As you have noticed, serverless computing has revolutionized how applications are built and deployed. AWS Lambda, one of the most widely adopted serverless platforms, enables developers to run code without provisioning or managing servers. It offers scalability, cost-efficiency, and rapid development cycles, but these benefits come with new security challenges.
Unlike traditional applications, Lambda functions are ephemeral, event-driven, and often exposed via APIs or integrated into complex microservices architectures. This makes them attractive targets for attackers seeking to exploit misconfigurations, insecure endpoints, or vulnerable third-party dependencies. As organizations increasingly rely on Lambda for critical workloads, ensuring robust security becomes not just a best practice but a necessity.
This is where Fortinet’s security solutions, specifically FortiGate and FortiWeb, come into play. FortiGate, a next-generation firewall, provides deep packet inspection, threat intelligence, and secure connectivity. FortiWeb, a web application firewall (WAF), offers advanced protection against OWASP Top 10 threats, bot mitigation, and API security. Together, they form a powerful defense-in-depth strategy for safeguarding serverless applications.
In this blog, we’ll explore how to integrate FortiGate and FortiWeb into your AWS architecture to protect Lambda functions from external threats, unauthorized access, and data exfiltration. We’ll walk through:
Whether you're a cloud architect, security engineer, or DevOps practitioner, this guide will help you build a resilient and secure serverless infrastructure using proven enterprise-grade tools.
The following diagram shows how to protect your Lambda functions using Fortinet products:
Here we have a parallel protection configuration: inbound traffic is inspected by FortiWeb in A/A (high-volume) mode, and outbound traffic by FortiGate (which can be deployed in A/P mode).
To achieve this configuration in this environment, follow the steps below:
Create your Lambda function in the AWS console
In the source code, place the code below:
**********************************************************************************************
def lambda_handler(event, context):
    # Response in the shape an ALB target group expects from a Lambda target
    return {
        "statusCode": 200,
        "statusDescription": "200 OK",
        "isBase64Encoded": False,
        "headers": {
            "Content-Type": "application/json"
        },
        "body": 'Cloud consulting private Lambda function!'
    }
*********************************************************************************************
Click Deploy
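As an added example (not the blog's code), a fuller version of the same ALB-target handler: it accepts only ALB-shaped events, so a direct invocation that bypasses the FortiWeb > internal ALB path is refused, and it logs the client address from X-Forwarded-For so each request can be correlated with the FortiWeb traffic logs checked later. The target group ARN, addresses and host name are placeholders.

```python
import json
import logging

logger = logging.getLogger(__name__)

# Reason phrases for the statusDescription field the ALB target format requires
REASONS = {200: "OK", 403: "Forbidden", 405: "Method Not Allowed"}


def alb_response(status, payload):
    """Build the response shape an ALB target group expects from a Lambda target."""
    return {
        "statusCode": status,
        "statusDescription": f"{status} {REASONS[status]}",
        "isBase64Encoded": False,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def lambda_handler(event, context):
    # Only an ALB invocation carries requestContext.elb.targetGroupArn; any other
    # event (direct Invoke, console test) is refused, so the function cannot be
    # driven around the FortiWeb -> internal ALB path.
    elb = (event.get("requestContext") or {}).get("elb") or {}
    if "targetGroupArn" not in elb:
        return alb_response(403, {"error": "not invoked via ALB"})

    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    # X-Forwarded-For: the ALB appends the address of its immediate client (here the
    # FortiWeb instance); the first entry is the original client, assuming the hops
    # in front preserve the header. Log it for correlation with FortiWeb traffic logs.
    xff = headers.get("x-forwarded-for", "")
    client_ip = xff.split(",")[0].strip() if xff else "unknown"
    logger.info("method=%s path=%s client=%s",
                event.get("httpMethod"), event.get("path"), client_ip)

    if event.get("httpMethod") != "GET":
        return alb_response(405, {"error": "method not allowed"})
    return alb_response(200, {"message": "Cloud consulting private Lambda function!",
                              "client": client_ip, "path": event.get("path")})


# Constructed sample ALB event (placeholder ARN, addresses and host) for a local run
SAMPLE_EVENT = {
    "requestContext": {"elb": {"targetGroupArn":
        "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/PLACEHOLDER"}},
    "httpMethod": "GET", "path": "/", "queryStringParameters": {},
    "headers": {"X-Forwarded-For": "203.0.113.7, 10.10.1.5", "Host": "lambda.example.com"},
    "body": "", "isBase64Encoded": False,
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```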
Create an internal ALB with a custom certificate
Create a target group
Import a certificate in ACM
To create a custom certificate using Let's Encrypt for your domain, follow the instructions here: https://www.youtube.com/watch?v=7haN-Aghlso
Note: we used Let's Encrypt for lab purposes
AWS Certificate Manager > Certificates
Click import
Click Import certificate
Create an internal Application Load Balancer
Click Create load balancer
In FortiWeb, check connectivity to the ALB
Create a new server pool
Click OK then Create New
Select Domain, then add the DNS name of the internal ALB created in the previous step
Set Port to 443
Enable SSL
Select Advanced SSL settings and enable TLS 1.3 only for the strongest cipher security
Click OK twice
Select Policy > Server Policy > Create New
Name: Lambda-policy
Virtual server: Virtual-server
Server Pool: lambda-alb
HTTPS Service: HTTPS
Select Certificate Type: Let's Encrypt > select the certificate created according to the guide referenced below
Note: we used Let's Encrypt for lab purposes
Select Web Protection Profile: test-wpp
Click OK
Now let's create an external ALB to expose our Lambda API to the internet
First, let's create a target group pointing to the FortiWeb instances
EC2 > Target groups > Create target group
Set the target type to Instances
Set name to: external-lambda-demo-tg
Set protocol to HTTPS and leave the default port 443
Select the VPC where FortiWeb resides
Set Health checks to HTTPS
Click next
Register available instances
Click Include as pending below
Click Create target group
EC2 > Load balancers
Click Create load balancer
Click Create under Application Load Balancer
Set name: elb-fortiweb-lambda
In Scheme section select Internet-facing
Select the VPC where FortiWeb resides
Select the appropriate Availability Zones and their corresponding public subnets
Select a security group that allows port 443 from 0.0.0.0/0 (if none exists, create a new one)
In Listeners and routing section set protocol to HTTPS
Select Forward to target groups in Routing action
In Target group select external-lambda-demo-tg created in previous step
Leave Secure listener settings at their defaults
In Default SSL/TLS server certificate, select From ACM as the Certificate source, then select the imported certificate
Leave the remaining sections at their defaults
Click Create load balancer
Copy the DNS name into your DNS infrastructure as a CNAME record
Wait until target group becomes healthy
Finally, test in a browser
Check Traffic logs in FortiWeb console
For outbound traffic inspection, you can create a simple Lambda function that fetches the title of a web site
This Lambda function should have the following structure:
lambda_outbound/
├── lambda_function.py
└── requirements.txt
In the lambda_function.py file, place the code below:
***********************************************************************************************
import requests
from bs4 import BeautifulSoup


def lambda_handler(event, context):
    # Destination to fetch; defaults to python.org when the event carries no "url"
    url = event.get("url", "https://www.python.org")
    try:
        # Bounded timeout so a request dropped by the egress firewall fails fast
        # instead of hanging until the Lambda timeout
        response = requests.get(url, timeout=10)
        response.raise_for_status()
        soup = BeautifulSoup(response.text, 'html.parser')
        title = soup.title.string if soup.title else "No title found"
        return {
            "url": url,
            "title": title
        }
    except Exception as e:
        return {
            "error": str(e)
        }
************************************************************************************************
In the requirements.txt file, place the following:
************************************************************************************************
requests
beautifulsoup4
************************************************************************************************
Copy the files created previously, then install the dependencies locally (on your computer):
mkdir lambda_outbound
cp lambda_function.py requirements.txt lambda_outbound
cd lambda_outbound
pip install -r requirements.txt -t .
Create a ZIP file of the directory contents to upload to the Lambda service
Upload the ZIP file to AWS Lambda
Go to the Lambda console in the AWS console
Create a new function
Set name: lambda_outbound.
Select Python 3.13 as the runtime.
Under Additional configurations, select Enable VPC and choose the VPC and private subnets where the Lambda function will run (make sure those subnets route outbound traffic to FortiGate for inspection).
Click Create function
Now it's time to upload the ZIP file created in the previous steps
In the Code section of the Lambda function, click Upload from > .zip file and select the ZIP file
Upload the ZIP file as source code.
Then create a test event with the JSON below, then click Save
{
    "url": "https://www.fortinet.com"
}
In FortiGate, create the firewall policy below
Now switch back to the Lambda function console, then click Test
The output shows the message below
In FortiGate, run diagnose sniffer packet any 'net 10.10.2.0/24 and net 10.10.3.0/24' 4 0 1
Note: adjust the subnets in the filter to the private subnets of your VPC, taking into account the network interfaces Lambda created there
Takeaways:
Deploying FortiGate and FortiWeb in tandem provides a comprehensive security posture:
In event-driven environments like AWS Lambda, it's crucial to:
https://www.fortinet.com/resources/security-consulting-services
References:
AWS Lambda getting started: https://aws.amazon.com/lambda/getting-started/?trk=731294fb-c635-4fb6-9dbf-beac0d3b0f20&sc_channel=p...
Create a custom certificate using Let's Encrypt: https://www.youtube.com/watch?v=7haN-Aghlso
Create a custom certificate in FortiWeb using Let's Encrypt: https://community.fortinet.com/t5/FortiWeb/Technical-Tip-How-to-obtain-a-Let-s-Encrypt-SSL-for-a-dom...
FortiWeb admin guide: https://docs.fortinet.com/document/fortiweb/7.4.8/administration-guide/60895/introduction
FortiGate admin guide: https://docs.fortinet.com/document/fortigate/7.4.8/administration-guide/954635/getting-started
Copyright 2025 Fortinet, Inc. All Rights Reserved.