Hacking and Securing Serverless Cloud Applications on AWS, Azure, and Google Cloud
Joshua Arvin Lat

Serverless computing now serves as a strategic backbone of modern cloud architectures, helping teams move faster and operate at scale. However, many still struggle to understand the security model of serverless computing. As more organizations migrate critical systems and sensitive data to the cloud using serverless architectures, this gap in serverless security knowledge increasingly exposes them to serious security incidents and data breaches.
This practical guide covers offensive and defensive security techniques to audit and secure serverless applications running on AWS, Azure, and Google Cloud. You’ll explore how to attack and defend vulnerable serverless applications using step-by-step instructions. By the end of this book, you’ll understand how to prevent various serverless application attacks and privilege escalation techniques.
• Identify and address vulnerabilities within modern serverless applications
• Dive deeper into serverless security risks and threats
• Explore privilege escalation techniques in vulnerable-by-design serverless lab environments
• Configure authentication and identity services properly on AWS, Azure, and Google Cloud
• Implement security strategies and best practices to prevent serverless application attacks
• Audit serverless function code using security tools and strategies
Table of Contents
Chapter 1. Introduction to Serverless Computing
Chapter 2. Understanding Serverless Architectures and Implementation Patterns
Chapter 3. Diving Deeper into Serverless Security Threats and Risks
Chapter 4. Exploiting and Securing Exposed AWS IAM Credentials
Chapter 5. Exploiting and Securing Misconfigured AWS IAM Roles
Chapter 6. Hacking Publicly Accessible AWS Lambda Functions
Chapter 7. Running and Securing Serverless Functions in a VPC
Chapter 8. Hacking and Securing Google Cloud Storage Buckets
Chapter 9. Abusing Google Cloud Storage Event Triggers with Malicious File Uploads
Chapter 10. Setting Up Backdoors and Escalating Privileges in Google Cloud
Chapter 11. Hacking and Securing Azure Functions
Chapter 12. Escalating Privileges in Microsoft Azure
Chapter 13. Analyzing, Auditing, and Securing Serverless Application Code
Praise for Learning Serverless Security
An exceptional gateway for aspiring serverless security practitioners. From high-level introductions to hands-on labs and deep dives, this book accelerates learning for non-IT beginners and advanced practitioners alike—making the following accessible to all: complex cybersecurity concepts, mitigations, and quite frankly, even hacking techniques!
—Jasper Riane D. Mendoza, senior solutions architect, Worldwide Public Sector, Amazon Web Services
This book is a must-have for DevSecOps professionals, application security engineers, and AppSec pentesters. Joshua addresses the current threats and vulnerabilities in serverless applications before delving deeper into exploiting them with practical attacks, such as privilege escalation and creating backdoors. He really knows how attackers think and how to secure your assets.
—Jay Turla, principal security researcher (automotive)
This book provides a deep, practical walkthrough of serverless security, from identity access misconfigurations and exposed functions to patterns and event-driven attacks. It’s an invaluable resource for engineers securing real-world workloads across major cloud platforms.
—Rafi Quisumbing, award-winning AWS Hero, Fractional CTO, and cloud advisor
As someone who has worked in academia, government, and industry, I consider this book a rare link between theory and practice and value the clarity it provides in demystifying serverless risks. Complex threats become understandable through practical insights.
—Mars Cacacho, cybersecurity senior manager, founder, Hackthenorth.ph
A great primer on serverless security. This book teaches you that protecting serverless apps is more than protecting your functions, cloud storage resources, and access keys. It shows you different ways attackers can compromise your cloud applications running on AWS, Google Cloud, and Azure.
—Raphael Jambalos, head of application modernization and security, eCloudValley Philippines
This book doesn’t just explain serverless security—it demonstrates it hands-on. By walking the reader through realistic attack paths and concrete mitigations, Learning Serverless Security equips engineers to think like both builders and attackers.
—Adelen Festin, software engineer
As AI coding tools accelerate serverless development, security becomes the critical differentiator. This book equips vibe coders, developers, security engineers, and architects with essential multi-cloud expertise to defend applications in the age of AI-assisted development.
—Jason Torres, founder, BetterGov.ph
Joshua provides essential hands-on training in serverless security across all major cloud platforms. The vulnerable-by-design labs brilliantly demonstrate both attack and defense techniques. This practical approach transforms security theory into actionable skills, a must-read for cloud architects and security professionals.
—Diwa “Wawi” del Mundo, founder of Apper Digital, Inc. (AWS Advanced Tier Services Partner, Google Cloud Partner)
A well-structured and timely guide to serverless security. The risk assessments and controls are practical, relevant, and easy to apply. This is a book that both experienced cybersecurity professionals and newcomers will benefit from.
—Felix Marasigan, security operations center - head, G-Xchange Inc. (GCash)
Finally, an excellent hands-on guide that tackles various security challenges of serverless applications across AWS, Azure, and Google Cloud! With tons of real-world examples, including steps to secure your AI-powered serverless apps, it is especially relevant in today’s AI-driven industry.
—Jon Bonso, CEO, Tutorials Dojo
Having worked with serverless technologies on AWS for five years, I was impressed that this book summarizes everything you need to know about serverless: architectural patterns, access controls, best practices, and even hacking.
—Seaver Choy, engineering director, First Mate Technologies
This book is a refreshing take on serverless security. It goes beyond the usual “secure your functions” narrative and instead examines the full picture of how identity, storage, networking, CI/CD, and application code come together in real serverless systems. It connects the dots across services and software layers, showing that security isn’t something you bolt into serverless functions, but something you design across the entire architecture. It’s practical, insightful, and grounded in how serverless actually works in production, not just how it’s marketed.
—Michael Angelo C. Rayco, global cloud solutions architect, International Rice Research Institute
About the Author
Joshua Arvin Lat is the CTO of NuWorks Interactive Labs, an AWS AI Hero, and author of several books on machine learning and cloud security. A global cybersecurity competition winner with senior leadership experience across multiple organizations, he’s internationally recognized for driving impact across AI, engineering, and security.









