Cloud & Container Security · beginner · ~9 min

Cloud logging and serverless security

Explain cloud audit logging and the serverless security model.

Overview

Cloud audit logs (CloudTrail/Activity/Audit Logs) record every control-plane API call — the authoritative trail defenders use; disabled/uncentralized logging is a finding. Serverless removes host management but makes per-function IAM roles and untrusted event inputs the security focus.

Why it matters

Logging is the cloud's detection backbone, and attackers disable it early; over-privileged serverless function roles and untrusted event inputs are common modern findings. Both shape what you assess and recommend.

Core concepts

  • Control-plane logs: CloudTrail / Activity Log / Audit Logs record who did what.
  • Log findings: logging disabled, not centralized, or tamperable; alert on sensitive actions.
  • Serverless: per-function IAM roles (least privilege), untrusted event inputs (injection), secrets and dependencies.
  • Protect logging: centralize, alert, restrict deletion.

Lesson

Two cloud-specific topics that round out the picture: visibility and the serverless model.

Cloud logging

Cloud platforms log control-plane activity — every API call (who did what, when) via services like CloudTrail (AWS), Azure Activity Log, GCP Audit Logs. This is the cloud's authoritative audit trail.

  • Defenders detect attacks (unusual API calls, new IAM grants, disabled logging) and build timelines.
  • Findings: logging disabled or not centralized, no alerting on sensitive actions, logs writable/deletable by the same accounts being audited. Attackers try to disable CloudTrail early — itself a logged, high-signal event.
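The detection side of this, as an added example that is not part of the original lesson: a small scanner run over constructed CloudTrail-style records. The field names (eventName, eventSource, userIdentity, errorCode, additionalEventData.MFAUsed) follow CloudTrail's real schema, but every value is made up, and the watchlists of event names are a review heuristic assumed here, not an official list. Note that a StopLogging call that was denied is still flagged: the attempt itself is the high-signal event the lesson describes.

```python
"""Flag high-signal control-plane events in CloudTrail-style records.

Added example for the lesson; not an AWS tool. Records below are constructed.
"""

# Constructed watchlists (not an official AWS list): events that blind the trail,
# and events that hand out new IAM permissions.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_GRANTS = {"AttachRolePolicy", "AttachUserPolicy", "PutRolePolicy",
              "PutUserPolicy", "CreateAccessKey", "CreateUser"}

# Constructed sample records (invented account id, names and times).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"roleName": "order-processor",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def classify(record):
    """Return (severity, reason) for a record worth alerting on, or None."""
    name = record.get("eventName", "")
    denied = record.get("errorCode") == "AccessDenied"
    if name in LOGGING_TAMPER:
        # A denied attempt still means someone tried to switch off the trail.
        suffix = " attempted (denied)" if denied else ""
        return ("critical", "logging tampering" + suffix)
    if name in IAM_GRANTS and not denied:
        return ("high", "IAM privilege grant")
    if name == "ConsoleLogin" and \
            record.get("additionalEventData", {}).get("MFAUsed") == "No":
        return ("medium", "console login without MFA")
    return None


def scan(records):
    """Run classify over every record; return findings in event order."""
    findings = []
    for rec in records:
        verdict = classify(rec)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "time": rec.get("eventTime"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "event": rec.get("eventName"),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['time']} {f['severity']:8} {f['event']:16} {f['actor']}  ({f['reason']})")
```

In a real deployment the same logic would sit behind an event bus or SIEM rule fed from a centralized, write-once log bucket that the audited accounts cannot delete from; the point of the example is which events deserve an alert, not the plumbing.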

Serverless (functions)

Serverless (Lambda, Cloud Functions) runs your code without managing servers. The security model shifts:

  • No host to patch, but each function has an IAM role — over-privileged function roles are a top issue.
  • Event-driven inputs (HTTP, queue, storage events) are untrusted — injection still applies.
  • Secrets in environment variables, dependencies (supply chain), and long timeouts/large permissions expand blast radius.
  • Defense: least-privilege per-function roles, input validation, secrets managers, minimal dependencies.
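The "over-privileged function role" finding made concrete, as an added example that is not part of the original lesson: a static review of a function's IAM policy document. Both policies are constructed (the account id, table, secret and log-group names are invented), and the checks (wildcard actions, service-wide wildcards, resource `*`, and IAM actions that let the function widen its own access) are the usual review heuristics assumed here, not an official ruleset. The second policy shows what "least privilege per function" looks like for a hypothetical order-processing function.

```python
"""Static least-privilege check for a serverless function's IAM role policy.

Added example for the lesson; not an AWS tool. Policies below are constructed.
"""

# Constructed watchlist: actions that let a principal grant itself more access.
PRIVILEGE_GRANTING_ACTIONS = {
    "iam:*", "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey",
}

# Constructed: a role policy of the kind found on functions deployed in a hurry.
OVER_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed: the same hypothetical order-processing function scoped to what it uses.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/orders"},
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders/db-*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/order-processor:*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return a list of (statement_index, finding) tuples; empty means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "wildcard Action '*' grants every API"))
            elif action in PRIVILEGE_GRANTING_ACTIONS:
                findings.append((i, f"{action} lets the function widen its own access"))
            elif action.endswith(":*"):
                findings.append((i, f"service-wide wildcard {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource '*' is not scoped to the function's own data"))
    return findings


if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED),
                         ("least-privilege", LEAST_PRIVILEGE)):
        issues = review_policy(policy)
        print(f"{name}: {len(issues)} finding(s)")
        for idx, text in issues:
            print(f"  statement[{idx}]: {text}")
```

Resource-level scoping matters as much as the action list: a function that can read every secret in the account has the same blast radius as one that can read the one it needs only until the first injection bug in its event handler.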

Takeaway

Cloud logging is the detection backbone (protect and centralize it); serverless removes host management but makes IAM and input handling even more central.

Summary

Cloud audit logging is the detection backbone — centralize and protect it — while serverless shifts the focus from hosts to least-privilege function roles and validating untrusted event inputs.
