Compute & Container Security Bundle

Lambda security, Amazon EKS security, and general container security (ECR/ECS/Fargate) — three compute models that share a common security pattern: identity for the workload, isolation of the runtime, and scanning of the artifact before it ever runs. The freshest material here is the IRSA-to-Pod-Identity transition and Lambda SnapStart's two specific, easily-missed security hazards.

Infrastructure Protection — primary role Identity — workload credentials Detective — image/runtime scanning

Pod Identity

EKS-recommended successor to IRSA

Java/Python/.NET

SnapStart-supported runtimes

scratch/distroless

Inspector enhanced scanning support

June 2025

Pod Identity cross-account role chaining

The Core Mental Model — Identity, Isolation, Inspection

Three Compute Models, One Repeating Security Pattern

AWS Lambda — security centers on the execution role (least-privilege IAM for what the function can touch), the execution environment lifecycle (Init/Invoke/Shutdown phases, and what happens when environments are reused or snapshotted), and code integrity (code signing to ensure only trusted code runs).
Amazon EKS — security centers on workload identity (Pod Identity vs IRSA — getting pods scoped AWS credentials without hardcoding them or over-granting via the node's own instance role), API server exposure (the cluster control plane is public by default), and network segmentation (Kubernetes network policies, VPC CNI).
Containers generally (ECR/ECS/Fargate) — security centers on the IMAGE (vulnerability scanning before and after deployment, signing for supply-chain integrity) and the RUNTIME (task/pod-level isolation, least-privilege task roles, GuardDuty Runtime Monitoring for behavioral detection once running).

⚠️ The Recurring Exam Theme

This domain tests three things repeatedly: (1) workload identity — do you know the CURRENT recommended mechanism (EKS Pod Identity over IRSA, Lambda execution roles scoped per-function) rather than the older "broad node/instance role for everything" anti-pattern, (2) artifact security — can you distinguish scanning an image AT REST in ECR from scanning a RUNNING container/task, and (3) Lambda's specific SnapStart hazards (stale secrets, repeated uniqueness) which are a newer, frequently-overlooked nuance.

Exam Domain Mapping

Domain	Where This Bundle Shows Up
Infrastructure Security	The centerpiece — execution roles, Pod Identity/IRSA, network policies, task/pod isolation
Identity & Access Management	Workload identity patterns — Lambda execution roles, EKS Pod Identity, ECS task roles, all building on temporary-credential principles from earlier modules
Data Protection	Secrets handling in Lambda init/invoke phases, encryption of Fargate ephemeral storage
Threat Detection & Incident Response	GuardDuty Runtime Monitoring for EKS/ECS/Fargate, Inspector container-to-workload mapping, image-to-container mapping

Decision Tree — Mental Model

Threat

Over-privileged compute identities (broad node roles, unscoped Lambda execution roles); vulnerable or malicious container images reaching production; exposed Kubernetes API servers; stale secrets reused across snapshotted Lambda environments

↓

Security Goal

Scope workload identity tightly per-function/per-pod/per-task, scan every image before and after deployment, and isolate runtimes from each other and from the host

↓

AWS Service

The Compute & Container Security Bundle

Lambda execution roles + code signing EKS Pod Identity / IRSA ECR image scanning (Inspector) GuardDuty Runtime Monitoring

↓

Implementation

Scope a dedicated execution/task/pod role per workload; enable ECR scanning and code signing; use Pod Identity for new EKS workloads; restrict the EKS API server endpoint; enable VPC endpoints for private ECR pulls.

↓

Monitoring

Inspector continuously rescans ECR images and maps them to running containers; GuardDuty Runtime Monitoring watches process/file/network behavior on EC2, ECS, EKS, and Fargate.

↓

Remediation

Rebuild/redeploy a flagged image, rotate compromised credentials surfaced via runtime findings, tighten an overly broad task/pod role identified via least-privilege review.

Final Summary

Must Memorize

EKS Pod Identity is now the AWS-recommended mechanism over IRSA for new workloads — simpler setup, no OIDC provider needed, supports cross-account role chaining (June 2025)
IRSA remains required for non-EKS Kubernetes (EKS Anywhere, self-managed, ROSA) and is still fully supported
Lambda SnapStart introduces TWO specific hazards: repeated uniqueness (frozen random values) and stale secrets (credentials frozen at snapshot time)
ECR image scanning happens AT REST (in the registry); GuardDuty Runtime Monitoring + Inspector container-to-workload mapping cover the RUNNING container — different layers, different tools
The EKS API server endpoint is PUBLIC by default — restricting/private-only access is a deliberate, must-know hardening step

