Yes, CIS Benchmarks apply to serverless computing, and several major cloud providers—including AWS and Microsoft—have published CIS Benchmark profiles specifically for AWS Lambda and Azure Functions. These benchmarks define hardened configuration baselines for function permissions, runtime environments, logging, secrets management, and network access controls in serverless architectures. As serverless adoption grows in enterprise environments, applying CIS Benchmarks to these services is becoming a standard requirement under compliance frameworks such as NIST 800-53, PCI DSS, and FedRAMP.
Serverless computing introduces a fundamentally different security model than traditional infrastructure. There is no operating system to patch, no host-based firewall to configure, and often no persistent runtime to scan. Yet the attack surface remains significant: over-privileged execution roles, insecure environment variables, unchecked third-party dependencies, and misconfigured triggers can all lead to compromise. CIS Benchmarks address these risks by providing prescriptive, auditable configuration checks that map directly to CIS Controls v8.
Why CIS Benchmarks Matter for Serverless
Serverless functions are not immutable by default. Their configuration—IAM policies, environment variables, concurrency limits, VPC attachments, logging settings—is mutable and frequently drifts from security baselines during development cycles. Without a formal benchmarking process, organizations risk deploying functions that violate internal security policies and regulatory requirements.
CIS Benchmarks for serverless services provide a standardized set of hardening rules that can be assessed automatically. These benchmarks cover:
- Identity and access management for function execution roles
- Encryption of data at rest and in transit within the function runtime
- Secrets storage and environment variable protection
- Logging, monitoring, and alerting configurations
- Network security group and VPC configurations
- Dependency and runtime version management
For enterprises operating under compliance frameworks like PCI DSS or HIPAA, the ability to demonstrate continuous compliance with a recognized benchmark is often a contractual or regulatory obligation. Using an automated CIS Benchmarking Tool like CyberSilo's enables teams to assess serverless functions against these benchmarks at scale, track remediation, and generate audit-ready reports.
CIS Benchmark for AWS Lambda
The CIS AWS Foundations Benchmark includes a dedicated section for AWS Lambda as part of its broader AWS service coverage. As of the CIS AWS Foundations Benchmark v3.0, Lambda-specific recommendations address the most common misconfiguration vectors in serverless deployments on AWS.
IAM and Permissions
The most critical Lambda hardening category concerns the execution role. Lambda functions inherit the permissions of their associated IAM role, and overly permissive roles are the leading cause of serverless data exposure incidents. The CIS Benchmark recommends:
- Lambda execution roles should follow the principle of least privilege, granting only the specific permissions required for the function's task
- Functions should not use a shared execution role; each function should have a dedicated role scoped to its resource access needs
- Resource-based policies on Lambda functions should restrict invocation to only authorized principals and services
CIS Control v8 Mapping: Lambda IAM controls map directly to CIS Control v8 Safeguard 6.8 (Define and Maintain Role-Based Access Control) and Safeguard 3.3 (Configure Data Access Control Lists). Failure to scope Lambda permissions is one of the most common findings in automated CIS assessments.
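The three IAM recommendations above can be checked mechanically from the policy documents themselves, before any function is deployed. The following Python script is an added example for this article (not code from the page or from CyberSilo's tool): it flags wildcard actions and resources in an execution-role policy, finds roles shared by more than one function, and flags a function policy that lets any principal invoke the function or lets a service principal invoke it without a Condition. The policy documents and function list are constructed samples in the shape that boto3's `list_functions` and `get_policy` return; no AWS call is made.

```python
import json


def _as_list(value):
    """IAM policy grammar allows a string or a list for Action, Resource and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" grants every action; "s3:*" grants every action of one service
    return action == "*" or action.endswith(":*")


def audit_execution_policy(policy_doc):
    """Identity policy attached to a Lambda execution role: flag Allow statements that grant
    wildcard actions, wildcard resources, or use NotAction (everything except the listed actions).
    Returns a list of human-readable findings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction grants every action except those listed")
        wild = [a for a in _as_list(stmt.get("Action")) if _is_wildcard_action(a)]
        if wild:
            findings.append(f"{sid}: wildcard action(s) {wild}")
        if "*" in _as_list(stmt.get("Resource")):
            # Some actions cannot be resource-scoped; the check is deliberately conservative
            # and reports every case so a reviewer can confirm the exception.
            findings.append(f"{sid}: Resource '*'")
    return findings


def find_shared_roles(functions):
    """functions: iterable of dicts with FunctionName and Role (the shape returned by
    boto3 list_functions). Returns {role_arn: [function names]} for roles used by more than one function."""
    by_role = {}
    for fn in functions:
        by_role.setdefault(fn["Role"], []).append(fn["FunctionName"])
    return {role: names for role, names in by_role.items() if len(names) > 1}


def audit_resource_policy(policy_doc):
    """Resource-based policy on the function itself: flag invoke permission granted to any principal,
    or to a service principal with no Condition (e.g. aws:SourceArn) tying the grant to one caller."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("*", "lambda:*", "lambda:InvokeFunction") for a in actions):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal")
        if isinstance(principal, str):
            values = [principal]
        else:
            values = [v for vals in (principal or {}).values() for v in _as_list(vals)]
        if "*" in values:
            findings.append(f"{sid}: invocation allowed for any principal")
        elif isinstance(principal, dict) and "Service" in principal and not stmt.get("Condition"):
            findings.append(f"{sid}: service principal {principal['Service']} allowed without a Condition")
    return findings


# Constructed sample inputs (no real account, roles or functions)
OVERLY_PERMISSIVE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*"},
        {"Sid": "Data", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
OPEN_FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
                   "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders"}],
}
SCOPED_FUNCTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ApiGatewayInvoke", "Effect": "Allow",
                   "Principal": {"Service": "apigateway.amazonaws.com"},
                   "Action": "lambda:InvokeFunction",
                   "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders",
                   "Condition": {"ArnLike": {"aws:SourceArn":
                                 "arn:aws:execute-api:us-east-1:111122223333:a1b2c3d4e5/*/GET/orders"}}}],
}
FUNCTIONS = [
    {"FunctionName": "orders", "Role": "arn:aws:iam::111122223333:role/shared-lambda-role"},
    {"FunctionName": "billing", "Role": "arn:aws:iam::111122223333:role/shared-lambda-role"},
    {"FunctionName": "reports", "Role": "arn:aws:iam::111122223333:role/reports-lambda-role"},
]

if __name__ == "__main__":
    print(json.dumps({
        "execution_policy": audit_execution_policy(OVERLY_PERMISSIVE_ROLE_POLICY),
        "shared_roles": find_shared_roles(FUNCTIONS),
        "open_policy": audit_resource_policy(OPEN_FUNCTION_POLICY),
        "scoped_policy": audit_resource_policy(SCOPED_FUNCTION_POLICY),
    }, indent=2))
```

The `Resource: "*"` check is intentionally noisy: a handful of actions accept no resource ARN, and those statements should be recorded as reviewed exceptions rather than silently skipped by the scanner.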
Environment Variables and Secrets
AWS Lambda supports environment variables that can store configuration data, but these are not encrypted by default in transit or at rest unless explicitly configured. The CIS Benchmark mandates:
- Lambda environment variables must be encrypted using AWS KMS with a customer-managed key
- Sensitive values (API keys, database credentials) should not be stored directly in environment variables; instead, use AWS Secrets Manager or Parameter Store with secure access policies
- Environment variable encryption must be enforced at the function level, not inherited from a default service key
Logging and Monitoring
Visibility into function execution is a core requirement for both security operations and compliance auditing. The CIS Benchmark requires:
- Lambda functions must be configured to send logs to Amazon CloudWatch Logs
- CloudWatch Logs must use a KMS customer-managed key for log group encryption
- Lambda functions must have a minimum reserved concurrency of 1 to prevent throttling during security investigations
- Dead-letter queues (DLQs) should be configured for asynchronous invocations to capture failed events
Network Security
Lambda functions can be configured to access resources within a VPC, but this introduces additional attack surface. The CIS Benchmark addresses this with checks for:
- VPC-based Lambda functions should not have direct internet access unless explicitly required; use a NAT gateway or VPC endpoints for controlled egress
- Security groups attached to Lambda functions should follow least-privilege rules, restricting inbound and outbound traffic to necessary ports and CIDR blocks
- Lambda functions in a VPC should use multiple subnets across different Availability Zones for redundancy
Runtime and Dependencies
Serverless functions execute within managed runtimes that receive regular updates. Failure to update runtime versions introduces known vulnerabilities. The CIS Benchmark requires:
- Lambda functions must use the most recent supported runtime version for their language (Python 3.12+, Node.js 20.x+, etc.)
- Deprecated or end-of-life runtimes must be migrated before they reach end of support
- Third-party dependencies should be scanned for known vulnerabilities as part of the CI/CD pipeline
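The environment-variable, dead-letter-queue, concurrency, VPC and runtime recommendations from the sections above all read off the function's configuration record, so one offline audit can cover them. The script below is an added example written for this article (not the page's or CyberSilo's code). It takes a dict shaped like boto3's `get_function_configuration()` response, with the function's reserved concurrency merged in under an assumed `ReservedConcurrentExecutions` key (from `get_function_concurrency()`) and a subnet-to-Availability-Zone map (from `describe_subnets`), and returns findings plus a simple hardening score. The approved-runtime set is an example baseline to be maintained from the AWS runtime table, the check ids are this script's own labels, and the two function records are constructed samples. Log-group encryption and dependency scanning need other APIs and are not covered here.

```python
import re

# Example approved-runtime baseline (assumption: maintained from the AWS Lambda runtime table;
# the page names Python 3.12+ and Node.js 20.x+ as the current minimums)
APPROVED_RUNTIMES = {"python3.12", "python3.13", "nodejs20.x", "nodejs22.x"}
SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|API_?KEY|TOKEN|PRIVATE_KEY)", re.IGNORECASE)
# Values that merely point at a secret store are references, not secrets
SECRET_REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:")
TOTAL_CHECKS = 7  # runtime, env-encryption, env-secret, dlq, concurrency, vpc-az, vpc-sg


def audit_function(cfg, subnet_az):
    """cfg: dict shaped like boto3 lambda get_function_configuration(), with the value of
    get_function_concurrency() merged in as 'ReservedConcurrentExecutions' (assumed merge step).
    subnet_az: {subnet_id: availability_zone} built from ec2 describe_subnets.
    Returns a list of (check_id, detail) tuples; check ids are this script's own labels."""
    findings = []
    # Container-image functions carry no Runtime field, so the runtime check does not apply to them
    if cfg.get("PackageType", "Zip") == "Zip" and cfg.get("Runtime") not in APPROVED_RUNTIMES:
        findings.append(("runtime", f"runtime {cfg.get('Runtime')} is not in the approved set"))
    env = (cfg.get("Environment") or {}).get("Variables") or {}
    if env and not cfg.get("KMSKeyArn"):
        findings.append(("env-encryption",
                         "environment variables rely on the default service key; no customer-managed KMS key set"))
    for name, value in env.items():
        if SECRET_NAME_RE.search(name) and not str(value).startswith(SECRET_REFERENCE_PREFIXES):
            findings.append(("env-secret",
                             f"{name} looks like an inline secret; store it in Secrets Manager or Parameter Store"))
    if not (cfg.get("DeadLetterConfig") or {}).get("TargetArn"):
        findings.append(("dlq", "no dead-letter queue configured for asynchronous invocations"))
    if (cfg.get("ReservedConcurrentExecutions") or 0) < 1:
        findings.append(("concurrency", "reserved concurrency is not set to at least 1"))
    vpc = cfg.get("VpcConfig") or {}
    subnets = vpc.get("SubnetIds") or []
    if subnets:
        zones = {subnet_az.get(s, "unknown") for s in subnets}
        if len(zones) < 2:
            findings.append(("vpc-az", f"subnets {subnets} span a single Availability Zone"))
        if not vpc.get("SecurityGroupIds"):
            findings.append(("vpc-sg", "VPC-attached function has no security group"))
    return findings


def hardening_score(findings, total_checks=TOTAL_CHECKS):
    """Percentage of checks passed; a check counts once even if it fired on several variables."""
    failed = {check_id for check_id, _ in findings}
    return round(100 * (total_checks - len(failed)) / total_checks)


# Constructed sample data (not from any real account)
SUBNET_AZ = {"subnet-0a1": "us-east-1a", "subnet-0a2": "us-east-1a", "subnet-0b1": "us-east-1b"}
NON_COMPLIANT = {
    "FunctionName": "orders-legacy",
    "Runtime": "python3.8",
    "Role": "arn:aws:iam::111122223333:role/shared-lambda-role",
    "Environment": {"Variables": {"DB_HOST": "db.internal", "DB_PASSWORD": "placeholder-inline-password"}},
    "VpcConfig": {"SubnetIds": ["subnet-0a1", "subnet-0a2"], "SecurityGroupIds": ["sg-0123"], "VpcId": "vpc-0abc"},
}
COMPLIANT = {
    "FunctionName": "orders",
    "Runtime": "python3.12",
    "Role": "arn:aws:iam::111122223333:role/orders-lambda-role",
    "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "Environment": {"Variables": {
        "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders/db-AbCdEf"}},
    "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:111122223333:orders-dlq"},
    "ReservedConcurrentExecutions": 5,
    "VpcConfig": {"SubnetIds": ["subnet-0a1", "subnet-0b1"], "SecurityGroupIds": ["sg-0123"], "VpcId": "vpc-0abc"},
}

if __name__ == "__main__":
    for fn in (NON_COMPLIANT, COMPLIANT):
        result = audit_function(fn, SUBNET_AZ)
        print(fn["FunctionName"], "score", hardening_score(result))
        for check_id, detail in result:
            print(f"  [{check_id}] {detail}")
```

Note the distinction the `env-secret` check makes: a variable whose name says SECRET but whose value is a Secrets Manager or Parameter Store ARN is the recommended pattern and passes, while an inline credential with the same name fails.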
CIS Benchmark for Azure Functions
Microsoft's Azure Functions are covered under the CIS Microsoft Azure Foundations Benchmark, which includes function app-specific recommendations across multiple categories. The benchmark targets versions 3.x and 4.x of the Azure Functions runtime and applies to both consumption plan and premium plan deployments.
Authentication and Authorization
Azure Functions support multiple authentication providers, and misconfiguration in this area is a high-severity risk. The CIS Benchmark recommends:
- Azure Functions must enforce authentication for all HTTP-triggered functions; anonymous access is prohibited except where explicitly justified
- Function app authentication should use Azure Active Directory as the primary identity provider
- EasyAuth (App Service Authentication) must be enabled and configured with a minimum token expiration of 8 hours
Networking and Access Restrictions
Unlike AWS Lambda, Azure Functions are hosted within an App Service plan, which introduces additional network configuration options. The benchmark covers:
- Function apps should use access restrictions to limit inbound traffic to only authorized IP ranges or virtual networks
- Functions handling sensitive data must be deployed in an App Service Environment (ASE) or use VNet integration
- FTPS must be disabled unless required for legacy deployment scenarios
- Remote debugging must be disabled in production function apps
Data Protection
Data protection controls for Azure Functions span both application settings and runtime data. The benchmark mandates:
- Function app settings must use Azure Key Vault references instead of storing secrets directly in application settings
- "HTTPS Only" must be enabled for all function apps
- Minimum TLS version must be set to 1.2
- Client certificates (incoming) must be enabled for functions exposed to external traffic
Logging and Monitoring
Azure Functions diagnostic logging is configurable at the function app level. The CIS Benchmark requires:
- Application Insights must be enabled for all function apps in production
- Diagnostic logs must be sent to a Log Analytics workspace with a retention period of at least 365 days
- Function app metrics must be configured to alert on HTTP 5xx errors and execution timeouts
Compliance and Runtime
Runtime management and compliance tracking are integrated into the benchmark through the following controls:
- Function apps must use the most recent supported runtime version
- Deprecated runtime versions (e.g., v1.x) must be migrated to v4.x before end-of-life
- Function app resource locks must be applied to prevent accidental deletion of production resources
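Most of the Azure Functions controls listed above (HTTPS Only, minimum TLS, FTPS, remote debugging, client certificates, access restrictions, Key Vault references, Application Insights, runtime version, App Service Authentication, resource locks) are visible in the ARM template that deploys the function app, which is where the article's later IaC-scanning advice applies. The Python audit below is an added example for this article, not code from the page or from CyberSilo's tool. It walks a parsed ARM template with literal resource names (no ARM expressions), reads authentication from the `Microsoft.Web/sites/config` child named `<site>/authsettingsV2`, and accepts any `CanNotDelete` lock in the template as satisfying the lock control, which is a simplification. The weak and hardened templates are constructed samples.

```python
import re

# Setting names that normally carry a secret (AzureWebJobsStorage holds a storage account key)
SECRET_NAME_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|API_?KEY|TOKEN|AzureWebJobsStorage)", re.IGNORECASE)
KEY_VAULT_REFERENCE = "@Microsoft.KeyVault("
MONITORING_SETTINGS = ("APPLICATIONINSIGHTS_CONNECTION_STRING", "APPINSIGHTS_INSTRUMENTATIONKEY")


def _tls_at_least_1_2(version):
    try:
        return tuple(int(p) for p in str(version).split(".")) >= (1, 2)
    except ValueError:
        return False


def audit_function_apps(template):
    """template: parsed ARM template dict with literal resource names.
    Returns {site name: [findings]} for each Microsoft.Web/sites resource of kind functionapp."""
    resources = template.get("resources", [])
    has_delete_lock = any(r.get("type") == "Microsoft.Authorization/locks"
                          and (r.get("properties") or {}).get("level") == "CanNotDelete" for r in resources)
    auth_by_site = {r["name"].split("/")[0]: r.get("properties") or {} for r in resources
                    if r.get("type") == "Microsoft.Web/sites/config" and r["name"].endswith("/authsettingsV2")}
    report = {}
    for site in resources:
        if site.get("type") != "Microsoft.Web/sites" or "functionapp" not in site.get("kind", ""):
            continue
        props = site.get("properties") or {}
        sc = props.get("siteConfig") or {}
        settings = {s["name"]: s.get("value", "") for s in sc.get("appSettings", [])}
        f = []
        if props.get("httpsOnly") is not True:
            f.append("HTTPS Only is not enabled")
        if not _tls_at_least_1_2(sc.get("minTlsVersion")):
            f.append(f"minimum TLS version is {sc.get('minTlsVersion')!r}; 1.2 or higher required")
        if sc.get("ftpsState") != "Disabled":
            f.append("FTPS is not disabled")
        if sc.get("remoteDebuggingEnabled"):
            f.append("remote debugging is enabled")
        if props.get("clientCertEnabled") is not True:
            f.append("incoming client certificates are not required")
        # Without explicit restrictions App Service keeps its default "Allow all from Any" rule
        if not [r for r in sc.get("ipSecurityRestrictions", []) if r.get("ipAddress") != "Any"]:
            f.append("no access restrictions: inbound traffic accepted from any address")
        for key, value in settings.items():
            if SECRET_NAME_RE.search(key) and not str(value).startswith(KEY_VAULT_REFERENCE):
                f.append(f"app setting {key} holds a secret inline instead of a Key Vault reference")
        if not any(settings.get(k) for k in MONITORING_SETTINGS):
            f.append("Application Insights is not configured")
        if settings.get("FUNCTIONS_EXTENSION_VERSION") != "~4":
            f.append(f"runtime {settings.get('FUNCTIONS_EXTENSION_VERSION')!r} is not the v4 runtime")
        auth = auth_by_site.get(site["name"])
        if not auth or not (auth.get("globalValidation") or {}).get("requireAuthentication"):
            f.append("App Service Authentication does not require authentication")
        elif not ((auth.get("identityProviders") or {}).get("azureActiveDirectory") or {}).get("enabled"):
            f.append("Azure Active Directory is not the configured identity provider")
        if not has_delete_lock:
            f.append("no CanNotDelete resource lock")
        report[site["name"]] = f
    return report


# Constructed sample templates (placeholder names and values, not a real deployment)
WEAK_TEMPLATE = {"resources": [
    {"type": "Microsoft.Web/sites", "kind": "functionapp", "name": "orders-func",
     "properties": {"httpsOnly": False, "clientCertEnabled": False, "siteConfig": {
         "minTlsVersion": "1.0", "ftpsState": "AllAllowed", "remoteDebuggingEnabled": True,
         "appSettings": [
             {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~3"},
             {"name": "AzureWebJobsStorage",
              "value": "DefaultEndpointsProtocol=https;AccountName=ordersstorage;AccountKey=PLACEHOLDER_KEY"},
             {"name": "DB_PASSWORD", "value": "placeholder-inline-password"}]}}},
]}
HARDENED_TEMPLATE = {"resources": [
    {"type": "Microsoft.Web/sites", "kind": "functionapp,linux", "name": "orders-func",
     "properties": {"httpsOnly": True, "clientCertEnabled": True, "siteConfig": {
         "minTlsVersion": "1.2", "ftpsState": "Disabled", "remoteDebuggingEnabled": False,
         "ipSecurityRestrictions": [
             {"ipAddress": "10.20.0.0/16", "action": "Allow", "priority": 100, "name": "corp-vnet"},
             {"ipAddress": "Any", "action": "Deny", "priority": 2147483647, "name": "Deny all"}],
         "appSettings": [
             {"name": "FUNCTIONS_EXTENSION_VERSION", "value": "~4"},
             {"name": "AzureWebJobsStorage",
              "value": "@Microsoft.KeyVault(SecretUri=https://orders-kv.vault.azure.net/secrets/storage-conn/)"},
             {"name": "APPLICATIONINSIGHTS_CONNECTION_STRING",
              "value": "InstrumentationKey=00000000-0000-0000-0000-000000000000"}]}}},
    {"type": "Microsoft.Web/sites/config", "name": "orders-func/authsettingsV2",
     "properties": {"globalValidation": {"requireAuthentication": True, "unauthenticatedClientAction": "Return401"},
                    "identityProviders": {"azureActiveDirectory": {"enabled": True}}}},
    {"type": "Microsoft.Authorization/locks", "name": "orders-func-lock", "properties": {"level": "CanNotDelete"}},
]}

if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        for site, findings in audit_function_apps(tpl).items():
            print(f"{label} {site}: {len(findings)} finding(s)")
            for item in findings:
                print("  -", item)
```

Real templates usually name resources with expressions such as `[parameters('appName')]`; a production scanner resolves those first, or runs against the deployed resources with the same checks.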
Common Weaknesses in Serverless Benchmarking
Organizations that assess serverless functions against CIS Benchmarks often encounter repeatable failure patterns. The most common findings across both AWS Lambda and Azure Functions deployments include:
These findings are not unusual. In fact, enterprise security teams running their first serverless benchmark assessment typically see non-compliance rates of 40–60% across all applicable controls. The gap between development convenience and security hardening is significant in serverless environments because the infrastructure is abstracted away, creating a false sense of inherent security.
Automation and Remediation Strategies
Manual assessment of serverless function configurations is impractical beyond small deployments. Organizations running hundreds or thousands of functions require automated benchmarking that integrates into their CI/CD pipelines and cloud management platforms.
Infrastructure-as-Code Scanning
Serverless functions are typically deployed through Infrastructure-as-Code (IaC) templates such as AWS CloudFormation, Azure Resource Manager (ARM) templates, Terraform, or the Serverless Application Model (SAM). CIS Benchmark checks can be applied at the IaC stage to prevent non-compliant configurations from reaching production. Tools like CyberSilo's CIS Benchmarking Tool evaluate Terraform and CloudFormation templates against the relevant CIS Benchmark profiles before deployment.
Runtime Policy Enforcement
Even with IaC validation, configuration drift can occur through manual changes or automated updates. Runtime policy enforcement using cloud-native services like AWS Config or Azure Policy can detect and alert on drift from CIS Benchmark baselines. For example:
- AWS Config rules can evaluate Lambda function settings against CIS Benchmark recommendations and trigger auto-remediation via Systems Manager Automation
- Azure Policy built-in definitions for Function Apps can enforce HTTPS-only, minimum TLS version, and authentication requirements
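A custom AWS Config rule is the usual way to catch the drift described above on the AWS side: Config delivers each configuration change to a Lambda function, which reports COMPLIANT or NON_COMPLIANT back with `PutEvaluations`. The handler below is an added example for this article (not code from the page or from CyberSilo's tool). It evaluates two of the Lambda controls discussed earlier, an approved-runtime list supplied as a rule parameter and the customer-managed KMS key requirement for environment variables, and keeps the check itself free of SDK calls so it can be tested offline. The configuration item shape (Config's lowerCamelCase rendering of the Lambda API, with `runtime`, `kmsKeyArn` and `environment.variables`) is an assumption to confirm against your own recorded items, and the sample event is constructed. Auto-remediation through Systems Manager Automation is attached to the rule separately and is not shown.

```python
import json


def evaluate_lambda_item(item, params):
    """Pure check over one AWS Config configuration item for AWS::Lambda::Function.
    Assumed shape: item['configuration'] carries runtime, kmsKeyArn and environment.variables
    in lowerCamelCase. Returns (ComplianceType, Annotation)."""
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource deleted"
    cfg = item.get("configuration") or {}
    problems = []
    approved = {r.strip() for r in params.get("approvedRuntimes", "").split(",") if r.strip()}
    if approved and cfg.get("runtime") not in approved:
        problems.append(f"runtime {cfg.get('runtime')} is not approved")
    has_env = bool((cfg.get("environment") or {}).get("variables"))
    if has_env and not cfg.get("kmsKeyArn"):
        problems.append("environment variables are not encrypted with a customer-managed KMS key")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)[:256]  # Annotation is limited to 256 characters
    return "COMPLIANT", "runtime approved and environment encrypted with a customer-managed key"


def build_evaluation(item, compliance_type, annotation):
    """Shape expected by config.put_evaluations(Evaluations=[...])."""
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def evaluate_event(event):
    """Parse the Config invocation (invokingEvent and ruleParameters are JSON strings) and
    run the check; returns None for oversized notifications that omit the configuration item."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking.get("configurationItem")
    if item is None:
        # OversizedConfigurationItemChangeNotification carries only a summary; production code
        # fetches the full item with config.get_resource_config_history before evaluating.
        return None
    compliance_type, annotation = evaluate_lambda_item(item, params)
    return build_evaluation(item, compliance_type, annotation)


def lambda_handler(event, context):
    """Entry point for the custom Config rule."""
    evaluation = evaluate_event(event)
    if evaluation is None:
        return None
    import boto3  # imported here so the evaluation logic above is testable without the SDK
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event in the form Config delivers it (no real resource or token)
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::Lambda::Function",
            "resourceId": "orders-legacy",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"functionName": "orders-legacy", "runtime": "python3.8",
                              "environment": {"variables": {"DB_PASSWORD": "placeholder"}}},
        },
    }),
    "ruleParameters": json.dumps({"approvedRuntimes": "python3.12,nodejs20.x"}),
    "resultToken": "placeholder-token",
}

if __name__ == "__main__":
    print(json.dumps(evaluate_event(SAMPLE_EVENT), indent=2))
```

Deleted resources must be reported as NOT_APPLICABLE rather than skipped, otherwise the last recorded NON_COMPLIANT result lingers on the rule's dashboard after the function is gone.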
Continuous Assessment Pipelines
For enterprises requiring continuous compliance, serverless functions should be scanned on a recurring basis—not just at deployment time. CyberSilo's CIS Benchmarking Tool supports scheduled assessments that inventory all functions across AWS and Azure accounts, run the full CIS benchmark control set, score each function individually, and generate remediation tickets in existing workflows. This approach ensures that compliance is maintained as functions are updated, re-deployed, or reconfigured.
Implementing CIS Benchmarks for Serverless: A Step-by-Step Approach
Inventory All Serverless Functions
Before any benchmarking can occur, you must have a complete inventory of all serverless functions across your cloud environments. Use cloud-native resource explorers (AWS Lambda console, Azure Functions blade) or a multi-cloud asset management tool to discover all functions, including those in development, staging, and production accounts. Pay special attention to functions deployed outside your primary IaC pipeline—these are often the source of non-compliance.
Map Functions to Business Criticality
Not all functions require the same level of hardening. Classify functions based on data sensitivity, network exposure, and integration with critical systems. Functions handling PII, PHI, or financial data should be prioritized for full CIS Benchmark compliance. Internal utility functions may be subject to a reduced control set aligned with CIS Implementation Group 1 (IG1).
Define Your Baseline Profile
Select the appropriate CIS Benchmark profile for each cloud provider (CIS AWS Foundations Benchmark, CIS Microsoft Azure Foundations Benchmark). Identify which controls apply to serverless functions specifically and which are environment-wide (e.g., logging aggregation, encryption standards). Document any exceptions that require formal risk acceptance from your security team.
Run Your First Automated Assessment
Deploy a CIS benchmarking platform such as CyberSilo's CIS Benchmarking Tool to run the initial assessment. The tool should scan all identified functions, report pass/fail status for each control, and calculate a hardening score for each function. Baseline your current compliance posture before starting any remediation work.

Remediate by Priority
Address findings based on risk severity. Critical findings—over-privileged roles, public endpoints, unencrypted secrets—should be remediated within 24–48 hours. High-severity findings should follow your organization's standard vulnerability management SLA, typically 7–14 days. Medium-severity findings, such as runtime version updates, can be scheduled into the next sprint.
Integrate Benchmarking Into CI/CD
Add automated CIS Benchmark scanning to your deployment pipelines. Any new or updated function that fails critical controls should block the deployment. For non-blocking findings, generate automated tickets in your issue tracker (Jira, ServiceNow) with the specific control ID, current value, and required remediation steps.
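The last three steps of the procedure (score each function, block deployment on critical controls, ticket everything else with control id, current value and remediation) are mechanical once the scanner's findings are available. The script below is an added example for this article, not code from the page or from CyberSilo's tool. It assumes the scanner emits one finding per failed control with `control_id`, `severity`, `current_value`, `required_value` and `remediation` fields; the control ids in the sample are this example's own labels, not CIS recommendation numbers, and the sprint length used for medium-severity due dates is an assumption. The assessment output is constructed.

```python
from datetime import datetime, timedelta, timezone

# Remediation SLAs as stated in the procedure (upper bounds); sprint length is an assumption
SPRINT_DAYS = 14
SLA = {
    "critical": timedelta(hours=48),
    "high": timedelta(days=14),
    "medium": timedelta(days=SPRINT_DAYS),
}
BLOCKING_SEVERITIES = {"critical"}


def hardening_score(findings, total_controls):
    """Percent of controls passed for one function; 'findings' are its failed controls."""
    return round(100 * (total_controls - len(findings)) / total_controls)


def gate(assessment, total_controls):
    """assessment: {function_name: [finding dicts]}.
    Returns (deploy_allowed, {function: score}, [(function, blocking finding), ...])."""
    scores = {fn: hardening_score(findings, total_controls) for fn, findings in assessment.items()}
    blocking = [(fn, f) for fn, findings in assessment.items()
                for f in findings if f["severity"] in BLOCKING_SEVERITIES]
    return not blocking, scores, blocking


def remediation_tickets(assessment, now):
    """One ticket per non-blocking finding, carrying the control id, current and required value,
    remediation steps and an SLA-derived due date. Blocking findings are fixed before deployment
    and therefore not ticketed."""
    tickets = []
    for fn, findings in assessment.items():
        for f in findings:
            if f["severity"] in BLOCKING_SEVERITIES:
                continue
            due = now + SLA.get(f["severity"], SLA["medium"])
            tickets.append({
                "summary": f"[{f['control_id']}] {fn}: {f['current_value']} -> {f['required_value']}",
                "severity": f["severity"],
                "due": due.isoformat(),
                "description": f["remediation"],
            })
    return tickets


# Constructed scanner output; control ids are this example's labels, not CIS recommendation numbers
TOTAL_CONTROLS = 12
ASSESSMENT = {
    "orders": [
        {"control_id": "lambda-exec-role-least-privilege", "severity": "critical",
         "current_value": "s3:* on Resource *", "required_value": "scoped actions and ARNs",
         "remediation": "Replace the wildcard statement with the S3 actions and bucket ARNs the function uses."},
        {"control_id": "lambda-runtime-supported", "severity": "medium",
         "current_value": "python3.8", "required_value": "python3.12 or later",
         "remediation": "Update the runtime and re-run the test suite."},
    ],
    "billing": [
        {"control_id": "lambda-vpc-egress", "severity": "high",
         "current_value": "security group allows 0.0.0.0/0 outbound",
         "required_value": "egress limited to required CIDRs",
         "remediation": "Restrict outbound rules to the database and API endpoint CIDRs."},
    ],
}

if __name__ == "__main__":
    allowed, scores, blocking = gate(ASSESSMENT, TOTAL_CONTROLS)
    print("deploy allowed:", allowed, "scores:", scores)
    for fn, f in blocking:
        print("BLOCK", fn, f["control_id"], f["current_value"])
    for t in remediation_tickets(ASSESSMENT, datetime.now(timezone.utc)):
        print(t["summary"], "due", t["due"])
```

In a pipeline, a false `deploy_allowed` maps to a non-zero exit status for the scan stage, and the ticket dicts are what gets posted to the Jira or ServiceNow API.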
CIS Benchmarks vs. Self-Built Baselines
Some organizations attempt to create their own serverless hardening guidelines instead of adopting CIS Benchmarks. While internal baselines can address organization-specific requirements, they lack several critical properties that make CIS Benchmarks the preferred choice for compliance-driven environments:
For organizations subject to FedRAMP, PCI DSS, or HIPAA audits, CIS Benchmarks provide an accepted, defensible standard. Auditors are familiar with the control framework and can validate findings against published benchmark documentation. Self-built baselines require extensive documentation and justification, often extending audit cycles by weeks.
Challenges Specific to Serverless Benchmarking
Serverless benchmarking presents unique challenges not encountered with traditional server or container workloads:
Ephemeral runtimes: Functions may only exist for seconds during execution, making runtime-only assessment tools ineffective. Benchmarking must occur at deployment time or through configuration assessment rather than runtime scanning.
Shared responsibility complexity: Some benchmark controls address cloud provider responsibilities (runtime security, infrastructure hardening) that the customer cannot directly verify. Organizations must rely on provider attestations (SOC 2, FedRAMP) for these layers.
Rapid iteration cycles: Serverless functions are often updated multiple times per day. A point-in-time benchmark assessment may be outdated within hours. Continuous assessment pipelines are essential for maintaining compliance.
Cross-service dependencies: A single function may interact with dozens of other services (queues, databases, API gateways, event sources). Hardening the function alone is insufficient if dependencies lack their own security baselines.
Automate Serverless CIS Benchmark Assessment at Scale
CyberSilo's CIS Benchmarking Tool supports automated assessment of AWS Lambda and Azure Functions against the latest CIS Benchmark profiles. Schedule continuous scans, track hardening scores, and generate auditor-ready reports without manual effort.
The Future of Serverless Benchmarking
CIS Benchmarks for serverless are evolving as cloud providers release new capabilities. Several trends are shaping the next generation of serverless benchmarking:
Zero-trust alignment: Future benchmark updates will align more closely with zero-trust principles, requiring functions to authenticate every request, encrypt all data in transit, and maintain session-level access controls rather than relying solely on IAM roles.
Supply chain security: As software supply chain attacks increase, CIS Benchmarks are expected to add controls for third-party dependency verification, function signature validation, and provenance tracking for deployment artifacts.
Multi-cloud standardization: Enterprises running serverless functions across AWS, Azure, and GCP need consistent baselines across providers. CIS is working toward cross-cloud benchmark profiles that harmonize controls where possible while respecting provider-specific implementation differences.
AI-generated function assessment: With the rise of AI-assisted code generation, benchmarks will need to address security risks introduced by AI-generated function code, including hidden dependencies, insecure data handling, and logic flaws that bypass traditional controls.
Serverless Compliance Under Major Frameworks
CIS Benchmarks for serverless serve as a foundation for compliance with multiple regulatory and industry frameworks. The mapping between CIS controls and framework requirements is well established:
Organizations should not assume that serverless deployments are automatically compliant because the cloud provider manages the underlying infrastructure. The shared responsibility model clearly places configuration security—including function permissions, data protection, and access controls—on the customer. CIS Benchmarks provide the most efficient path to demonstrating due diligence in these areas.
Our Conclusion & Recommendation
CIS Benchmarks for serverless computing—specifically for AWS Lambda and Azure Functions—are not optional for enterprises operating under compliance requirements. The benchmarks provide prescriptive, auditor-accepted controls that address the unique attack surface of serverless architectures: over-privileged roles, unencrypted secrets, deprecated runtimes, and missing logging. When implemented through automated assessment tools, these benchmarks close the gap between development velocity and security compliance without introducing friction into deployment pipelines.
For organizations managing serverless functions at scale, manual benchmarking is unsustainable. CyberSilo's CIS Benchmarking Tool provides automated assessment, scoring, and remediation tracking for AWS Lambda and Azure Functions against the latest CIS Benchmark profiles. The platform integrates with existing CI/CD pipelines, cloud management consoles, and compliance reporting systems, enabling continuous compliance without manual overhead. We recommend evaluating the tool against your current serverless inventory to baseline your compliance posture and prioritize remediation of critical findings.
Ready to Automate Your Serverless Security Baselines?
Schedule a demonstration to see how CyberSilo's CIS Benchmarking Tool assesses AWS Lambda and Azure Functions against CIS Benchmarks in minutes, not days.
