Serverless functions are deployed with excessive IAM permissions, overly long timeouts, oversized memory allocations, or insufficient input validation. Each of these widens what an attacker can do with a single compromised or abused invocation.
An attacker who can trigger or compromise a misconfigured function could reach resources the function was never meant to touch, exfiltrate data, run up compute costs (long timeouts and large memory allocations make every abused invocation more expensive), or use the function's role as a foothold for lateral movement.
Give each function its own least-privilege IAM role scoped to the specific actions and resources it needs, with no wildcard actions or resources. Set timeout and memory to the smallest values the workload requires, so a runaway or abused invocation is bounded in both duration and cost. Validate and sanitize every input (event payloads, headers, query parameters) against an allowlist before using it. Monitor and alert on abnormal behaviour such as invocation spikes, unusual error rates, or access to resources the function does not normally use. Store secrets in a secrets manager or vault and fetch them at runtime; environment variables are readable by anyone who can view the function's configuration.
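The following audit script, added here as an example and not taken from the original page, checks a function's configuration and attached IAM policy document for the misconfigurations listed above: wildcard actions or resources in Allow statements, a timeout or memory size above a threshold, and environment variables whose names suggest an inline secret. The dictionary shapes mimic AWS Lambda's function configuration and an IAM policy document, but both sample functions (an over-privileged "before" and a hardened "after") are constructed inline; nothing is fetched from a cloud account, and the thresholds are assumptions to tune per workload.

```python
import re

# Thresholds are assumptions for this example; tune them to the workload.
MAX_TIMEOUT_SECONDS = 60
MAX_MEMORY_MB = 1024
# Environment variable names that usually mean a secret was pasted in directly.
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)


def _as_list(value):
    """IAM allows a bare string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements that grant wildcard actions or resources."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions; never a least-privilege problem
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions: effectively a wildcard.
            findings.append(f"statement {idx}: Allow with NotAction grants all but the listed actions")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in resources and actions:
            findings.append(f"statement {idx}: resource '*' for actions {actions}")
    return findings


def _inline_secret(name, value):
    """A secret-looking name is fine when the value is only a reference to a vault entry (an ARN)."""
    return bool(SECRET_NAME_RE.search(name)) and not str(value).startswith("arn:")


def audit_function(config, policy):
    """Combine policy findings with timeout, memory and environment checks."""
    findings = audit_policy(policy)
    timeout = config.get("Timeout", 0)
    if timeout > MAX_TIMEOUT_SECONDS:
        findings.append(f"timeout {timeout}s exceeds {MAX_TIMEOUT_SECONDS}s")
    memory = config.get("MemorySize", 0)
    if memory > MAX_MEMORY_MB:
        findings.append(f"memory {memory}MB exceeds {MAX_MEMORY_MB}MB")
    env = config.get("Environment", {}).get("Variables", {})
    for name, value in env.items():
        if _inline_secret(name, value):
            findings.append(f"environment variable {name!r} looks like an inline secret; move it to a vault")
    return findings


# Constructed sample data: the "before" function with every misconfiguration at once.
OVERPRIVILEGED_CONFIG = {
    "FunctionName": "order-export",
    "Timeout": 900,
    "MemorySize": 10240,
    "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"}},
}
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}],
}

# Constructed sample data: the same function after hardening. Account ID and ARNs are placeholders.
HARDENED_CONFIG = {
    "FunctionName": "order-export",
    "Timeout": 30,
    "MemorySize": 512,
    "Environment": {
        "Variables": {
            # A reference to the vault entry, not the secret itself; fetched at runtime.
            "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-db",
            "LOG_LEVEL": "info",
        }
    },
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::order-exports/*"},
        {"Effect": "Allow", "Action": ["dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:orders-db-*"},
    ],
}

if __name__ == "__main__":
    for label, cfg, pol in (("before", OVERPRIVILEGED_CONFIG, OVERPRIVILEGED_POLICY),
                            ("after", HARDENED_CONFIG, HARDENED_POLICY)):
        print(f"[{label}] {cfg['FunctionName']}: {len(audit_function(cfg, pol))} finding(s)")
        for f in audit_function(cfg, pol):
            print("  -", f)
```

The resource check deliberately flags only a bare "*": a scoped prefix such as `secret:orders-db-*` is the normal way to name a rotated secret and is not a least-privilege violation. Likewise, an environment variable that holds only the vault reference (an ARN) passes, because that is exactly the pattern the mitigation recommends.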