Must Understand

Why a broad node instance role for EKS (vs Pod Identity/IRSA) violates least privilege — every pod on that node inherits the same permissions
The Init/Invoke/Shutdown Lambda execution environment lifecycle and what state persists/doesn't persist across reuse
The distinction triangle: Lambda execution role scoping vs EKS Pod Identity vs ECS/Fargate task roles — same underlying principle (scoped, temporary, per-workload credentials), different mechanisms

Can De-prioritize

Exact SnapStart latency percentage figures
Console UI navigation specifics
Full Kubernetes RBAC syntax beyond the security-relevant concepts

Exam appearance probability: HIGH

Core Services — Deep Dive

Lambda Execution Role & Environment Foundational

Execution roleThe IAM role Lambda assumes to run your function — should be scoped to exactly what THAT function needs, never a broad shared role across many functions

Execution environment lifecycleInit phase (download code, start runtime, run initialization code) → Invoke phase (handler runs) → Shutdown phase — environments are often REUSED across multiple invocations for performance

VPC placementOptional — places the function's ENI inside a VPC for private resource access, at the cost of added cold-start complexity unless using Hyperplane ENIs (current default)

Function URLsDirect HTTPS endpoints for a function — can be configured with IAM auth (default, recommended) or NONE (public, requires deliberate opt-in and careful consideration)

Code signing ensures only code signed by a trusted, designated source can be deployed to a function — preventing an attacker (or an unauthorized developer) from deploying unverified code, even if they have deploy permissions.
Environment reuse means anything cached in global/module-level scope (outside the handler) persists across invocations on the SAME environment — a common source of both performance optimization AND security bugs if secrets/state are mismanaged there.

Lambda SnapStart — Two Specific Security Hazards High — exam-fresh, easily missed

What SnapStart doesSnapshots the fully-initialized execution environment (memory + disk, via Firecracker microVM) after Init completes, then resumes new environments FROM that snapshot instead of repeating initialization — cutting cold-start latency dramatically

Supported runtimesJava (11/17/21), Python 3.12+ (GA), and .NET 8

Hazard 1 — Repeated uniquenessAny random values, unique IDs, or cryptographic seeds/nonces generated DURING initialization are captured in the snapshot and then REUSED IDENTICALLY across every environment resumed from it — leading to predictable UUIDs, repeated encryption nonces, or duplicate session tokens unless uniqueness is regenerated AFTER restore

Hazard 2 — Stale secretsSecrets/credentials retrieved DURING initialization are frozen into the snapshot. If the secret is rotated afterward, the function keeps using the STALE credential until the snapshot itself is refreshed

The fixMove secret retrieval to the INVOCATION phase (inside the handler, not at module/global init scope), or use a runtime hook (after-restore hook) to refresh secrets/regenerate uniqueness immediately after the snapshot is resumed

"Our SnapStart-enabled Lambda function keeps using an old database password even though we rotated it in Secrets Manager last week" → classic stale-secrets-from-snapshot symptom; the fix is moving retrieval to invoke-time or adding an after-restore hook.
"Multiple concurrent invocations of our SnapStart function are generating identical session tokens" → classic repeated-uniqueness symptom from values generated during Init being baked into the shared snapshot.

EKS Security Fundamentals Control plane + workload

API server endpointPUBLIC by default — anyone on the internet can attempt to authenticate against your cluster unless you restrict it to private-only or a defined CIDR allowlist

RBACKubernetes-native role-based access control governs what authenticated identities can do WITHIN the cluster — overly permissive RBAC bindings combined with a public endpoint is a documented, real-world attack pattern

Network policiesKubernetes-native or VPC CNI-enhanced network policies control pod-to-pod traffic WITHIN the cluster, providing the equivalent of security groups at the pod level

EKS Auto ModeA fully-managed infrastructure option reducing the operational/security surface customers must directly manage themselves

The anti-pattern to flag immediately: attaching a broad IAM policy to the WORKER NODE's instance profile so "every pod gets what it needs" — this grants every single pod scheduled on that node the SAME broad permissions, violating least privilege catastrophically. Pod Identity/IRSA exist specifically to avoid this.

EKS Pod Identity vs IRSA High — the central workload-identity distinction

IRSA (IAM Roles for Service Accounts)Introduced 2019. Built on OIDC federation — requires creating an OIDC identity provider per cluster and embedding the cluster's unique OIDC issuer URL into each IAM role's trust policy

EKS Pod IdentityIntroduced re:Invent 2023. An agent-based association model — an EKS Auth API plus a per-node agent pod provides credentials, with NO OIDC provider setup and NO embedded issuer URL needed in the trust policy

Why Pod Identity is now recommendedSimpler trust policies (just trust the pods.eks.amazonaws.com service principal), centralized visibility via ListPodIdentityAssociations, faster role changes with NO pod restart required, and native support for session tags enabling ABAC

