Serverless promised automatic scaling, but not automatic trust. As organizations adopt internal FaaS offerings, they need isolation from untrusted tenant code, deterministic supply-chain controls, and continuous posture evaluation. The U.S. National Security Agency and CISA published hardening guidance in 2024, while engineering teams at iRobot, Amplitude, and Shopify shared their experiences integrating Firecracker microVMs and Sigstore. This article condenses what we have implemented for Cloudythings clients into a zero-trust blueprint for serverless.
Define trust zones
We map workloads into zones:
- Trusted platform services (observability, billing).
- Customer/tenant workloads executing untrusted code.
- Security controls (policy enforcement, auditing).
Each zone has explicit ingress/egress rules, secrets scopes, and signing policies. Zero trust demands explicit intent—nothing communicates without policy.
Enforce signed workloads
All artifacts—functions, layers, container images—are signed via Sigstore or AWS Signer. Policies require:
- Keyless signing tied to CI workload identity.
- SLSA provenance linking build metadata.
- Attestations for vulnerability scans and test results.
Runtime admission controllers (Lambda Extensions, Knative Admission, custom Firecracker shims) verify signatures before execution. Unsigned workloads never run.
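The admission step described above, as an added example that is not code from this article or from any project it names: a fail-closed policy decision applied to results an upstream cryptographic verifier has already produced. The record layout, the issuer and identity pattern, and the test-results predicate type are assumptions constructed for illustration.

```python
import re

# Policy values below are assumptions constructed for this example.
TRUSTED_ISSUER = "https://token.actions.githubusercontent.com"
TRUSTED_IDENTITY = re.compile(
    r"https://github\.com/example-org/[\w.-]+/\.github/workflows/release\.yml@refs/tags/v[\w.]+")
REQUIRED_PREDICATES = {
    "https://slsa.dev/provenance/v1": "SLSA provenance",
    "https://cosign.sigstore.dev/attestation/vuln/v1": "vulnerability scan",
    "https://example.invalid/attestation/test-results/v1": "test results",  # hypothetical type
}


def admit(record):
    """Return (allowed, reasons). `record` (hypothetical layout) holds results from an
    upstream cryptographic verifier; missing fields count as denial (fail closed)."""
    reasons = []
    digest = record.get("digest")
    if not digest:
        reasons.append("artifact has no digest")
    sig = record.get("signature") or {}
    if sig.get("verified") is not True:
        reasons.append("signature not verified")
    if sig.get("issuer") != TRUSTED_ISSUER:
        reasons.append("untrusted OIDC issuer")
    if not TRUSTED_IDENTITY.fullmatch(str(sig.get("identity", ""))):
        reasons.append("signer identity is not the CI release workflow")
    # Count only attestations that verified AND are bound to this exact digest,
    # so a valid attestation for another build cannot be replayed here.
    present = {
        a.get("predicate_type")
        for a in record.get("attestations") or []
        if a.get("verified") is True and digest and a.get("subject_digest") == digest
    }
    for ptype, label in REQUIRED_PREDICATES.items():
        if ptype not in present:
            reasons.append(f"missing {label} attestation")
    return (not reasons, reasons)


DIGEST = "sha256:" + "ab" * 32  # constructed sample digest
GOOD = {  # constructed sample record
    "digest": DIGEST,
    "signature": {
        "verified": True, "issuer": TRUSTED_ISSUER,
        "identity": "https://github.com/example-org/fn-billing/.github/workflows/release.yml@refs/tags/v1.4.2"},
    "attestations": [{"predicate_type": p, "verified": True, "subject_digest": DIGEST}
                     for p in REQUIRED_PREDICATES],
}
```

Returning the full list of reasons, rather than stopping at the first failure, gives the audit log one complete record per denied deployment.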
Isolate execution with microVMs
For untrusted code we run:
- Firecracker microVM-based runtimes (AWS Lambda style) with the jailer enforcing seccomp, cgroups, and chroot.
- gVisor/Kata Containers for Kubernetes-based serverless (Knative, OpenFaaS).
- Per-tenant runtime classes mapped to dedicated node pools with hardened OS images (Bottlerocket, Talos).
Hardware-backed attestation (TPM, Nitro Enclaves) ensures hosts boot from signed images.
Micro-segment networking
Zero-trust networking includes:
- Service mesh (Istio, Linkerd) enforcing mutual TLS and per-route policies.
- Identity-aware proxies (SPIFFE/SPIRE) issuing short-lived certificates tied to workload identity.
- Egress gateways with allowlists; any new external dependency requires policy updates via Git PR.
We log every connection and analyze it with eBPF-powered tools (Cilium Hubble) for anomalies.
Continuous posture evaluation
Security posture changes rapidly. We automate:
- Runtime scanning (Aqua Trivy, Wiz) to ensure base images remain patched.
- Policy drift detection using OPA to compare desired vs. observed permissions.
- Credential hygiene with secret rotation pipelines and detection of long-lived tokens.
Findings feed into Backstage dashboards and trigger PagerDuty incidents if severity warrants.
Observability with guardrails
Zero trust is useless without visibility:
- OpenTelemetry instrumentation records request context, identity claims, and policy decisions.
- Audit logs capture function invocation metadata, signature verification results, and network policy evaluations.
- Behavioral analytics flag anomalies (code fetching unusual domains, spikes in errors).
Data retention policies respect compliance while keeping enough history for investigations.
Incident response integration
When a workload misbehaves:
- Automation isolates the tenant by revoking certificates and scaling to zero.
- Incident timelines link to invocation logs, signatures, and recent deployments.
- Forensics run inside sandboxed environments with read-only snapshots to avoid contamination.
Post-incident reviews evaluate whether policies need tightening, aligning with zero-trust maturity models from NIST SP 800-207.
Zero-trust serverless is achievable. By combining signed workloads, microVM isolation, and relentless observability, teams ship untrusted code quickly without compromising security or reliability.