
In a hobby side project I am creating an online game where the user can play a card game by implementing strategies. The user can submit his code and it will play against other users' strategies. Once the user has submitted his code, the code needs to be run on the server side.

I decided that I want to isolate code execution of user submitted code into an AWS lambda function. I want to prevent the code from stealing my AWS credentials, mining cryptocurrency and doing other harmful activity.

My plan is to do the following:

  • Limit code execution time
  • Prevent any communication to the internet & internal services (except through the return value).
  • Have a review process in place, which prevents execution of user submitted code before it is considered harmless

Now I need your advice on how to achieve best isolation:

  • How do I configure my function, so that it has no internet access?
  • How do I configure my function, so that it has no access to my internal services?
  • Do you see any other possible attack vector?
  • Since this hasn't been mentioned yet (even though this question is >2yo at this time), it is worth highlighting that AWS Lambda does not provide for isolation between different requests. E.g. /tmp/ persists with the lifetime of the execution environment for every concurrent worker. So AWS Lambda by itself is not sufficient as a sandbox environment (e.g. for processing untrusted code in an immutable environment)... which is a shame. Commented Dec 11, 2023 at 4:07

2 Answers

How do I configure my function, so that it has no internet access?

Launch the function into an isolated private subnet within a VPC.

How do I configure my function, so that it has no access to my internal services?

By launching the function inside the isolated private subnet you can configure which services it has access to, controlling them via the security groups and further via the route table attached to this subnet, as well as AWS Network ACLs.

Do you see any other possible attack vector? There could be multiple attack vectors here:

I would try to answer from the security perspective of AWS services. The most important thing would be to set up AWS Billing Alerts, so that if there is some trouble you at least get notified and can take the necessary action. I am assuming you already have MFA set up for your logins.

  1. Make sure you configure your Lambda with a least-privilege IAM role.
  2. Create a completely separate subnet dedicated to launching the Lambda function.
  3. Create a security group for the Lambda and control this Lambda's access to other services in your solution.
  4. Have a separate route table for the subnet where you allow only the selected services, or be very specific with the corresponding IP addresses as well.
  5. Make sure you also use Network ACLs to control all the outgoing traffic from the subnet, as an added layer.
  6. Enable VPC Flow Logs, have the necessary Athena queries with analysis in place, and add alerts using AWS CloudWatch.

The list can be very long when you want to secure this deployment fully in AWS. I have added just a few.
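The network controls in this answer (security group egress, the subnet's route table, and the network ACL) can each silently fall back to AWS defaults that allow everything, so it is worth checking them rather than assuming. The script below is an added example, not code from the answer: it audits the three controls against the document shape returned by `aws ec2 describe-security-groups`, `describe-route-tables` and `describe-network-acls`. The subnet, group, table and ACL IDs and the two sample VPCs (one isolated, one that still has a NAT route and default egress) are constructed for the example.

```python
"""Audit whether a Lambda's VPC placement is actually isolated.

Added example. Feed it the parsed JSON of the describe-* calls named above;
the documents below are constructed stand-ins with made-up IDs.
"""
from __future__ import annotations

# --- constructed sample data -------------------------------------------------
SECURITY_GROUPS = [
    # Good: an empty egress list means no outbound connection can be opened.
    {"GroupId": "sg-0noegress", "IpPermissionsEgress": []},
    # Bad: the rule AWS puts on every new group, allow-all egress.
    {"GroupId": "sg-0default", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []},
    ]},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0isolated",
     "Associations": [{"SubnetId": "subnet-0isolated", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0leaky",
     "Associations": [{"SubnetId": "subnet-0leaky", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]
NETWORK_ACLS = [
    # Only the implicit deny-all entries (rule 32767) remain: nothing leaves.
    {"NetworkAclId": "acl-0isolated", "Associations": [{"SubnetId": "subnet-0isolated"}],
     "Entries": [{"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
    # The default ACL of a VPC: rule 100 allows everything in both directions.
    {"NetworkAclId": "acl-0default", "Associations": [{"SubnetId": "subnet-0leaky"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
                 {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]},
]

# Every key a route can use to name its target; "local" is intra-VPC routing.
_TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId",
                "VpcPeeringConnectionId", "TransitGatewayId",
                "EgressOnlyInternetGatewayId", "CarrierGatewayId", "LocalGatewayId")


def sg_findings(group: dict) -> list[str]:
    """Security groups are stateful, so any egress rule lets user code initiate traffic."""
    out = []
    for rule in group.get("IpPermissionsEgress", []):
        targets = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        targets += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        targets += [p["PrefixListId"] for p in rule.get("PrefixListIds", [])]
        targets += [g["GroupId"] for g in rule.get("UserIdGroupPairs", [])]
        out.append(f"{group['GroupId']}: egress rule proto={rule.get('IpProtocol')} to {targets}")
    return out


def route_table_for_subnet(route_tables: list[dict], subnet_id: str) -> dict | None:
    """Explicit association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def route_findings(rt: dict) -> list[str]:
    """Any non-local route (NAT, IGW, peering, TGW, ...) is a path out of the subnet."""
    out = []
    for route in rt.get("Routes", []):
        dest = (route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                or route.get("DestinationPrefixListId"))
        target = next((route[k] for k in _TARGET_KEYS if k in route), None)
        if target != "local":
            out.append(f"{rt['RouteTableId']}: route {dest} -> {target} leaves the subnet")
    return out


def nacl_findings(acl: dict) -> list[str]:
    """NACLs are stateless; an egress allow ahead of the final deny is a hole."""
    egress = sorted((e for e in acl.get("Entries", []) if e.get("Egress")), key=lambda e: e["RuleNumber"])
    return [f"{acl['NetworkAclId']}: egress rule {e['RuleNumber']} allows proto={e['Protocol']} "
            f"to {e.get('CidrBlock') or e.get('Ipv6CidrBlock')}"
            for e in egress if e["RuleAction"] == "allow"]


def audit(subnet_id: str, sg_ids: list[str], security_groups: list[dict],
          route_tables: list[dict], network_acls: list[dict]) -> list[str]:
    """Return a list of findings; an empty list means the placement is isolated."""
    findings = []
    by_id = {g["GroupId"]: g for g in security_groups}
    for sg_id in sg_ids:
        findings += sg_findings(by_id[sg_id]) if sg_id in by_id else [f"{sg_id}: not found"]
    rt = route_table_for_subnet(route_tables, subnet_id)
    findings += route_findings(rt) if rt else [f"{subnet_id}: no route table found"]
    acl = next((a for a in network_acls
                if any(x.get("SubnetId") == subnet_id for x in a.get("Associations", []))), None)
    findings += nacl_findings(acl) if acl else [f"{subnet_id}: no network ACL association"]
    return findings


if __name__ == "__main__":
    for subnet, sgs in (("subnet-0isolated", ["sg-0noegress"]), ("subnet-0leaky", ["sg-0default"])):
        print(subnet, audit(subnet, sgs, SECURITY_GROUPS, ROUTE_TABLES, NETWORK_ACLS) or ["isolated"])
```

Attach the function with `aws lambda update-function-configuration --vpc-config SubnetIds=...,SecurityGroupIds=...` and run the audit against the live IDs. A fully closed subnet does not stop the function from returning its result or writing logs: the invoke response and CloudWatch Logs traffic go through the Lambda service, not through the ENI in your VPC, so the only thing user code loses is the ability to open connections of its own.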


I'd start by saying this is very risky and allowing people to run their own code in your infrastructure can be very dangerous. However, that said, here are a few things:

Limiting Code Execution Time

This is already built in to Lambda. Functions have an execution limit on time which you can configure easily through IaC, the AWS Console or the CLI.

Restricting Internet Access

By default Lambda functions can be thought of as existing outside the constraints of a VPC for most applications. They therefore have internet access. I guess you could put your Lambda function inside a private subnet in a VPC and then configure the networking to not allow connections out except to locations you want.

Restricting Access to Other Services

Assuming that you are referring to AWS services here, Lambda functions are bound by IAM roles in relation to other AWS services they can access. As long as you don't give the Lambda function access to something in its IAM role, it won't be able to access those services unless a potentially malicious user provides credentials via some other means, such as putting them in plain text in code which could be picked up by an AWS SDK implementation.

If you are referring to other internal services such as EC2 instances or ECS services then you can restrict access using the correct network configuration and putting your function in a VPC.

Do you see any other possible attack vector?

It's hard to say for sure. I'd really advise against this completely without taking some professional (and likely paid and insured) advice. There are new attack vectors that can open up or be discovered daily and therefore any advice now may completely change tomorrow if a new vulnerability is discovered.

I think your best bets are:

  • Restrict the function timeout to be as low as physically possible (allowing for cold starts).
  • Minimise the IAM policy for the function as far as humanly possible. Be careful with logging because I assume you'll want some logs but not allow someone to run GBs of data into your CloudWatch logs.
  • Restrict the language used so you are using one language that you're very confident in and that you can audit easily.
  • Run the Lambda in a private subnet in a VPC. You'll likely want a separate routing table and you will need to audit your security groups and network ACLs closely.
  • Add alerts and VPC logs so you can be sure that a) if something does happen that shouldn't then it's logged and traceable and b) you are able to automatically get alerted on the problem and rectify it as soon as possible.
  • Consider who will be reviewing the code. Are they experienced and trained to spot attack vectors?
  • Seek paid, professional advice so you don't end up with security problems or very large bills from AWS.
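The function-level points in this answer (short timeout, minimal IAM policy, bounded logging, VPC placement) are worth turning into a check that runs before each deploy, because the Lambda runtime hands the execution role's temporary credentials to whatever code runs in it via the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN` environment variables, so the role's policy is the only thing standing between the submitted strategy and your account. The script below is an added example and not code from the answer. It audits a constructed `aws lambda get-function-configuration` document and the role's inline policy; the region, account ID, function name and the "good"/"bad" samples are made up, and the allowed-action sets encode two assumptions: the log group is created ahead of time (so `logs:CreateLogGroup` is not needed and a retention period can be set on it), and `Resource: "*"` is tolerated only for the ENI actions a VPC-attached function requires, which AWS's own `AWSLambdaVPCAccessExecutionRole` grants that way.

```python
"""Pre-deploy checks for a Lambda that executes untrusted code (added example)."""
from __future__ import annotations

REGION, ACCOUNT, FUNCTION = "eu-west-1", "123456789012", "strategy-runner"   # made up
LOG_GROUP_ARN = f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNCTION}:*"

# Assumption: the log group is pre-created, so only these two log actions are needed.
LOG_ACTIONS = {"logs:CreateLogStream", "logs:PutLogEvents"}
# ENI management a VPC-attached function needs; the managed VPC execution
# policy grants these on "*", so "*" is accepted for them and nothing else.
ENI_ACTIONS = {"ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
               "ec2:DeleteNetworkInterface"}
SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD")

# --- constructed samples -------------------------------------------------------
GOOD_CONFIG = {
    "FunctionName": FUNCTION, "Timeout": 5, "MemorySize": 256,
    "VpcConfig": {"SubnetIds": ["subnet-0isolated"], "SecurityGroupIds": ["sg-0noegress"]},
    "Environment": {"Variables": {}},
}
BAD_CONFIG = {
    "FunctionName": FUNCTION, "Timeout": 900, "MemorySize": 3008,
    "VpcConfig": {"SubnetIds": [], "SecurityGroupIds": []},          # default networking
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "ADMIN_API_TOKEN": "t0k3n"}},
}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(LOG_ACTIONS), "Resource": LOG_GROUP_ARN},
    {"Effect": "Allow", "Action": sorted(ENI_ACTIONS), "Resource": "*"},
]}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "dynamodb:*"], "Resource": "*"},
]}


def _as_list(value) -> list:
    """IAM allows a bare string where a list is expected."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy: dict) -> list[str]:
    """Flag wildcards, unscoped logging, and any action the runner has no need for."""
    out = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        for action in actions:
            if "*" in action:
                out.append(f"statement {i}: wildcard action {action!r}")
            elif action in LOG_ACTIONS:
                if any(r != LOG_GROUP_ARN for r in resources):
                    out.append(f"statement {i}: {action} not scoped to {LOG_GROUP_ARN}")
            elif action not in ENI_ACTIONS:
                out.append(f"statement {i}: action {action!r} is not needed by the runner")
        if "*" in resources and not set(actions) <= ENI_ACTIONS:
            out.append(f"statement {i}: Resource '*' granted for {actions}")
    return out


def config_findings(cfg: dict, max_timeout: int = 10) -> list[str]:
    """Timeout budget, VPC attachment, and operator-set secrets user code could read."""
    out = []
    if cfg.get("Timeout", 3) > max_timeout:
        out.append(f"Timeout {cfg['Timeout']}s exceeds the {max_timeout}s budget")
    vpc = cfg.get("VpcConfig") or {}
    if not vpc.get("SubnetIds") or not vpc.get("SecurityGroupIds"):
        out.append("function is not attached to a VPC; default Lambda networking has internet access")
    for name in (cfg.get("Environment") or {}).get("Variables", {}):
        if any(hint in name.upper() for hint in SECRET_HINTS):
            out.append(f"environment variable {name!r} looks like a credential readable by user code")
    return out


def audit(cfg: dict, policy: dict) -> list[str]:
    return config_findings(cfg) + policy_findings(policy)


if __name__ == "__main__":
    print("good:", audit(GOOD_CONFIG, GOOD_POLICY) or ["no findings"])
    print("bad:", *audit(BAD_CONFIG, BAD_POLICY), sep="\n  ")
```

Two things the configuration document cannot tell you are still worth bounding: set a retention period on the pre-created log group (`aws logs put-retention-policy`) so a strategy that logs in a loop cannot accumulate indefinitely, and cap parallel runs with `aws lambda put-function-concurrency --reserved-concurrent-executions N`, which limits how much compute a submitted strategy can consume even within the timeout.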
