Hey! I recently presented a talk at BSides Yerevan 2025 about how to attack and defend your AWS Lambda serverless functions. This was my first time attending a conference as a speaker, and I am proud to be part of the invited speakers pool. Many thanks to CyHub Armenia!
I would like to share the slides and the demonstration I showed during my presentation. Don't forget to credit me when using parts of my materials👀
Slides
You can download the slides here or watch them in the widget below:
Demo screencast
Short summary of the talk📝
Main presentation🎥
- Introduction and “whoami”
- Covering AWS Lambda basics and key serverless advantages: cost, scalability, low ops
- Reviewing the Lambda structure: the init and handler phases
- Introduction to NIST 830-based security assessment
- Highlighting key Lambda risks: RCE backdoors, environment variable leaks, SSRF, fork bombs
- Explaining fork bombs and potential billing impacts
- Sharing mitigation strategies: input validation, role separation, logging and billing alarms
Vulnerability demos🔍
- Showing command injection via unsanitized inputs
- Demonstrating an SSRF/LFI exploit targeting internal AWS resources
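To make the command injection demo and the input validation mitigation concrete, here is an added example (not code from the talk or its demo): a deliberately vulnerable command builder beside a hardened Lambda handler. The handler name, the `host` event field, the `ping` use case and the sample events are my assumptions for illustration.

```python
import json
import re
import subprocess

# Constructed sample events in the shape a Lambda invocation passes to the handler.
BENIGN_EVENT = {"host": "example.com"}
HOSTILE_EVENT = {"host": "example.com; echo INJECTED"}  # constructed: contains shell metacharacters

# Hostname allowlist: letters, digits, dots and hyphens only, and it may not start
# with "-" so the value can never be parsed as an extra flag by the invoked tool.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def build_command_vulnerable(host):
    """Deliberately vulnerable: the untrusted value is pasted into a shell string.

    Running this with subprocess.run(cmd, shell=True) lets ';', '|', '$(...)' and
    similar characters in `host` execute as additional commands in the Lambda sandbox.
    """
    return f"ping -c 1 {host}"


def validate_host(host):
    """Reject anything that is not a plain hostname; raise instead of trying to 'clean' it."""
    if not isinstance(host, str) or not HOST_RE.match(host):
        raise ValueError("invalid host")
    return host


def build_command_hardened(host):
    """Hardened form: the validated value goes into an argv list, so no shell ever parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def hardened_handler(event, context=None):
    """Assumed Lambda entry point: validates input and logs rejections as JSON (stdout -> CloudWatch)."""
    try:
        argv = build_command_hardened(event.get("host"))
    except ValueError:
        # Structured log line that a metric filter or detection rule can key on.
        print(json.dumps({"level": "WARN", "event": "input_rejected",
                          "field": "host", "value": repr(event.get("host"))[:64]}))
        return {"statusCode": 400, "body": "invalid host"}
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return {"statusCode": 200, "body": proc.stdout[-1024:]}


if __name__ == "__main__":
    print("vulnerable shell string:", build_command_vulnerable(HOSTILE_EVENT["host"]))
    print("hardened argv:", build_command_hardened(BENIGN_EVENT["host"]))
    print("hardened handler on hostile event:", hardened_handler(HOSTILE_EVENT))
```

The two changes that matter are refusing the input rather than sanitizing it, and never letting a shell parse it (argv list, no `shell=True`). The leading-hyphen check is the caveat people miss: even with an argv list, a value like `-c` would otherwise be read by the tool as a flag. The structured rejection log is what the talk's logging and alarm advice builds on, since a spike of `input_rejected` lines is an easy signal to alert on.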
Inspiration✨
My talk was mainly inspired by the great research on key AWS Lambda risks by Rami McCarthy. Definitely check out his wiki and also his blog! I covered only some of the risks from his list in my presentation.