
How secure is using the /tmp directory in an AWS lambda?

I've been looking at implementing the aws_encryption_sdk in a Lambda to deal with encrypted files that are uploaded into an S3 bucket.

I have been able to get it to work by downloading the file into the /tmp directory (giving the file a unique name), decrypting the file in the same directory and then uploading the decrypted file back into S3. I am also deleting the files in the system after the operation has completed, but before exiting the Lambda.

While using the file system is a common use case, I have concerns around the use of the /tmp directory and its security.

Can anyone advise whether I should be concerned? How exclusive is the file system when you fire up Lambdas?

Thanks

Ash asked May 07 '20 00:05


1 Answer

It is somewhat safe to use /tmp in Lambda, meaning that your /tmp folder will not be shared with other AWS clients. At the same time:

  1. There is no evidence that any disk space allocated for /tmp is actually wiped. Since AWS Lambda doesn't provide low-level block access to the underlying disk, it's safe enough, but not military-grade. RAM memory is wiped:

Lambda scrubs the memory before assigning it to an execution environment, which effectively guards against memory sharing between functions that belong to the same account and different customer accounts.

So for high-security applications, you might consider keeping your decrypted content in memory.

  2. Keep in mind that /tmp is not recreated/cleared on each Lambda invocation. Quite the opposite: if your Lambda runs several times in a short period of time, the invocations will run in the same context and /tmp content will be preserved. That's a feature, not a bug.

After a Lambda function is executed, AWS Lambda maintains the execution context for some time in anticipation of another Lambda function invocation.

Each execution context provides 512 MB of additional disk space in the /tmp directory. The directory content remains when the execution context is frozen, providing transient cache that can be used for multiple invocations. You can add extra code to check if the cache has the data that you stored.

If you really care about the security aspect of Lambda, I suggest you read the Security Overview of AWS Lambda: An In-Depth Look at Lambda Security whitepaper.

Sergey Kovalev answered Oct 12 '22 11:10
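The answer's suggestion to keep decrypted content in memory, sketched as an added example that is not part of the original question or answer: the object is read from S3, decrypted and re-uploaded as bytes, so no plaintext is written to /tmp where a later invocation in the same execution context could find it. The `KMS_KEY_ARN` variable, the `decrypted/` prefix and the `MAX_BYTES` cap are hypothetical; the SDK calls assume aws_encryption_sdk's master-key-provider interface.

```python
"""Added example: decrypt an S3 object in Lambda without writing to /tmp."""
import os
from urllib.parse import unquote_plus

MAX_BYTES = 64 * 1024 * 1024  # assumed cap; must fit in the function's memory


def decrypt_in_memory(s3, decrypt, bucket, key, dest_key, max_bytes=MAX_BYTES):
    """Fetch, decrypt and re-upload an object; plaintext only ever lives in RAM.

    s3      -- client exposing boto3's head_object / get_object / put_object
    decrypt -- callable mapping ciphertext bytes to plaintext bytes
    """
    size = s3.head_object(Bucket=bucket, Key=key)["ContentLength"]
    if size > max_bytes:
        # Refuse instead of silently falling back to a file in /tmp.
        raise ValueError(f"{key}: {size} bytes exceeds in-memory cap {max_bytes}")
    ciphertext = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
    plaintext = decrypt(ciphertext)
    s3.put_object(Bucket=bucket, Key=dest_key, Body=plaintext)
    return len(plaintext)


def handler(event, context):
    """Lambda entry point for an S3 ObjectCreated notification."""
    # Imported here so the helper above can be exercised without AWS libraries.
    import boto3
    import aws_encryption_sdk
    from aws_encryption_sdk import CommitmentPolicy

    sdk = aws_encryption_sdk.EncryptionSDKClient(
        commitment_policy=CommitmentPolicy.REQUIRE_ENCRYPT_REQUIRE_DECRYPT)
    provider = aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(
        key_ids=[os.environ["KMS_KEY_ARN"]])  # hypothetical variable name

    def decrypt(ciphertext):
        plaintext, _header = sdk.decrypt(source=ciphertext, key_provider=provider)
        return plaintext

    s3 = boto3.client("s3")
    total = 0
    for record in event["Records"]:
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        # "decrypted/" is a hypothetical destination prefix
        total += decrypt_in_memory(s3, decrypt, bucket, key, "decrypted/" + key)
    return {"decrypted_bytes": total}
```

If the decrypted object goes back into the same bucket, scope the S3 trigger so the destination prefix does not invoke the function again.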