Back to Resources

RSAC 2020 Defending Serverless Infrastructure in the Cloud


RSA 2020 (The Human Element), wrapped up in San Francisco last week. Our cloud security expert and principal SANS institute instructor, Eric Johnson was able to connect with industry leaders from around the world. The conference offered an opportunity to both learn and provide groundbreaking information on cloud security and serverless infrastructure.


RSAC 2020 Eric Johnson session


Overall, here were some key takeaways from RSAC 2020:


  1. Securing the public cloud is at an all time high. Organizations are looking for ways to better manage and monitor their cloud resources.
  2. Multi-cloud is the new normal for large organizations. Understanding how AWS, Azure and Google implement their platforms is critical.
  3. Relying on default platform settings is a mistake. Attendees are seeking guidance on how to harden services across all cloud providers.

Defending Serverless Infrastructure in the Cloud

RSAC 2020 Eric Johnson session


Our technical session examined real-world scenarios that security professionals encounter defending Cloud workloads running on Serverless Infrastructure. Attendees saw a series of hands on attack techniques for exploiting serverless functions, and learned how to apply security controls defending against the attack.


The session started with insecure secrets management in Serverless. Live demonstrations showed how a vulnerability in a function can allow attackers to exfiltrate secrets from a configuration file inside the function’s execution environment. Then, how to securely store secrets in a vault protected by the cloud key management service (KMS).


Cloud resources running under the context of a role with excessive privileges have been responsible for countless breaches. Serverless is no exception. Live demonstrations showed how to extract credentials from a function’s execution environment, and used those credentials from a remote machine to gain unauthorized access to data. Attendees saw how to enforce least privilege roles and block external requests for private cloud resources.


Serverless Infrastructure is built on an ephemeral execution environment that is supposed to live for a few hundred milliseconds and then disappear. In practice, does that hold true? Live demonstrations explored how long data actually persists malware in the execution environment. We covered how to harden the execution environment to prevent data persistence and exfiltration.


Concluding the session, we discussed how serverless environments affect forensics and incident response teams. There are no images to analyze, no memory to dump. The only evidence left are audit logs. Session attendees learned how to capture key function events, build cloud dashboards, detect anomalies, and configure alerts to effectively monitor the Serverless Infrastructure.


Attendees walked away with an understanding of the common attacks and practical security controls for defending their Serverless Infrastructure.


Puma Security Serverless Prey

Top 3 Takeaways for those who attended the session

  1. Learned how to reverse engineer function execution environments

  2. Detected compromised credentials

  3. Applied function network controls

Media & Resources

What others said about the session

“Great talk on Defending Serverless Infrastructure in the Cloud, my favorite from yesterday!”


favorite talk at rsa yesterday


“Would you like to know how to defend serverless functions in AWS, GCP, or Azure? Check out this amazing talk by my fellow SANS instructor Eric Johnson.”


Defend serverless functions in aws, gcp or Azure


“Best talk I’ve seen at RSAC” great rsac talk


“Lock down your serverless development” - TechBeacon


tech beacon eric johnson rsac 2020 session


Would you like to learn more about Defending Serverless Infrastructure in the Cloud? Contact us today: sales [at] pumasecurity [dot] com. Make sure to follow our social channels, @puma_scan on twitter and @puma-security-llc on linked in.

About The Author

Eric Johnson’s experience includes application security automation, cloud security reviews, static source code analysis, penetration testing, SDLC consulting, and secure code review assessments. As a co-founder of Puma Security, his passion lies in modern static analysis product development and DevSecOps automation.