Security Fundamentals – SCS-C02 Study Guide

Security Considerations for AWS Lambda

Now that you have a general understanding of the AWS Lambda service, you can examine some of the security considerations to be aware of when using it:

  • Create one IAM execution role per Lambda function and do not reuse roles across functions. A dedicated role lets you scope each function's permissions to exactly the resources it needs (least privilege); a shared role accumulates the union of every function's permissions, so a compromise of any one function exposes them all.
  • Never expose a Lambda function directly to the internet. When a function must be reachable by outside users or services, put Amazon API Gateway in front of it so that authentication (IAM, Cognito, or a Lambda authorizer), throttling, request validation, and AWS WAF filtering happen before the function is invoked.
  • Never store passwords or secrets in plaintext, whether as environment variables or hard-coded in the function. Lambda encrypts environment variables at rest, but any principal allowed to read the function configuration sees their values in plaintext. Store secrets in AWS Secrets Manager or Systems Manager Parameter Store (SecureString parameters) and retrieve them at runtime instead; both services encrypt with KMS and record every read in CloudTrail, so you can audit which principal accessed a secret and when.
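
The following is an added example for this study guide, not code from the guide or from AWS. It shows the last two points in working form: a Lambda handler that reads a database credential from Secrets Manager at runtime (caching it across warm invocations and refreshing it on a TTL so rotation is picked up), and the inline policy for that function's own execution role, which grants read access to exactly one secret. The secret name `prod/orders/db`, the `DB_SECRET_ID` variable, and the `FakeSecretsManager` stand-in used to run the code offline are all assumptions.

```python
"""Lambda handler that fetches a DB credential from AWS Secrets Manager at
runtime instead of a plaintext environment variable, plus the least-privilege
policy for the function's own execution role.

Added example for this study guide; not code from the guide or from AWS.
The secret name "prod/orders/db" and its JSON fields are assumptions.
"""

import json
import os
import time
from typing import Any, Callable, Dict

# Only the secret's *name* is configuration. Its value never appears in the
# environment, the deployment package, or the logs.
SECRET_ID = os.environ.get("DB_SECRET_ID", "prod/orders/db")  # assumed name
CACHE_TTL_SECONDS = 300

# Module scope survives across warm invocations of one execution environment,
# so a cached secret is reused instead of calling Secrets Manager every time.
SECRET_CACHE: Dict[str, Dict[str, Any]] = {}


def get_secret(secret_id: str, client: Any = None,
               now: Callable[[], float] = time.time) -> Dict[str, Any]:
    """Return the parsed JSON secret, calling Secrets Manager only on a cache
    miss or after CACHE_TTL_SECONDS (bounds staleness after rotation).

    `client` is injected so the function runs offline with a stand-in; inside
    Lambda it defaults to a real boto3 Secrets Manager client.
    """
    entry = SECRET_CACHE.get(secret_id)
    if entry is not None and now() < entry["expires"]:
        return entry["value"]
    if client is None:
        import boto3  # lazy import: the module loads without AWS credentials
        client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    SECRET_CACHE[secret_id] = {"value": value, "expires": now() + CACHE_TTL_SECONDS}
    return value


def handler(event: Dict[str, Any], context: Any, client: Any = None) -> Dict[str, Any]:
    """Lambda entry point. The credential is used to open the DB connection
    and is never echoed to the caller or written to the log."""
    creds = get_secret(SECRET_ID, client=client)
    print(f"loaded credentials from secret {SECRET_ID}")  # name only, no values
    return {"statusCode": 200, "body": json.dumps({"db_user": creds["username"]})}


def execution_role_policy(secret_arn: str) -> Dict[str, Any]:
    """Inline policy for THIS function's execution role: read one secret and
    nothing else. Every other function gets its own role and its own ARN.
    Secrets Manager ARNs end in a random suffix, so pass the full ARN (or a
    "name-*" pattern). Add kms:Decrypt on the key if the secret is encrypted
    with a customer-managed KMS key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOwnSecretOnly",
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret_arn,
        }],
    }


class FakeSecretsManager:
    """Constructed stand-in for boto3's Secrets Manager client (offline demo)."""

    def __init__(self, secret_string: str) -> None:
        self.secret_string = secret_string
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> Dict[str, str]:
        self.calls += 1
        return {"Name": SecretId, "SecretString": self.secret_string}


def demo() -> tuple:
    """Warm-invocation behaviour: two requests, one Secrets Manager call."""
    SECRET_CACHE.clear()
    fake = FakeSecretsManager('{"username": "orders_app", "password": "example-only"}')
    first = handler({}, None, client=fake)
    second = handler({}, None, client=fake)
    return fake.calls, json.loads(first["body"])["db_user"], second == first


if __name__ == "__main__":
    print(demo())  # (1, 'orders_app', True)
```

Inside Lambda you would omit the `client` argument and attach `execution_role_policy(...)` to the function's dedicated role. The TTL is the trade-off between Secrets Manager cost and how quickly a rotated credential takes effect; with a 300-second TTL and a secret whose rotation keeps the previous version valid for a grace period, the function never uses a dead credential.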

This look at AWS Lambda wraps up the overview of AWS compute services. Next, you will look at a networking service, Route 53.

Route 53

Route 53 is the global DNS service that AWS provides. It is one of the few AWS services that is not tied to a specific region. Route 53 also carries one of the strongest availability commitments in AWS: its service level agreement states that AWS will use commercially reasonable efforts to make Amazon Route 53 100% available.

The following three components of Route 53 are of foundational importance:

  • Registration (and management) of domain names
  • The DNS service
  • Health checks (and, subsequently, traffic routing) for your web application, based on whether its endpoint is functional, available, and reachable

This section will cover some of the basic information about the Route 53 service and especially any topics that would be relevant to know for the Security Specialty exam.

Knowing the Difference between a Domain and a Hosted Zone

The first distinction to understand is between a domain and a hosted zone. A domain is a name registered in the public DNS (through a registrar) that associates a person's or organization's unique name with numerically addressed internet resources. A hosted zone is the Route 53 container that holds the DNS records for a domain and its subdomains; it is the equivalent of a traditional zone file, a text mapping of resource names to their addresses and the record type under which each resource is published. Registering a domain and hosting its zone are separate operations: you can register a domain with Route 53 and host its zone elsewhere, or register it elsewhere and host the zone in Route 53 by pointing the registrar at the hosted zone's name servers.

A basic understanding of the Route 53 service is needed for the Security Specialty exam; however, mastery of the difference between a domain and a hosted zone is not something that will be tested.

Route 53 Health Checks

The Route 53 service lets you check the health of your applications and reroute their traffic to other endpoints (servers, or serverless services that expose an endpoint) according to the routing policy you configure. The health checkers connect from the published Route 53 health-check IP ranges, so the endpoint being checked must allow those ranges through its security groups or firewall. You can also see the recent status of each health check in the web console.
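
As an added example for this study guide (not code from the guide or from AWS), the following builds and creates a Route 53 health check with the settings that matter from a security standpoint: HTTPS with SNI so the check reaches the real certificate, the fully qualified domain name so the Host header matches the application, and a string match so a generic load-balancer 200 page does not count as healthy. The hostname, path and match string are assumed values, and `FakeRoute53` is a stand-in client so the code runs offline; the `boto3` call it wraps is the real `create_health_check` API.

```python
"""Build and create a Route 53 HTTPS string-match health check.

Added example for this study guide; not code from the guide or from AWS.
The hostname, path and search string are assumptions.
"""

import uuid
from typing import Any, Dict

VALID_INTERVALS = (10, 30)  # Route 53 accepts only these request intervals (s)


def https_health_check_config(fqdn: str, path: str = "/health",
                              search_string: str = "ok",
                              interval: int = 30,
                              failure_threshold: int = 3) -> Dict[str, Any]:
    """Return a HealthCheckConfig for an HTTPS check that must find
    `search_string` in the response body to count as healthy."""
    if interval not in VALID_INTERVALS:
        raise ValueError(f"RequestInterval must be one of {VALID_INTERVALS}")
    if not 1 <= failure_threshold <= 10:
        raise ValueError("FailureThreshold must be between 1 and 10")
    return {
        "Type": "HTTPS_STR_MATCH",
        "FullyQualifiedDomainName": fqdn,  # sent as the Host header
        "Port": 443,
        "ResourcePath": path,
        "SearchString": search_string,
        "EnableSNI": True,                  # required for name-based TLS hosts
        "RequestInterval": interval,
        "FailureThreshold": failure_threshold,
    }


def create_health_check(config: Dict[str, Any], client: Any = None) -> str:
    """Create the health check and return its ID. CallerReference makes a
    retried call idempotent instead of creating a duplicate check."""
    if client is None:
        import boto3  # lazy import: the module loads without AWS credentials
        client = boto3.client("route53")
    resp = client.create_health_check(CallerReference=str(uuid.uuid4()),
                                      HealthCheckConfig=config)
    return resp["HealthCheck"]["Id"]


class FakeRoute53:
    """Constructed stand-in for boto3's Route 53 client (offline demo)."""

    def __init__(self) -> None:
        self.last_config: Dict[str, Any] = {}

    def create_health_check(self, CallerReference: str,
                            HealthCheckConfig: Dict[str, Any]) -> Dict[str, Any]:
        self.last_config = HealthCheckConfig
        return {"HealthCheck": {"Id": "hc-example", "CallerReference": CallerReference}}


def demo() -> str:
    cfg = https_health_check_config("www.example.com", "/healthz", "orders-ok", interval=10)
    return create_health_check(cfg, client=FakeRoute53())


if __name__ == "__main__":
    print(demo())  # hc-example
```

Pair the check with a failover or weighted record set so that Route 53 stops answering with an endpoint once it fails `FailureThreshold` consecutive checks, and keep the health path cheap and free of internal detail, since it is reachable by anything that can reach the endpoint.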