Security Best Practices

Comprehensive guide to securing your Lambda instances and workloads.


Security Model

Lambda's security is built on defense in depth with multiple layers:

┌────────────────────────────────────────────┐
│  Application Security (Your Responsibility)│
├────────────────────────────────────────────┤
│  Instance Security (Shared)                │
├────────────────────────────────────────────┤
│ Platform Security (Lambda's Responsibility)│
└────────────────────────────────────────────┘

Shared Responsibility Model

Lambda's Responsibilities

✓ Physical security of data centers
✓ Hardware security (secure enclaves)
✓ Hypervisor isolation
✓ Network infrastructure security
✓ Platform software updates
✓ Encryption infrastructure
✓ Blind orchestration

Your Responsibilities

✓ Application code security
✓ Operating system patches
✓ Encryption key management
✓ Access control configuration
✓ Firewall rules
✓ SSH key security
✓ Data backup


Authentication & Access Control

SSH Key Management

Generate Strong Keys

# Use ED25519 (recommended)
ssh-keygen -t ed25519 -C "lambda-production"

# Or RSA 4096-bit
ssh-keygen -t rsa -b 4096 -C "lambda-production"

Key Storage

✓ DO:

  • Store private keys in ~/.ssh with 600 permissions
  • Use SSH agent for key management
  • Encrypt keys with a strong passphrase
  • Back up keys to an encrypted vault

✗ DON'T:

  • Share keys across multiple machines
  • Commit keys to version control
  • Email keys or send via chat
  • Store keys in cloud storage
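
The first and third DO items can be checked mechanically. The following is an added example, not part of Lambda's tooling: it reads the cipher name from the header of an OpenSSH-format private key (the format `ssh-keygen` writes for ED25519 keys) and checks the file mode. The function names and the two constructed sample files are assumptions made for the demonstration.

```python
import base64
import tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"

def openssh_cipher(text):
    """Return the cipher name stored in an OpenSSH-format private key, else None."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN:
        return None
    try:
        blob = base64.b64decode("".join(lines[1:-1]))
    except ValueError:
        return None
    if not blob.startswith(MAGIC):
        return None
    n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], "big")
    return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode("ascii", "replace")

def audit_key(path):
    """Return findings for one private key file (empty list means it passes)."""
    path, findings = Path(path), []
    mode = path.stat().st_mode & 0o777
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access, expected 0600")
    cipher = openssh_cipher(path.read_text(encoding="ascii", errors="replace"))
    if cipher is None:
        findings.append("not an OpenSSH-format key, check it manually")
    elif cipher == "none":
        findings.append("no passphrase: key material is stored unencrypted")
    return findings

def sample_key(cipher):
    # Constructed header only (magic + cipher name); not a usable key.
    blob = MAGIC + len(cipher).to_bytes(4, "big") + cipher.encode()
    return f"{BEGIN}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, cipher, mode in (("good", "aes256-ctr", 0o600), ("bad", "none", 0o644)):
            path = Path(d, name)
            path.write_text(sample_key(cipher))
            path.chmod(mode)
            results[name] = audit_key(path)
    return results
```

To audit real keys, call `audit_key()` on each private key file under ~/.ssh; only the header is parsed, so no passphrase is needed.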

Key Rotation

# Generate new key
ssh-keygen -t ed25519 -C "lambda-production-v2"

Add new key to Lambda:

  1. Via Dashboard (Recommended):

  2. Via CLI:

    lambda ssh-keys add --name production-v2 --file ~/.ssh/id_ed25519_v2.pub

Update instances:

lambda ssh-keys update inst_abc123 --add key_new123

# Verify new key works
ssh -i ~/.ssh/id_ed25519_v2 lambda@instance-ip

# Remove old key
lambda ssh-keys update inst_abc123 --remove key_old123

Schedule: Rotate keys every 90 days

Multi-Factor Authentication (MFA)

Enable MFA for your Lambda account:

  1. Go to Dashboard → Settings → Security
  2. Click "Enable Two-Factor Authentication"
  3. Scan the QR code with your authenticator app
  4. Enter the verification code to confirm

Alternative: Use the CLI:

lambda account mfa enable

Recommended Authenticators:

  • Authy
  • Google Authenticator
  • 1Password
  • Bitwarden

API Key Security

Create API keys from the Dashboard:

  1. Go to Dashboard → Settings → API Keys
  2. Click "Create New API Key"
  3. Set name: "production-readonly"
  4. Choose permissions: Read-only or custom permissions
  5. Save the key securely (shown only once)

Alternative: Using the CLI:

# Create API key with specific permissions
lambda api-keys create \
  --name "production-readonly" \
  --permissions "instances:read,metrics:read"

# Rotate API keys regularly
lambda api-keys rotate λ_sk_old123

# Delete unused keys
lambda api-keys delete λ_sk_unused789

Best Practices:

  • ✓ Use environment variables, never hardcode
  • ✓ Create separate keys per application
  • ✓ Grant minimum required permissions
  • ✓ Rotate keys every 90 days
  • ✓ Delete unused keys immediately

Firewall Configuration

Default-Deny Strategy

Start with all ports closed, open only what's needed:

# Default configuration (all closed except SSH)
lambda firewall list inst_abc123

# Open web ports
lambda firewall allow inst_abc123 --port 80 --source 0.0.0.0/0
lambda firewall allow inst_abc123 --port 443 --source 0.0.0.0/0

# Open application port to specific IP
lambda firewall allow inst_abc123 --port 3000 --source 203.0.113.0/24

Common Secure Configurations

Web Server (Public)

# Allow HTTP/HTTPS from anywhere
lambda firewall allow inst_abc123 --port 80 --source 0.0.0.0/0
lambda firewall allow inst_abc123 --port 443 --source 0.0.0.0/0

# SSH from office IP only
lambda firewall allow inst_abc123 --port 22 --source 198.51.100.0/24

Application Server (Private)

# Allow from load balancer only
lambda firewall allow inst_abc123 --port 3000 --source 10.0.1.0/24

# SSH from bastion host only
lambda firewall allow inst_abc123 --port 22 --source 10.0.0.5/32

Database Server (Isolated)

# Allow from app servers only
lambda firewall allow inst_db123 --port 5432 --source 10.0.2.0/24

# No SSH (console access only)
lambda firewall deny inst_db123 --port 22 --source 0.0.0.0/0

Firewall Rules Audit

# Review all rules
lambda firewall list inst_abc123

# Export rules for review
lambda firewall export inst_abc123 --output firewall-rules.json

# Check for overly permissive rules
lambda firewall audit inst_abc123
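
An added example (not Lambda's own audit logic) of reviewing exported rules offline against the default-deny policy above. The JSON layout with `port`, `source` and `action` fields is an assumption, since the page does not show the export format, and the /16 threshold is an illustrative choice.

```python
import ipaddress
import json

PUBLIC_OK = {80, 443}   # ports the page deliberately opens to 0.0.0.0/0
MIN_PREFIX = 16         # assumed threshold: broader source ranges get flagged

def audit_rules(rules):
    """Return (port, source, reason) for every allow rule that looks too broad."""
    findings = []
    for rule in rules:
        if rule.get("action") != "allow":
            continue
        net = ipaddress.ip_network(rule["source"], strict=False)
        if net.prefixlen == 0 and rule["port"] not in PUBLIC_OK:
            findings.append((rule["port"], str(net), "open to any address"))
        elif 0 < net.prefixlen < MIN_PREFIX:
            findings.append((rule["port"], str(net), f"source broader than /{MIN_PREFIX}"))
    return findings

# Constructed sample; the real layout of firewall-rules.json is not shown on the page.
SAMPLE = json.loads("""[
  {"port": 443,  "source": "0.0.0.0/0",       "action": "allow"},
  {"port": 22,   "source": "0.0.0.0/0",       "action": "allow"},
  {"port": 22,   "source": "198.51.100.0/24", "action": "allow"},
  {"port": 5432, "source": "10.0.0.0/8",      "action": "allow"},
  {"port": 3000, "source": "10.0.1.0/24",     "action": "allow"}
]""")

if __name__ == "__main__":
    for port, source, reason in audit_rules(SAMPLE):
        print(f"port {port} from {source}: {reason}")
```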

Encryption

Data at Rest

Default Encryption

All Lambda storage is encrypted by default with your keys:

# Create instance with custom encryption key
lambda create instance \
  --name secure-instance \
  --encryption-key ~/.keys/master-key.pem

Key Management

Store Keys Securely:

# Generate master key
openssl rand -base64 32 > master-key.txt

# Encrypt the key
gpg --encrypt --recipient you@example.com master-key.txt

# Store encrypted key in secure location
mv master-key.txt.gpg ~/vault/
shred -u master-key.txt  # Securely delete plaintext

Key Rotation:

# Generate new key
openssl rand -base64 32 > master-key-v2.txt

# Rotate instance encryption
lambda encryption rotate inst_abc123 \
  --old-key ~/vault/master-key-v1.txt \
  --new-key ~/vault/master-key-v2.txt

Data in Transit

TLS Configuration

# Nginx TLS configuration
server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # Strong SSL configuration
    ssl_certificate /etc/ssl/certs/your-cert.pem;
    ssl_certificate_key /etc/ssl/private/your-key.pem;

    # Only TLS 1.3 and 1.2
    ssl_protocols TLSv1.3 TLSv1.2;

    # Strong ciphers
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Certificate Management

# Install Certbot for Let's Encrypt
sudo apt install certbot python3-certbot-nginx

# Obtain certificate
sudo certbot --nginx -d your-domain.com

# Test automatic renewal (dry run)
sudo certbot renew --dry-run

Operating System Security

Keep System Updated

# Ubuntu / Debian
sudo apt update && sudo apt upgrade -y

# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Disable Unnecessary Services

# List running services
systemctl list-units --type=service --state=running

# Disable unused services
sudo systemctl disable service-name
sudo systemctl stop service-name

Configure auditd

Monitor system events:

# Install auditd
sudo apt install auditd

# Add audit rules
sudo auditctl -w /etc/passwd -p wa -k passwd-changes
sudo auditctl -w /var/log/auth.log -p wa -k auth-logs

# View audit logs
sudo ausearch -k passwd-changes

Implement Fail2Ban

Protect against brute force attacks:

# Install fail2ban
sudo apt install fail2ban

# Configure SSH protection
sudo nano /etc/fail2ban/jail.local

# Contents of /etc/fail2ban/jail.local:
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

# Start fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Check status
sudo fail2ban-client status sshd
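
To see what `maxretry = 3` and `bantime = 3600` mean for a given log, the following added example replays sshd failure lines through a simplified model of the jail's counting. It is not fail2ban's own code; `findtime=600` is fail2ban's default window (the jail above does not set it), and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def bans(lines, maxretry=3, findtime=600, bantime=3600, year=2026):
    """Return (ip, ban_start, ban_end) tuples for an sshd jail with these settings.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    banned_until, out = {}, []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned, nothing new to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # failure fell out of the findtime window
        if len(q) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            out.append((ip, ts, end))
            q.clear()
    return out

# Constructed sample lines in the sshd auth.log format (documentation IP ranges).
SAMPLE = """\
Jan 24 10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jan 24 10:00:05 host sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 50113 ssh2
Jan 24 10:00:09 host sshd[103]: Failed password for root from 203.0.113.7 port 50114 ssh2
Jan 24 10:05:00 host sshd[104]: Failed password for lambda from 198.51.100.20 port 40000 ssh2
Jan 24 10:30:00 host sshd[105]: Failed password for lambda from 198.51.100.20 port 40001 ssh2
Jan 24 10:31:00 host sshd[106]: Accepted publickey for lambda from 198.51.100.20 port 40002 ssh2
""".splitlines()
```

On the sample, only 203.0.113.7 is banned: the two failures from 198.51.100.20 are 25 minutes apart and never share a window.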

Application Security

Principle of Least Privilege

Run applications as non-root users:

# Create application user
sudo useradd -r -s /bin/false appuser

# Run application as that user
sudo -u appuser /path/to/app

Application Isolation

Use containers for isolation:

# Run Docker container with limited resources
docker run -d \
  --name myapp \
  --memory="1g" \
  --cpus="1.0" \
  --read-only \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  myapp:latest

Secrets Management

Never hardcode secrets:

✗ BAD:

const dbPassword = "supersecret123";

✓ GOOD:

const dbPassword = process.env.DB_PASSWORD;

Use secrets manager:

# Store secret
lambda secrets create \
  --name db-password \
  --value "supersecret123" \
  --encrypt-with ~/keys/master-key.pem

# Retrieve in application
lambda secrets get db-password --instance inst_abc123

Network Security

Private Networking

Use VPCs for multi-instance deployments:

# Create VPC
lambda vpn create \
  --name production-vpc \
  --cidr 10.0.0.0/16

# Add instances to VPC
lambda vpn attach inst_abc123 --vpc vpc_xyz789
lambda vpn attach inst_def456 --vpc vpc_xyz789

# Disable public IPs (optional)
lambda network disable-public-ip inst_abc123

Bastion Host

For secure SSH access:

Internet → Bastion Host → Private Instances

# Create bastion
lambda create instance \
  --name bastion \
  --type compute-1x \
  --vpc vpc_xyz789

# Configure SSH forwarding
ssh -J lambda@bastion-ip lambda@private-instance-ip

VPN Access

Connect your office to Lambda instances:

# Create VPN
lambda vpn create \
  --name office-vpn \
  --type site-to-site \
  --local-cidr 192.168.1.0/24 \
  --remote-cidr 10.0.0.0/16

# Download VPN config
lambda vpn config office-vpn --output vpn-config.ovpn

Monitoring & Alerting

Security Monitoring

# Enable audit logging
lambda audit enable inst_abc123

# Configure alerts
lambda alerts create \
  --name "SSH Login Alert" \
  --condition "ssh_login_failed > 5" \
  --instance inst_abc123 \
  --notify email:security@example.com

Log Analysis

# Export logs for analysis
lambda logs export inst_abc123 \
  --start "2026-01-24T00:00:00Z" \
  --end "2026-01-24T23:59:59Z" \
  --output logs.json

# Analyze with tools
cat logs.json | jq '.[] | select(.event == "ssh_login_failed")'

Intrusion Detection

# Install OSSEC (example)
sudo apt install ossec-hids

# Configure alerts
sudo /var/ossec/bin/manage_agents

Incident Response

Preparation

  1. Create incident response plan
  2. Set up monitoring and alerting
  3. Document recovery procedures
  4. Test backup restoration

Detection

Monitor for:

  • Unusual SSH login attempts
  • Unexpected network traffic
  • High CPU/memory usage
  • File system changes
  • Root privilege escalations

Response

  1. Isolate: Disconnect compromised instance

    lambda firewall deny-all inst_compromised123

  2. Investigate: Take snapshot for forensics

    lambda snapshot create inst_compromised123 --name "forensic-$(date +%s)"

  3. Eradicate: Destroy and rebuild

    lambda destroy inst_compromised123
    lambda create instance --from-snapshot snap_clean_backup

  4. Recover: Restore from clean backup

  5. Lessons Learned: Document and improve


Compliance

Security Checklists

Daily

  • Review security alerts
  • Check for failed login attempts
  • Monitor resource usage

Weekly

  • Review firewall rules
  • Audit user access
  • Check for system updates
  • Review application logs

Monthly

  • Rotate API keys
  • Update SSL certificates (if needed)
  • Security patch deployment
  • Backup verification
  • Vulnerability scan

Quarterly

  • SSH key rotation
  • Security audit
  • Incident response drill
  • Review access controls
  • Update security documentation

Security Tools

Category               Tool        Purpose
Vulnerability Scanner  OpenVAS     Scan for vulnerabilities
IDS/IPS                Suricata    Intrusion detection
Log Analysis           ELK Stack   Centralized logging
Secrets Management     Vault       Manage secrets
Compliance             OpenSCAP    Security compliance
Network Security       WireGuard   VPN solution
