Serverless Security Pitfalls: A 2025 Checklist

15/1/2025
7-minute read

As serverless adoption continues to accelerate in 2025, the security challenges unique to this paradigm have evolved significantly. While serverless architectures eliminate many traditional infrastructure concerns, they introduce specialized attack vectors that require focused attention. This checklist addresses the most critical security pitfalls across AWS Lambda, Azure Functions, and Google Cloud Functions, providing practical strategies to protect your serverless deployments.

The Shared Responsibility Shift

In serverless environments, the shared responsibility model shifts dramatically. Cloud providers manage the underlying infrastructure, but developers remain responsible for:

Responsibility Area	Developer’s Role
Application Logic	Ensuring code security and integrity
Function Configuration	Setting appropriate permissions, timeouts, and memory
Identity & Access Management	Implementing least privilege access
Data Handling	Encrypting sensitive data and managing secrets
Dependency Management	Using trusted, updated libraries
Event Source Security	Validating and sanitizing inputs

This shift demands a security-first mindset that many teams are still adapting to.

Critical Pitfall #1: Over-Privileged Function Permissions

Perhaps the most common and dangerous mistake in serverless security is granting excessive permissions to functions.

Common Anti-Patterns:

Using wildcard permissions (*) in IAM roles
Reusing the same role across multiple functions
Assigning administrator-level permissions for development convenience
Neglecting to regularly audit and prune permissions

Cross-Platform Mitigation Strategies:

AWS Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::my-specific-bucket/specific-prefix/*"
        }
    ]
}

Azure Functions:

{
    "bindings": [
        {
            "name": "blobItem",
            "type": "blobTrigger",
            "direction": "in",
            "path": "specific-container/{name}",
            "connection": "STORAGE_ACCOUNT_CONNECTION"
        }
    ]
}

Google Cloud Functions:

service: my-function
runtime: nodejs18

service_account: specific-function@my-project.iam.gserviceaccount.com

Implement automated policy analysis with tools like AWS IAM Access Analyzer, Azure Policy, or Google’s Policy Intelligence to identify and remediate over-permissive settings.

Critical Pitfall #2: Insufficient Event Validation

Serverless functions are often triggered by various event sources (HTTP requests, queue messages, database changes), each potentially containing malicious payloads.

Security Implementation:

Validate all inputs at the handler level:

// AWS Lambda Example
exports.handler = async (event) => {
    // Schema validation using a library like Joi or Ajv
    const schema = Joi.object({
        userId: Joi.string().uuid().required(),
        action: Joi.string().valid('read', 'write', 'delete').required(),
        data: Joi.object().required()
    });
    
    const { error, value } = schema.validate(event.body);
    if (error) {
        return {
            statusCode: 400,
            body: JSON.stringify({ error: 'Invalid input' })
        };
    }
    
    // Process validated input
    // ...
};

Implement rate limiting:

AWS: Use API Gateway usage plans and throttling
Azure: Configure rate limiting in Front Door or API Management
Google: Apply Cloud Armor rules for rate limiting

Consider Web Application Firewall (WAF) protection:

Each cloud provider offers WAF services that can be placed in front of serverless endpoints to protect against common attacks like SQL injection, XSS, and bot traffic.

Critical Pitfall #3: Dependency Vulnerabilities

With the average serverless function importing dozens of dependencies, the attack surface expands considerably. Supply chain attacks and vulnerability exploitation remain top concerns.

Risk Mitigation Approaches:

Implement automated dependency scanning:
- AWS: Use Amazon CodeGuru
- Azure: Integrate GitHub Advanced Security or Defender for Cloud
- Google: Utilize Artifact Analysis
Minimize dependency footprint:
- Use lightweight alternatives where possible
- Prune unused dependencies
- Consider bundling only used functions with tree-shaking
Create dependency update pipelines:

# GitHub Actions Example Workflow
name: Dependency Update

on:
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Mondays
  workflow_dispatch:

jobs:
  update-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Update dependencies
        run: npm update
      - name: Run security audit
        run: npm audit
      - name: Run tests
        run: npm test
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v4
        with:
          title: 'chore: update dependencies'
          branch: 'deps-update'

Critical Pitfall #4: Insecure Secret Management

Hard-coded secrets in serverless functions remain surprisingly common, despite the availability of robust secret management services.

Best Practices:

Use dedicated secret management services:
- AWS: Secrets Manager or Parameter Store
- Azure: Key Vault
- Google: Secret Manager
Implement secret rotation:

// AWS Lambda with Secrets Manager
const AWS = require('aws-sdk');
const secretsManager = new AWS.SecretsManager();

exports.handler = async (event) => {
    // Retrieve secret at runtime, not during initialization
    const secretData = await secretsManager.getSecretValue({
        SecretId: 'my-api-key'
    }).promise();
    
    const apiKey = JSON.parse(secretData.SecretString).key;
    
    // Use apiKey in your function logic
    // ...
};

Leverage environment variables for non-sensitive configuration:

# Azure Functions example
      - name: "MY_FUNCTION"
        value: "production"
      - name: "LOGGING_LEVEL"
        value: "warn"

Critical Pitfall #5: Cold Start Security Implications

Cold starts in serverless not only impact performance but also have security implications, particularly around secrets handling and initialization code.

