Lambda Runtime Security Policy

[willfarrell]

With all of the supply chain attacks happening these days, I was recently reminded about @puresec/function-shield which existed pre node v12 (It was even part of middy for a while). It allowed the blocking of outbound connections, read/write to tmp, access to source code, and running of child processes. Currently I run all of my lambdas within private subnets with VPC Endpoints to prevent any outbound traffic. It is possible to whitelist domain using AWS Network Firewall, but it's super expensive for just for a couple of lambdas. It would be nice if it was possible to harden the security of lambdas further and without additional complexity and trade offs.

Dream implementation:

• whitelist urls (with path)
• whitelist folders/files that can be written to using fs (this includes chmod, unset, rm, etc)
• whitelist folders/files that can be read using fs, after runtime has been started.
• prevent the use of child_process to run code
• prevent the use of string interpreters like eval, Function, vm, execScript, etc

Not sure if this is better suited for the lambda team or the nodejs community as a whole. I'm sure others are talking about this, but I haven't heard of any movement in this area in years.

Ref:

• npm package https://www.npmjs.com/package/@puresec/function-shield
• npm package docs https://github.com/puresec/FunctionShield
• middy middleware docs https://github.com/middyjs/middy/tree/1.x/packages/function-shield
• recent video on lambda security https://www.youtube.com/watch?v=cDj5j1qOVyw&t=1430s
• OWASP https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions
• Deno approach: https://deno.land/manual/getting_started/permissions
• capabilities approach https://josephg.com/blog/node-sandbox/
• https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/

cc @lmammino

[saragerion]

Thanks so much for opening this discussion.

Not sure if this is better suited for the lambda team or the nodejs community as a whole.

That's a fair observation and I am inclined to think as such, but I'd be keen to hear what other folks from the community think on this matter.

[willfarrell]

Seem Node.js has taken up the challenge.

https://nodejs.org/en/blog/announcements/v20-release-announce#permission-model