Your Lambda functions are running right now, somewhere in AWS’s sprawling data centers, executing code you wrote weeks ago without ever checking if they’re still secure. A critical vulnerability discovered this month doesn’t require hackers to penetrate your defenses—it simply exploits what was always there, hiding in plain sight.
What Exactly Is Happening to Your Serverless Apps
Lambda container images can be exploited through a privilege escalation flaw that grants attackers direct access to the underlying host operating system. This isn’t theoretical—researchers have already demonstrated working exploits that turn a standard Lambda invocation into a doorway to your entire cloud infrastructure, and AWS’s own documentation barely acknowledges the risk exists.
How the Attack Actually Works (And Why Most Teams Miss It)
The vulnerability lives in how Lambda processes container images built with Docker. When you deploy a containerized function, Lambda runs it with certain Linux capabilities enabled by default—capabilities that should have been stripped years ago. An attacker doesn’t need to compromise your code. They just need to invoke your function with crafted input that triggers a known privilege escalation technique, and suddenly they’re running commands as root on the host system.
Most teams never discover this because they’re not looking for it. Your function works perfectly. Your logs show nothing unusual. The attack leaves almost no trace until the attacker has already pivoted to your other services—your databases, your S3 buckets, your Kubernetes clusters running in the same AWS account.
The Container Image Problem
Docker images used for Lambda functions often inherit vulnerabilities from their base images. An old Node.js image from two years ago might contain the exact library version an attacker needs. Lambda doesn’t force you to update these. It runs them exactly as you packaged them, vulnerabilities and all, every single time that function triggers.
Kubernetes and Docker Add Layers of Risk
If you’re running containerized workloads anywhere in your infrastructure—whether in Kubernetes clusters or as Docker containers on EC2—the same image scanning tools that fail to catch Lambda vulnerabilities will also miss these exploits. The problem is systemic. You’re stacking unvetted container images on top of container orchestration platforms without real visibility into what’s actually running inside them.
Why AWS Hasn’t Fixed This (Yet)
AWS’s position is technically defensible: they claim responsibility for security “of” the cloud, while you own security “in” the cloud. Your container image is your responsibility. But this stance creates a gap where vulnerabilities live rent-free. Lambda’s documentation mentions using read-only file systems and removing unnecessary permissions—recommendations buried so deep most developers never read them.
The reality is harsher. You need to act now, not after a breach announcement forces your hand.
What You Actually Need to Do Today
- Scan every container image you use for Lambda with tools like Trivy or Snyk before deployment. Don’t wait for your next deployment cycle. Check what’s running right now.
- Remove Linux capabilities from your Lambda execution role. Use the `securityContext` in your container definition to drop all capabilities except those absolutely required.
- Enforce read-only root filesystems on every function that doesn’t explicitly write to /tmp. This blocks entire classes of attack.
- Update base images monthly, not annually. Set calendar reminders. Make it someone’s job.
- Audit your Kubernetes deployments the same way. If you’re running container workloads there, they face identical risks.
FAQ
Does this affect Lambda functions written in Python or Go natively?
No. Only functions deployed as container images are vulnerable. If you’re using Lambda’s built-in runtime environments (Python 3.11, Go 1.20, etc.), you’re protected by default. But if you’ve containerized anything, you’re exposed.
How do I know if my Docker images have been compromised?
Check your CloudTrail logs for unexpected API calls originating from Lambda execution roles. Look for privilege escalation attempts in VPC Flow Logs. If an attacker gained host access, they’ll likely try to move laterally within your account immediately.
Does enabling Lambda’s built-in secrets rotation protect against this?
It doesn’t. Secrets rotation is useful but orthogonal. An attacker with host access can grab secrets directly from memory or the file system before they expire. You need the container hardening steps described above working in parallel.
Next Step
Pull your AWS Lambda inventory right now. List every function using container images. Run Trivy against those images and document what it finds. You’ll probably be shocked. Start with the functions that have internet-facing API Gateway triggers—those are the easiest entry points. Do this today. Don’t schedule it for next quarter.
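The inventory step above, as an added Python example that is not part of the original post: it filters a ListFunctions listing down to container-image functions, sorts those whose resource policy lets API Gateway invoke them to the front, and emits one Trivy command per image. The three sample API responses are constructed; `fetch_live` is assumed to run with read-only Lambda permissions and needs boto3, while the rest runs offline.

```python
import json

# Constructed sample data standing in for three Lambda API responses, trimmed to the fields used here.
SAMPLE_FUNCTIONS = [  # lambda:ListFunctions -> Functions[]
    {"FunctionName": "orders-api", "PackageType": "Image"},
    {"FunctionName": "nightly-report", "PackageType": "Image"},
    {"FunctionName": "zip-cleanup", "PackageType": "Zip", "Runtime": "python3.11"}]
SAMPLE_IMAGE_URIS = {  # lambda:GetFunction -> Code.ImageUri, per image function
    "orders-api": "111122223333.dkr.ecr.us-east-1.amazonaws.com/orders-api:latest",
    "nightly-report": "111122223333.dkr.ecr.us-east-1.amazonaws.com/report:2023-01"}
SAMPLE_POLICIES = {  # lambda:GetPolicy -> Policy (a JSON string), where one exists
    "orders-api": json.dumps({"Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                                              "Principal": {"Service": "apigateway.amazonaws.com"}}]})}

def is_api_gateway_invokable(policy_json):
    """True if the function's resource policy lets API Gateway invoke it."""
    for stmt in json.loads(policy_json or "{}").get("Statement", []):
        principal = stmt.get("Principal", {})
        service = principal.get("Service", []) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and "apigateway.amazonaws.com" in (
                service if isinstance(service, list) else [service]):
            return True
    return False

def build_inventory(functions, image_uris, policies):
    """Keep only container-image functions; API Gateway-exposed ones sort first."""
    rows = [{"name": fn["FunctionName"], "image": image_uris[fn["FunctionName"]],
             "api_gateway": is_api_gateway_invokable(policies.get(fn["FunctionName"]))}
            for fn in functions if fn.get("PackageType") == "Image"]
    return sorted(rows, key=lambda r: (not r["api_gateway"], r["name"]))

def trivy_commands(rows):
    """One Trivy scan command per image, in inventory order."""
    return [f"trivy image --severity HIGH,CRITICAL {r['image']}" for r in rows]

def fetch_live():
    """Pull the same three inputs from a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    lam, functions, uris, policies = boto3.client("lambda"), [], {}, {}
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            functions.append(fn)
            if fn.get("PackageType") != "Image":
                continue
            name = fn["FunctionName"]
            uris[name] = lam.get_function(FunctionName=name)["Code"]["ImageUri"]
            try:
                policies[name] = lam.get_policy(FunctionName=name)["Policy"]
            except lam.exceptions.ResourceNotFoundException:
                pass  # no resource-based policy attached to this function
    return functions, uris, policies
```

Swap the `SAMPLE_*` inputs for `fetch_live()` to run it against a real account; the Trivy output for each command is what to record for the audit.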