Security Considerations:

Avoid performing sensitive operations during initialization:

// INSECURE pattern
const axios = require('axios');
const apiClient = axios.create({
    baseURL: 'https://api.example.com',
    headers: {
        'Authorization': `Bearer ${process.env.API_TOKEN}`
    }
});

// SECURE pattern
const axios = require('axios');
async function getApiClient() {
    return axios.create({
        baseURL: 'https://api.example.com',
        headers: {
            'Authorization': `Bearer ${await getToken()}`
        }
    });
}

async function getToken() {
    // Retrieve token from secure source
    // ...
}

Implement secure error handling for initialization failures:

# Google Cloud Function example
import functions_framework
from google.cloud import secretmanager
import traceback
import logging

# Initialize outside handler but handle exceptions properly
client = None
try:
    client = secretmanager.SecretManagerServiceClient()
except Exception as e:
    logging.error(f"Failed to initialize secret client: {str(e)}")
    # Don't leak detailed errors in logs
    pass

@functions_framework.http
def handler(request):
    try:
        # Check if initialization succeeded
        if not client:
            return ("Service unavailable", 503)
            
        # Function logic...
    except Exception as e:
        logging.error(f"Function error: {traceback.format_exc()}")
        return ("Internal error", 500)

Critical Pitfall #6: Insufficient Logging and Monitoring

Without proper observability, security incidents in serverless environments can go undetected for extended periods.

Implementation Strategy:

Log security-relevant events consistently:

// Structured logging example
const log = (level, message, data) => {
    console.log(JSON.stringify({
        timestamp: new Date().toISOString(),
        level,
        message,
        requestId: context.awsRequestId,
        functionName: context.functionName,
        ...data
    }));
};

exports.handler = async (event, context) => {
    try {
        log('info', 'Function invoked', { event: sanitizeEvent(event) });
        
        // Function logic...
        
        log('info', 'Function completed successfully', { result: 'success' });
    } catch (error) {
        log('error', 'Function execution failed', { 
            errorMessage: error.message,
            stackTrace: error.stack
        });
        throw error;
    }
};

// Remove sensitive data before logging
function sanitizeEvent(event) {
    const sanitized = {...event};
    if (sanitized.headers && sanitized.headers.Authorization) {
        sanitized.headers.Authorization = '[REDACTED]';
    }
    // Additional sanitization...
    return sanitized;
}

Set up anomaly detection:
- Establish baseline metrics for normal function behavior
- Alert on deviations in invocation patterns, error rates, or duration
- Monitor for suspicious access patterns or unusual data flows
Configure log retention and analysis:
- AWS: CloudWatch Logs Insights or send to security information and event management (SIEM)
- Azure: Log Analytics or Sentinel
- Google: Cloud Logging with Log Analytics

Critical Pitfall #7: Inadequate Data Protection

Data often passes through serverless functions in various states and formats, creating multiple points for potential exposure.

Protection Measures:

Encrypt data in transit and at rest:
- Enforce HTTPS/TLS for all API endpoints
- Use client-side encryption for sensitive data
- Implement field-level encryption for structured data
Implement data lifecycle policies:

# S3 Bucket configuration example
Resources:
  DataBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-sensitive-data-bucket
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
          - Id: DeleteAfter90Days
            Status: Enabled
            ExpirationInDays: 90

Validate data before storing or transmitting:
- Check data against expected formats
- Sanitize outputs to prevent data leakage
- Implement strict CORS policies for browser-accessible functions

Comprehensive Security Testing

A robust serverless security posture requires continuous testing across multiple dimensions:

Testing Type	Tools	Focus Areas
Static Analysis	Checkov, Semgrep, CFN-Lint	Infrastructure as Code, Function Code
Dynamic Testing	OWASP ZAP, Burp Suite	API endpoints, Input Handling
Dependency Scanning	OWASP Dependency Track, Snyk	Supply Chain Vulnerabilities
Penetration Testing	Custom scenarios	Real-world attack simulation
Compliance Scanning	Cloud provider native tools	Regulatory requirements

Conclusion

Serverless security in 2025 requires a holistic approach that addresses the unique characteristics of this architectural pattern. By focusing on these critical pitfalls and implementing the recommended mitigations, you can significantly improve your serverless security posture across AWS Lambda, Azure Functions, and Google Cloud Functions.

Remember that security is a continuous process—threats evolve, and your defenses must evolve with them. Regular review and updating of security practices are essential components of a mature serverless security program.