| Risk | Read |
|---|---|
| SL1 Injection (Serverless) | references/sl01-injection.md |
| SL2 Broken Authentication (Serverless) | references/sl02-broken-auth.md |
| SL3 Sensitive Data Exposure (Serverless) | references/sl03-sensitive-data-exposure.md |
| SL4 XML External Entities (Serverless) | references/sl04-xxe.md |
| SL5 Broken Access Control (Serverless) | references/sl05-broken-access-control.md |
| SL6 Security Misconfiguration (Serverless) | references/sl06-misconfiguration.md |
| SL7 XSS (Serverless) | references/sl07-xss.md |
| SL8 Insecure Deserialization (Serverless) | references/sl08-insecure-deserialization.md |
| SL9 Using Components with Known Vulnerabilities (Serverless) | references/sl09-vulnerable-components.md |
| SL10 Insufficient Logging and Monitoring (Serverless) | references/sl10-logging-monitoring.md |
| Task | Approach |
|---|---|
| Prevent event injection | Validate/sanitize all event data (API Gateway, S3, SNS). See SL1. |
| Least privilege IAM | Scope function roles to exact resources needed. See SL5. |
| Manage secrets | Use Secrets Manager/Parameter Store, not env vars. See SL3. |
| Secure dependencies | Pin versions, scan for vulnerabilities. See SL9. |
| Enable logging | CloudWatch/X-Ray for all functions. See SL10. |
```python
import json

def handler(event, context):
    # API Gateway may send "body": null, so fall back to an empty object before parsing.
    body = json.loads(event.get("body") or "{}")
    user_id = body.get("user_id", "") if isinstance(body, dict) else ""
    # Allowlist the value: a string, alphanumeric only, and bounded in length.
    if not isinstance(user_id, str) or not user_id.isalnum() or len(user_id) > 36:
        return {"statusCode": 400, "body": "Invalid user_id"}
    # Proceed with validated input
```
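The handler above validates only an API Gateway body. The following added example, which is not part of the original page, extends the same allowlist approach to the other triggers the task table names (S3 and SNS records), rejecting anything it does not recognise; the field names, size cap and patterns are assumptions chosen for illustration.

```python
import json
import re

# Allowlist patterns for the fields this function expects (constructed for this example).
USER_ID_RE = re.compile(r"^[A-Za-z0-9]{1,36}$")
S3_KEY_RE = re.compile(r"^[A-Za-z0-9._/-]{1,256}$")

class InvalidEvent(ValueError):
    """Raised when event data fails validation; a handler maps it to HTTP 400."""

def _json_object(text, max_bytes=4096):
    # Bound the size before parsing so an oversized payload cannot burn time or memory.
    if not isinstance(text, str) or len(text) > max_bytes:
        raise InvalidEvent("payload missing or too large")
    try:
        data = json.loads(text)
    except ValueError:
        raise InvalidEvent("payload is not valid JSON")
    if not isinstance(data, dict):
        raise InvalidEvent("payload must be a JSON object")
    return data

def _user_id(obj):
    user_id = obj.get("user_id")
    if not isinstance(user_id, str) or not USER_ID_RE.match(user_id):
        raise InvalidEvent("invalid user_id")
    return user_id

def validate_event(event):
    """Return validated fields for an API Gateway, S3 or SNS trigger; reject anything else."""
    records = event.get("Records")
    if records is None:  # API Gateway proxy integration: JSON document in event["body"]
        return {"source": "apigateway", "user_id": _user_id(_json_object(event.get("body")))}
    if not isinstance(records, list) or not records:
        raise InvalidEvent("empty Records")
    items = []
    for rec in records:
        source = rec.get("eventSource") or rec.get("EventSource")  # S3 and SNS spell it differently
        if source == "aws:s3":
            key = rec.get("s3", {}).get("object", {}).get("key", "")
            # The key is attacker-influenced data: restrict its charset and reject traversal segments.
            if not S3_KEY_RE.match(key) or ".." in key.split("/"):
                raise InvalidEvent("invalid S3 object key")
            items.append({"source": "s3", "key": key})
        elif source == "aws:sns":
            msg = _json_object(rec.get("Sns", {}).get("Message"))
            items.append({"source": "sns", "user_id": _user_id(msg)})
        else:
            raise InvalidEvent("unsupported event source")
    return {"source": "records", "items": items}
```

A handler wraps `validate_event` in `try`/`except InvalidEvent` and returns a 400 on failure, exactly as the page's own handler does for `user_id`.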
**Unsafe - overly permissive IAM:**