Cross-account role chaining (June 2025)A new targetRoleArn parameter (alongside the existing roleArn) lets a Pod Identity association automatically chain into a role in a DIFFERENT AWS account — when both are specified, EKS performs the role-chaining automatically

Security boundary granularityBoth IRSA and Pod Identity scope credentials at the SERVICE ACCOUNT level, not the individual pod level — multiple pods using the same service account share the same associated role

When IRSA is still required, not just "still supported": non-EKS Kubernetes deployments (EKS Anywhere, self-managed K8s on EC2, Red Hat OpenShift Service on AWS/ROSA) — Pod Identity is an EKS-specific feature and doesn't extend to these environments. Also required for EKS clusters on Kubernetes versions older than 1.24 (Pod Identity's minimum version).
A real-world historical constraint solved by Pod Identity: IRSA trust policies have a 4096-character hard limit, which used to cap how many clusters could share a single role (e.g., roughly 12 clusters max for some integration patterns) — Pod Identity removes this constraint since trust boundaries are managed via association APIs, not embedded per-cluster OIDC conditions.
"We're a cluster administrator without IAM admin permissions, and coordinating with the IAM team just to create an OIDC provider is slowing us down" → exactly the friction Pod Identity was built to eliminate.

Container Security — Images & Runtime ECR, ECS, Fargate

ECR basic scanningAWS native basic scanning (GA, recommended, default for new registries) checks images against a CVE database; the older Clair-based basic scanning is deprecated, with regional support ending October 1, 2025

ECR enhanced scanningPowered by Amazon Inspector — continuous rescanning (not just at push time), broader OS support, and since March 2025, explicit support for minimal base images: scratch, distroless, and Chainguard images

Image-to-container mappingInspector can show which ECR images are ACTUALLY running in live containers and how widely deployed they are — letting teams prioritize remediation by real exposure, not just registry presence

Image signingCryptographically verifying that the image about to run is the SAME image that passed CI/CD security checks — without it, a compromised registry or pipeline could inject a malicious image with no detection at deploy time

GuardDuty Runtime MonitoringCovers EC2, ECS, EKS, and Fargate — a lightweight agent analyzes on-host behavior (process execution, file access, network connections) to catch privilege escalation, exposed-credential use, and malware presence

Fargate-specificEphemeral storage (20 GiB default, up to 200 GiB) is encrypted by default using an AES-256 key managed by Fargate, or customer-managed KMS keys for additional control

The at-rest vs running distinction is the core exam test here: ECR scanning only covers images STORED in ECR repositories. Once deployed, Inspector separately assesses RUNNING containers on ECS/EKS/Fargate for vulnerabilities — and this running-container assessment works regardless of which registry the image originally came from (not ECR-exclusive).
Restricting ECR pulls to only succeed from within your VPC (via VPC endpoint condition keys like aws:sourceVpce on the repository policy) means even a compromised IAM credential with pull permissions can't exfiltrate the image from outside your network — a meaningful blast-radius reduction.

AWS Exam Thinking

Requirement → Keywords → Expected Answer → why every distractor fails.

Grant a new EKS workload scoped AWS permissions, with the simplest setup and no OIDC provider configuration needed

new EKS workloadsimplest setupno OIDC config

Expected Answer

EKS Pod Identity

Distractor	Why it's wrong
IRSA	Requires creating/managing an OIDC provider and embedding the cluster's issuer URL into the role trust policy — more setup overhead than the question calls for
Broad node instance role	Grants every pod on the node the same permissions, violating least privilege

Grant scoped AWS permissions to a workload on a self-managed Kubernetes cluster on EC2 (not EKS)

self-managed Kubernetesnot EKS

Expected Answer

IRSA

Distractor	Why it's wrong
EKS Pod Identity	EKS-specific feature, requiring the EKS Pod Identity Agent add-on and EKS Auth API — does not extend to self-managed Kubernetes

A SnapStart-enabled Lambda function continues using a database password after it was rotated in Secrets Manager

SnapStartstale credentialrotated secret not picked up

Expected Answer

Move secret retrieval to invocation phase, or add an after-restore runtime hook to refresh it

Distractor	Why it's wrong
Disable Secrets Manager rotation	Removes the security benefit of rotation entirely instead of fixing the actual root cause (the secret being frozen into the snapshot)
Increase the function's memory allocation	Unrelated to the snapshot/secret-staleness mechanism causing the symptom

Determine if a vulnerable ECR image is actually deployed and running anywhere right now

actually runningdeployment exposure

Expected Answer

Inspector image-to-container mapping

Distractor	Why it's wrong
ECR basic/enhanced scanning alone	Tells you the image HAS a vulnerability, not whether/where it's currently deployed and running — that's the mapping capability's specific job

