In serverless architectures, the serverless provider is responsible for securing the data center, network, servers, operating systems and their configurations. However, application logic, code, data and application-layer configurations still need to be robust and resilient to attacks, and securing them is the responsibility of application owners.
We urge all organizations to adopt this document and use it during the process of designing, developing and testing serverless applications in order to minimize security risks. This document will be maintained and enhanced periodically based on input from the community, as well as research and analysis of the most common serverless architecture risks.
The research covers the following topics:
The serverless security shared responsibility model
Traditional application security technologies and their relevancy to serverless architectures