Attacking AWS Serverless Applications

Serverless applications function very differently from traditional ones, both when it comes to operation and the security measures they employ. The fact that serverless apps are structured as numerous small functions creates new opportunities for intruders to exploit the greater attack surface. This course will take both Red and Blue Team approaches to serverless security in AWS, so you’ll learn not just how to passively protect apps, but actively use attackers’ strategies against them.

This course on AWS Serverless App Security begins with a look at the top 10 vulnerabilities in serverless architectures, similar to the OWASP Top 10. In the Red Team section, you’ll learn how to exploit insecure applications using many of the most severe flaws found in serverless architectures.

The Blue Team approach will have us going through methods of securing serverless applications, including identity and access management, secrets management, and logging and monitoring functions. Finally, we’ll explore serverless vulnerability assessment for SAST, DAST and SCA, as well as CI/CD for serverless functions.

Every individual section in this course features extensive hands-on labs to showcase real-world scenarios and get you to practically try out everything you learn. Our material is a distillation of years of security testing experience, knowledge, and original research across our entire team. Once you’ve completed this course, you’ll be able to take what you’ve learned here and implement it directly in a modern AWS serverless stack.

Proficiency: Intermediate
Audience: Cloud Security
Lessons: 22
Cloud Labs: 2
  • Serverless Introduction
    • Understanding Serverless and FaaS (Function-as-a-Service)
    • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options
  • Serverless Deep-Dive
    • Introduction to the Architecture of Serverless Deployments
    • Hands-on: Deploying a Serverless application
  • Attacking Serverless applications
    • Serverless Architectures Security Top 10 – A Project similar to OWASP Top 10 for Serverless Apps
  • Function Data Event Injection Attacks against FaaS Implementations
    • Hands-on Labs – Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
  • Broken Access Control
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws – tokens signed with the "none" algorithm, etc.
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
  • Other Serverless Attacks
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!
  • Securing Serverless applications
    • Identity and Access Management
    • Secret management
      • Hands-on Secrets Management with AWS Secret Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
  • Hands-on: Serverless Vulnerability Assessment
    • Static Code Analysis [SCA]
    • Static Application Security Testing [SAST]
  • Event Injection with XXE
  • Insecure Deserialization in Serverless Apps