Amazon EC2 VS AWS Lambda Security: What’s more secure?
I often get asked if EC2 is more secure than Lambda, and the answer is that one is much easier to secure than the other, although they do share some qualities.
First you need to understand the differences between EC2 and Lambda from an infrastructure perspective.
Amazon EC2 provides servers, called instances, as a service and you pay per minute or hour. As a customer of AWS you are responsible for configuring the instances, patching operating systems and applications, scanning for vulnerabilities, opening network access, and general upkeep.
AWS Lambda allows you to run your code without servers, or what is called serverless. Instead of running an operating system like an instance, you give Lambda your code and it runs it as a function. The function can be triggered by your API, and many other AWS services. AWS takes care of the operating system for you!
Patching is critical to running an instance securely: the operating system needs patching, and so does the software you run on it. For example, if you run Amazon Linux on EC2 as your operating system and Apache HTTP Server as your web server, you will need to maintain patches for both the operating system and the web server application. At some stage the operating system will require an upgrade, or your instance might even require a full rebuild to get it to the latest version. With your instances you can use AWS Systems Manager Patch Manager to automate patching tasks.
With Lambda, AWS looks after the operating system for you, so there is no patching or upgrading needed on your side. You do need to ensure that any packages you use are patched and tested. Returning to the EC2 web server example: since Lambda is based on functions and triggers, you can't run Apache or any other web server using Lambda alone. You can use other AWS services to serve your web site, like CloudFront serving content from S3 - exactly how this web site works! Lambda can then provide the compute for your web site, such as image processing, and even an HTTP/HTTPS API using API Gateway. I remember when API Gateway was launched; it was a lightbulb moment that it could be used to integrate Lambda functions with pretty much anything!
I like to whiteboard an architecture for pretty much every idea, like this web site, with the AWS Well-Architected best practices in mind, along with the goals, like the security and availability targets, and even the budget. Break down the components and how they interact, and think about how they can be achieved with managed services like Lambda rather than running your own, like EC2 instances. Managed cloud services mean your cloud provider takes care of the hard work for you and saves you time. You need to keep in mind the different cloud services that are available and their pros and cons; this comes with experience.
DDoS (Distributed Denial of Service) attacks are unfortunately common on the internet. An EC2 instance exposed directly to the internet should be protected with a load balancer, and with CloudFront and a web application firewall in front of it. Lambda, on the other hand, does not accept incoming internet connections, since you set how it's triggered - much less work to secure it from internet threats!
My go-to thinking pattern: if content needs to be served, then S3 + CloudFront is the go-to - it's incredibly secure, feature rich, serverless, and cost efficient. If I want to run an API, then API Gateway + Lambda is also feature rich, serverless, and cost efficient. Can the task be broken down into a function and triggered in some way, either by something else happening or on a schedule? Keep in mind the limits and quotas; Lambda has quotas such as 1,000 concurrent executions and an execution timeout of 15 minutes. The key point is to tie it back to your requirements, then research and experiment - you don't know whether it will work until you try it out!
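As an added example (not code from the original post), here is a Lambda handler shaped around the two constraints above: it validates the event it was triggered with, works through a batch until the execution timeout is close, and hands back a cursor so the caller can resume in a fresh invocation instead of being cut off at 15 minutes. The `process_item` work, the 30-second safety margin and the `FakeContext` used to run it offline are assumptions; the real runtime supplies `context.get_remaining_time_in_millis()`.

```python
import time

# Safety margin (assumption): stop taking new work when less than 30 s of the
# function's timeout remains, so a batch is never killed mid-item.
TIME_BUDGET_MS = 30_000


def process_item(item):
    """Constructed stand-in for the real per-item work, e.g. resizing one image."""
    return item * 2


def handler(event, context):
    """Lambda entry point. event = {"items": [int, ...], "cursor": int}.

    Validates the input, processes items until the time budget is nearly
    exhausted, and returns a cursor so the caller can resume with another
    invocation rather than hitting the 15-minute timeout.
    """
    items = event.get("items")
    cursor = event.get("cursor", 0)
    if not isinstance(items, list) or not all(isinstance(i, int) for i in items):
        return {"statusCode": 400, "error": "items must be a list of integers"}
    if not isinstance(cursor, int) or cursor < 0 or cursor > len(items):
        return {"statusCode": 400, "error": "cursor out of range"}
    results = []
    while cursor < len(items):
        if context.get_remaining_time_in_millis() < TIME_BUDGET_MS:
            # Out of budget: hand back progress rather than be terminated mid-work.
            return {"statusCode": 202, "done": False, "cursor": cursor, "results": results}
        results.append(process_item(items[cursor]))
        cursor += 1
    return {"statusCode": 200, "done": True, "cursor": cursor, "results": results}


class FakeContext:
    """Constructed stand-in for the Lambda context object so the handler runs
    offline. The real runtime supplies get_remaining_time_in_millis() itself."""

    def __init__(self, remaining_ms):
        self._deadline = time.monotonic() + remaining_ms / 1000.0

    def get_remaining_time_in_millis(self):
        return max(0, int((self._deadline - time.monotonic()) * 1000))


if __name__ == "__main__":
    # First call is already inside the safety margin; second call resumes from the cursor.
    first = handler({"items": [1, 2, 3]}, FakeContext(remaining_ms=10_000))
    second = handler({"items": [1, 2, 3], "cursor": first["cursor"]}, FakeContext(900_000))
    print(first, second)
```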
EC2 and Lambda are completely different; the only thing they share is that they can run your code. As Lambda manages the operating system for you, it's a lot easier for you to secure. If it's easy to secure, then you could easily argue that it's more secure. The second you launch an EC2 instance it needs patching, and most likely other updates and care. Lambda, on the other hand, runs your code, so you must ensure that its libraries are updated and that your code runs without issues. My advice is to investigate the managed cloud services that are available to you and experiment - Lambda may be for you!