Uploader: 高宏飞 (shared on 2026-03-25)

Author: Joshua Arvin Lat

Despite the increased adoption of serverless computing services around the world, a big gap still exists when it comes to serverless security knowledge and expertise. This gap comes with a steep price: the increased risk of data breaches as more companies store their data in the cloud. This practical guide covers the relevant offensive and defensive security techniques to audit and secure serverless applications running on AWS, Azure, and Google Cloud. You'll learn how to attack and defend a variety of vulnerable serverless applications using the step-by-step instructions.

Publish Year: 2026
Language: English
File Format: PDF
File Size: 9.4 MB
Text Preview (First 20 pages)
Praise for Learning Serverless Security

An exceptional gateway for aspiring serverless security practitioners. From high-level introductions to hands-on labs and deep dives, this book accelerates learning for non-IT beginners and advanced practitioners alike—making the following accessible to all: complex cybersecurity concepts, mitigations, and quite frankly, even hacking techniques!
—Jasper Riane D. Mendoza, senior solutions architect, Worldwide Public Sector, Amazon Web Services

This book is a must-have for DevSecOps professionals, application security engineers, and AppSec pentesters. Joshua addresses the current threats and vulnerabilities in serverless applications before delving deeper into exploiting them with practical attacks, such as privilege escalation and creating backdoors. He really knows how attackers think and how to secure your assets.
—Jay Turla, principal security researcher (automotive)

This book provides a deep, practical walkthrough of serverless security, from identity access misconfigurations and exposed functions to patterns and event-driven attacks. It’s an invaluable resource for engineers securing real-world workloads across major cloud platforms.
—Rafi Quisumbing, award-winning AWS Hero, Fractional CTO, and cloud advisor

As someone who has worked in academia, government, and industry, I consider this book a rare link between theory and practice and value the clarity it provides in demystifying serverless risks. Complex threats become understandable through practical insights.
—Mars Cacacho, cybersecurity senior manager, founder, Hackthenorth.ph

A great primer on serverless security. This book teaches you that protecting serverless apps is more than protecting your functions, cloud storage resources, and access keys. It shows you different ways attackers can compromise your cloud applications running on AWS, Google Cloud, and Azure.
—Raphael Jambalos, head of application modernization and security, eCloudValley Philippines

This book doesn’t just explain serverless security—it demonstrates it hands-on. By walking the reader through realistic attack paths and concrete mitigations, Learning Serverless Security equips engineers to think like both builders and attackers.
—Adelen Festin, software engineer

As AI coding tools accelerate serverless development, security becomes the critical differentiator. This book equips vibe coders, developers, security engineers, and architects with essential multi-cloud expertise to defend applications in the age of AI-assisted development.
—Jason Torres, founder, BetterGov.ph

Joshua provides essential hands-on training in serverless security across all major cloud platforms. The vulnerable-by-design labs brilliantly demonstrate both attack and defense techniques. This practical approach transforms security theory into actionable skills, a must-read for cloud architects and security professionals.
—Diwa “Wawi” del Mundo, founder of Apper Digital, Inc. (AWS Advanced Tier Services Partner, Google Cloud Partner)

A well-structured and timely guide to serverless security. The risk assessments and controls are practical, relevant, and easy to apply. This is a book that both experienced cybersecurity professionals and newcomers will benefit from.
—Felix Marasigan, security operations center head, G-Xchange Inc. (GCash)

Finally, an excellent hands-on guide that tackles various security challenges of serverless applications across AWS, Azure, and Google Cloud! With tons of real-world examples, including steps to secure your AI-powered serverless apps, it is especially relevant in today’s AI-driven industry.
—Jon Bonso, CEO, Tutorials Dojo

Having worked with serverless technologies on AWS for five years, I was impressed that this book summarizes everything you need to know about serverless: architectural patterns, access controls, best practices, and even hacking.
—Seaver Choy, engineering director, First Mate Technologies

This book is a refreshing take on serverless security. It goes beyond the usual “secure your functions” narrative and instead examines the full picture of how identity, storage, networking, CI/CD, and application code come together in real serverless systems. It connects the dots across services and software layers, showing that security isn’t something you bolt into serverless functions, but something you design across the entire architecture. It’s practical, insightful, and grounded in how serverless actually works in production, not just how it’s marketed.
—Michael Angelo C. Rayco, global cloud solutions architect, International Rice Research Institute
Learning Serverless Security Hacking and Securing Serverless Cloud Applications on AWS, Azure, and Google Cloud Joshua Arvin Lat
Learning Serverless Security
by Joshua Arvin Lat

Copyright © 2026 Joshua Arvin Lat. All rights reserved.

Published by O’Reilly Media, Inc., 141 Stony Circle, Suite 195, Santa Rosa, CA 95401.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (https://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Rita Fernando
Production Editor: Gregory Hyman
Copyeditor: Sharon Wilkey
Proofreader: Andrea Schein
Indexer: WordCo Indexing Services, Inc.
Cover Designer: Karen Montgomery
Cover Illustrator: Monica Kamsvaag
Interior Designer: David Futato
Interior Illustrator: Kate Dullea
Technical Reviewers: Adelen Festin, Raphael Jambalos, Anil Moka, Sathiesh Veera, and Wietse Venema

February 2026: First Edition

Revision History for the First Edition
2026-02-17: First Release

See https://oreilly.com/catalog/errata.csp?isbn=9781098149017 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning Serverless Security, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author, and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-14901-7
[LSI]
Preface

In the last few years, more organizations around the world have started to embrace the serverless computing paradigm when building scalable and reliable applications in the cloud. Tooling and support for managing serverless applications across a variety of cloud platforms have significantly improved as well. To support the increased adoption of serverless computing services and architectures, cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud continue to push the limits of serverless computing through the addition of services and capabilities in their product offerings.

That said, this increased adoption of serverless and cloud computing has also increased the risk of data breaches as more companies store their data in the cloud without having a solid understanding of serverless and cloud security. Despite these trends, a big gap exists in serverless security knowledge and expertise. Security professionals are still catching up on the evolving set of techniques for hacking and securing serverless applications in the cloud. This book aims to bridge this gap by diving deeper into the offensive and defensive security strategies when dealing with modern serverless architectures.

Who Should Read This Book

This book is for security engineers, cloud engineers, developers, security architects, and penetration testers responsible for managing, auditing, and securing their cloud infrastructure. This book is targeted toward professionals with experience using cloud services who are planning to dive deeper into cloud and serverless security. You are expected to have a good understanding of the concepts of cloud computing and security. Basic knowledge of serverless computing and the fundamental services of AWS, Google Cloud, and Azure will help. Knowledge or experience using security tools is optional.

Why I Wrote This Book

Despite the increased adoption of serverless computing, relatively few books and resources focus on the security of serverless applications and systems. With the opportunity to influence the future of technology, I decided to write this book to help the next generation of technology professionals build more-secure applications in the cloud. I hope that this book will be a useful resource for those interested in learning more about serverless security strategies and best practices.

Navigating This Book

Here’s an outline of what this book covers:

Chapter 1, “Introduction to Serverless Computing”, and Chapter 2, “Understanding Serverless Architectures and Implementation Patterns”
I will demystify what serverless computing is, cover common myths and misconceptions, and give you an overview of how serverless applications are implemented on AWS, Azure, and Google Cloud. To help you see how the core principles of serverless computing are applied in practice, you’ll explore some of the most common building blocks, patterns, and solutions used in serverless architectures and examine the relevant security considerations along the way.

Chapter 3, “Diving Deeper into Serverless Security Threats and Risks”
You will build upon what you learned in the first two chapters and explore the security considerations relevant to serverless applications. To broaden your understanding of serverless security, you will dive deep into a variety of security threats and risks relevant to serverless computing.

Chapter 4, “Exploiting and Securing Exposed AWS IAM Credentials”, Chapter 5, “Exploiting and Securing Misconfigured AWS IAM Roles”, Chapter 6, “Hacking Publicly Accessible AWS Lambda Functions”, and Chapter 7, “Running and Securing Serverless Functions in a VPC”
You will focus on AWS serverless security and experience firsthand how attackers exploit misconfigurations and vulnerabilities in serverless applications. You will also learn the best practices for securing the various components and building blocks in serverless applications running on AWS.

Chapter 8, “Hacking and Securing Google Cloud Storage Buckets”, Chapter 9, “Abusing Google Cloud Storage Event Triggers with Malicious File Uploads”, and Chapter 10, “Setting Up Backdoors and Escalating Privileges in Google Cloud”
You will focus on securing serverless environments in Google Cloud. You will examine common cloud storage bucket misconfigurations, how event triggers can be exploited through malicious file uploads, as well as how attackers can set up backdoors and escalate privileges. In addition, you will learn how to recognize vulnerabilities and misconfigurations in your serverless applications running on Google Cloud, so you can stay one step ahead of attackers.

Chapter 11, “Hacking and Securing Azure Functions”, Chapter 12, “Escalating Privileges in Microsoft Azure”, and Chapter 13, “Analyzing, Auditing, and Securing Serverless Application Code”
You will focus on Azure serverless security and dive deep into how attackers exploit misconfigurations and vulnerabilities in serverless functions. You’ll explore privilege escalation techniques specific to Azure, and use various tools and approaches to analyze your serverless application code and its dependencies. Together, these chapters will complete your journey through serverless security by covering areas not fully addressed in previous chapters, helping you secure your serverless applications and systems against a broader range of attacks.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
Indicates new terms, URLs, and email addresses.

Constant width
Used for filenames, file extensions, and program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords. Also used to indicate text that should be typed literally by the user, such as in a UI field.

Constant width bold
Used to call attention to code snippets of particular interest, within the context of the discussion.

Constant width italic
Shows text that should be replaced with user-supplied values or by values determined by context.
TIP
This element signifies a tip or suggestion.

NOTE
This element signifies a general note.

WARNING
This element indicates a warning or caution.

Using Code Examples

Supplemental material (code examples, exercises, etc.) is available for download at https://oreil.ly/learning-serverless-security-code.

If you have a technical question or a problem using the code examples, please send an email to bookquestions@oreilly.com.

This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but generally do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Learning Serverless Security by Joshua Arvin Lat (O’Reilly). Copyright 2026 Joshua Arvin Lat, 978-1-098-14901-7.”

If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.

O’Reilly Online Learning

NOTE
For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed.

Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
141 Stony Circle, Suite 195
Santa Rosa, CA 95401
800-889-8969 (in the United States or Canada)
707-827-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://oreilly.com/about/contact.html

We have a web page for this book, where we list errata and any additional information. You can access this page at https://oreil.ly/learning-serverless-security.

For news and information about our books and courses, visit https://oreilly.com.

Find us on LinkedIn: https://linkedin.com/company/oreilly.
Watch us on YouTube: https://youtube.com/oreillymedia.

Acknowledgments

Writing this book has been a truly rewarding experience, thanks to the unwavering support and invaluable feedback shared by many dedicated contributors. I would like to express my deepest gratitude to the reviewers who generously shared their time, expertise, and valuable input throughout the development of this book. Thank you to Adelen Festin, Raphael Jambalos, Sathiesh Veera, Anil Moka, and Wietse Venema. Your insightful comments and actionable feedback have been invaluable.

Special thanks to the O’Reilly team, including Simina Calin, Rita Fernando, Sara Hunter, Beth Kelly, Gregory Hyman, and Sharon Wilkey for your guidance, support, and attention to detail throughout the publishing process. Many others also played important roles in bringing this book to life, and I am truly grateful for their contributions. Thank you for being part of this journey and helping shape this book into what it is today.
Chapter 1. Introduction to Serverless Computing

Do you still remember the first application you built for real end users? My first project was a time-tracking application that allowed a company’s employees to log and keep track of their work hours via a web interface. It was built using a monolithic architecture in which the components were tightly integrated and deployed together.

As I started to build more complex applications, I explored various architectures, concepts, and approaches, including multitiered architectures, cyclomatic complexity, automated testing, server autoscaling, microservices, and service-oriented architectures. These helped me and my team manage the complexity and scalability of our deployed systems. Over time, we discovered how to use managed cloud services that made the administration of certain components such as load balancers and databases more tolerable. Using these services reduced the risk of downtime for the systems we had running in the cloud. This proved essential as my team never had a dedicated cloud engineer for managing the cloud infrastructure resources. Because of our lean team structure, nearly everyone from the engineering team focused primarily on building new features and systems. If you find yourself in a similar situation, you may consider using managed cloud services to focus more on innovation and business growth.

After seeing the benefits of managed cloud services, I realized that serverless computing could take things further. A few months after AWS Lambda was released, I built and deployed a serverless application that would do the following:

- Identify all cloud server resources running across all regions
- Estimate the cost of keeping these cloud server resources running
- Send an email to each developer of the team with the relevant details

This application would run for only a few seconds each day to remind the developers to manually turn off the cloud resources they used while testing the features they were working on that day. Given that the serverless function resources automatically scaled down to zero when the application was not running, the overall infrastructure cost of running the serverless application I built was zero for an entire year.[1]

NOTE
In this book, I will use serverless and serverless computing interchangeably.

After the success of our first serverless project, my team raised a few questions as we considered using the serverless approach for new projects. Here are some of the notable questions we discussed:

- Are there really no servers involved in serverless architectures?
- Does this mean that we do not have to worry about cloud infrastructure management work?
- Can we use serverless for complex, large-scale projects?
- Which programming languages can we use to build serverless applications?
- Do we even need to worry about the security of the application and the infrastructure with serverless implementations?

If you are wondering about the answers to these questions, you will find them clearly addressed and explained in this chapter. Using my first serverless project as a case study,[2] I’ll take you through what serverless architectures look like, define fundamental terms, and present use cases. We will dive into common myths and misconceptions to give you a thorough understanding of serverless computing. My goal is to bring clarity to the way it really works and refine your perspective on serverless security before we explore the rest of the book. Without further ado, let’s begin!

Demystifying Serverless Computing

You’ve probably come across the term serverless and wondered whether no servers are really involved. Of course, there are servers behind the scenes! You just don’t have to worry about managing their underlying infrastructure. While you might think this concept is as simple as it seems, it’s an oversimplification of what serverless really is and what it is not.

In this section, I’ll demystify serverless computing by taking you deeper into my first serverless project. I’ll walk you through my thought process at the time and discuss how serverless solves various challenges and complexities in the development and infrastructure management process. Then I will define and clarify the concepts surrounding serverless computing, and highlight the scenarios where serverless is most effective.

Embracing Serverless

One of the primary reasons I explored serverless for my cloud resource-tracking project was its cost-saving potential. Because the application required only a few seconds of runtime each day, the entire system managed to run in the cloud with little to no cost.
You might be curious how exactly my first serverless project operated virtually for free. The cost of using the AWS Lambda service depends on the amount of time the cloud function resources are running, the number of invocation requests, and the amount of memory allocated to the function resource. Since the usage was well within the AWS Free Tier’s limits given that the application ran for at most approximately 30 seconds each day, there were no charges for the services used in this specific application.

NOTE
Pricing for serverless function services such as AWS Lambda, Microsoft Azure Functions, and Google Cloud Run functions varies depending on resource configuration, invocation frequency, execution duration, data transfer volume, and additional features you choose to enable. As of this writing, various factors influence overall cloud costs when using AWS Lambda functions. These include the cost associated with using other features and capabilities, such as Provisioned Concurrency and SnapStart. Other factors include data transfer costs and additional ephemeral storage usage.[3]

The smallest Amazon Elastic Compute Cloud (EC2) instance type available at that time on AWS was a t1.micro instance (and later on a t2.micro instance; the nano instances were introduced much later).[4] At that point, we were already running several of these instances, with their combined usage far exceeding the AWS Free Tier limits. That being said, running a dedicated server 24/7 for this specific use case would have been wasteful and more expensive than using serverless functions since my script ran for at most approximately 30 seconds per day.

The setup shown in Figure 1-1 leverages server-side automated job scheduling that references a configuration file and automatically executes the custom script on a specified schedule. Although this may look old-school now, it was a go-to option for automating tasks on a server back then.

Figure 1-1. A script running inside a dedicated virtual machine instance
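The daily reminder function described at the start of this chapter (find running instances in every region, estimate what they cost, mail each developer) and the Lambda pricing model summarized in the note above, as one added example that is not the book's code. The decision logic is pure Python so it runs offline; only lambda_handler() calls AWS, through boto3's describe_regions, the describe_instances paginator and SES send_email. The Owner tag holding a developer's e-mail address, the sender address, the hourly rate table, the Lambda prices and the free-tier figures are assumptions made for this example, and the instance records at the bottom are constructed.

```python
"""Added example, not from the book: a scheduled idle-instance reminder in the
shape of the author's first Lambda function, with its logic kept testable offline.
Assumptions: an Owner tag carries the developer's e-mail, the hourly rate table,
and the Lambda price/free-tier constants are illustrative values, not book values."""
from collections import defaultdict

# Assumed on-demand hourly rates in USD; real rates vary by region and over time.
HOURLY_RATES = {"t1.micro": 0.02, "t2.micro": 0.0116, "m5.large": 0.096}
DEFAULT_HOURLY_RATE = 0.10  # fallback for instance types missing from the table

# Assumed AWS Lambda x86 list prices and monthly free tier, used only for the estimate.
LAMBDA_PRICE_PER_GB_SECOND = 0.0000166667
LAMBDA_PRICE_PER_MILLION_REQUESTS = 0.20
LAMBDA_FREE_GB_SECONDS = 400_000
LAMBDA_FREE_REQUESTS = 1_000_000


def running_instances(reservations, region):
    """Flatten one region's ec2:DescribeInstances reservations to running instances,
    keeping the Owner tag so each report can be addressed to whoever started them."""
    found = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped instances are not burning compute hours
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            found.append({"id": inst["InstanceId"], "type": inst["InstanceType"],
                          "owner": tags.get("Owner", "unowned"), "region": region})
    return found


def daily_cost(instance):
    """Estimated cost of leaving one instance running for 24 hours."""
    return round(HOURLY_RATES.get(instance["type"], DEFAULT_HOURLY_RATE) * 24, 4)


def build_reports(instances):
    """Group running instances by owner; one plain-text report per developer."""
    by_owner = defaultdict(list)
    for inst in instances:
        by_owner[inst["owner"]].append(inst)
    reports = {}
    for owner, insts in by_owner.items():
        lines = [f"{i['region']} {i['id']} ({i['type']}) ~${daily_cost(i):.2f}/day"
                 for i in insts]
        reports[owner] = {"total_per_day": round(sum(daily_cost(i) for i in insts), 2),
                          "body": "\n".join(lines)}
    return reports


def lambda_monthly_cost(invocations, avg_duration_ms, memory_mb):
    """Duration x memory x requests pricing with the monthly free tier deducted."""
    gb_seconds = invocations * (avg_duration_ms / 1000) * (memory_mb / 1024)
    billable_gb_seconds = max(0.0, gb_seconds - LAMBDA_FREE_GB_SECONDS)
    billable_requests = max(0, invocations - LAMBDA_FREE_REQUESTS)
    return round(billable_gb_seconds * LAMBDA_PRICE_PER_GB_SECOND
                 + billable_requests * LAMBDA_PRICE_PER_MILLION_REQUESTS / 1_000_000, 6)


def lambda_handler(event, context):
    """Scheduled entry point. The execution role needs only ec2:DescribeRegions,
    ec2:DescribeInstances and ses:SendEmail; the function never stops anything itself."""
    import boto3  # imported here so the functions above run without the SDK installed

    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    found = []
    for region in regions:
        paginator = boto3.client("ec2", region_name=region).get_paginator("describe_instances")
        for page in paginator.paginate(
                Filters=[{"Name": "instance-state-name", "Values": ["running"]}]):
            found.extend(running_instances(page["Reservations"], region))

    ses = boto3.client("ses")
    for owner, report in build_reports(found).items():
        if owner == "unowned":
            continue  # nobody to notify; the return value surfaces the count instead
        ses.send_email(
            Source="cloud-costs@example.com",  # assumed verified SES identity
            Destination={"ToAddresses": [owner]},
            Message={"Subject": {"Data": f"Running instances: ~${report['total_per_day']}/day"},
                     "Body": {"Text": {"Data": report["body"]}}})
    return {"running": len(found), "unowned": sum(i["owner"] == "unowned" for i in found)}


# Constructed sample: one region's DescribeInstances reservations.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0a1", "InstanceType": "t2.micro", "State": {"Name": "running"},
         "Tags": [{"Key": "Owner", "Value": "alice@example.com"}]},
        {"InstanceId": "i-0a2", "InstanceType": "m5.large", "State": {"Name": "stopped"},
         "Tags": [{"Key": "Owner", "Value": "alice@example.com"}]}]},
    {"Instances": [
        {"InstanceId": "i-0b1", "InstanceType": "m5.large", "State": {"Name": "running"},
         "Tags": []}]},
]

if __name__ == "__main__":
    for owner, report in build_reports(running_instances(SAMPLE_RESERVATIONS, "us-east-1")).items():
        print(f"{owner}: ~${report['total_per_day']}/day\n{report['body']}\n")
    print("Lambda cost, 30 runs x 30 s x 128 MB:", lambda_monthly_cost(30, 30_000, 128))
```

Two points worth keeping from this shape. The author's design only reminds; it does not stop instances, so the execution role should carry the three read-and-notify permissions named in the handler and nothing like ec2:StopInstances or ec2:TerminateInstances, which would turn a compromised or buggy function into an outage. And untagged instances are reported rather than silently skipped, because a resource nobody owns is exactly the one that keeps running.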