Ensure even a compromised IAM credential with ECR pull permissions can't exfiltrate an image from outside the corporate network

restrict pull to VPCblast radius reduction

Expected Answer

ECR repository policy with a VPC endpoint condition key (aws:sourceVpce)

Distractor	Why it's wrong
IAM policy restricting ecr:BatchGetImage alone, without the VPC condition	Still allows the pull from anywhere if the credential itself is valid — the VPC source condition is what specifically blocks pulls from outside the network

Integrations

Amazon Inspector

WhatPowers ECR enhanced scanning, assesses running containers on ECS/EKS/Fargate, and provides image-to-container mapping

Amazon GuardDuty

WhatRuntime Monitoring covers EC2, ECS, EKS, and Fargate via a lightweight agent; Lambda Protection analyzes function network activity

AWS Secrets Manager

WhatSource of credentials Lambda functions retrieve — critical to retrieve at invoke-time (not init-time) for SnapStart-enabled functions to avoid staleness

AWS Security Hub

WhatAggregates findings from ECS/ECR security checks (e.g. "Fargate services should run on the latest platform version") alongside Inspector and GuardDuty findings, supporting EventBridge-triggered automated remediation

AWS Organizations / IAM Identity Center

WhatEKS Pod Identity's cross-account role chaining builds on the same temporary-credential, OIDC-adjacent federation principles covered in the Identity Federation bundle

VPC Endpoints

WhatEnable private ECR pulls without internet/NAT exposure, and support repository policy conditions restricting pulls to only originate from within the VPC

Costs, Limits & Quotas

Pricing Model

LambdaPay per invocation + duration (GB-seconds); SnapStart has no additional charge for snapshot storage on supported runtimes

EKSPer-cluster hourly charge, plus underlying EC2/Fargate compute costs for worker capacity

ECRStorage per GB-month, plus data transfer; basic scanning is free, enhanced (Inspector-powered) scanning is billed per image scanned

GuardDuty Runtime MonitoringPriced per vCPU-hour of monitored compute, consistent with the GuardDuty module's general pricing pattern

Common Cost Mistakes

Leaving Lambda functions without SnapStart on latency-sensitive Java workloads, paying the cold-start cost in both performance and (indirectly) duration-based billing unnecessarily
Enabling ECR enhanced scanning broadly across every repository, including ones with low-risk or rarely-deployed images, instead of prioritizing by actual deployment exposure
Running redundant IRSA AND Pod Identity configurations for the same workload during a slow, incomplete migration

Cost Optimization

Use SnapStart for latency-sensitive Java/Python/.NET functions where cold-start cost is meaningful, at no additional snapshot-storage charge
Prioritize ECR enhanced scanning and image-to-container mapping review on images with confirmed running deployments rather than the full registry
Complete IRSA-to-Pod-Identity migrations rather than running both indefinitely, simplifying both cost tracking and security review

Limits & Quotas

SnapStart runtime supportJava 11/17/21, Python 3.12+, .NET 8 — not universal across all Lambda runtimes

SnapStart snapshot expiryAfter 14 days without invocation, the function version becomes inactive and the snapshot is deleted; next invocation re-initializes from scratch

IRSA trust policy limit4096-character hard limit historically constrained how many clusters could share a single IAM role via embedded OIDC conditions

Pod Identity minimum versionRequires EKS clusters on Kubernetes 1.24 or later

Fargate ephemeral storage20 GiB default, up to 200 GiB maximum via the ephemeralStorage task definition parameter

⚠️ Exam trap

SnapStart's security boundary for credentials is at the EXECUTION ENVIRONMENT/SNAPSHOT level, not per-invocation — meaning a vulnerability isn't about the SnapStart feature being insecure per se, but about a developer's INITIALIZATION-PHASE CODE accidentally baking stale or non-unique values into something that gets reused across many invocations.

Best Practices & Common Exam Traps

8 — Best Practices

Must Know

EKS Pod Identity is the recommended successor to IRSA for new workloads; IRSA remains required for non-EKS Kubernetes
SnapStart's two hazards: repeated uniqueness and stale secrets — fix by moving sensitive/unique generation to invoke-time or an after-restore hook
ECR scanning (at rest) ≠ Inspector running-container assessment ≠ GuardDuty Runtime Monitoring (behavioral) — three different layers
EKS API server endpoint is public by default — restrict deliberately
Never attach broad permissions to an EKS node's instance role for "all pods to share"

Good Practice

Scope a dedicated execution/task/pod role per workload, never shared broadly
Enable ECR enhanced scanning (Inspector-powered) for continuous rescanning, not just at-push checks
Use code signing for Lambda to ensure only verified code is ever deployed
Migrate IRSA workloads to Pod Identity where the cluster/Kubernetes version supports it

Advanced Practice

Use Pod Identity's cross-account role chaining (targetRoleArn) for multi-account EKS architectures instead of manual cross-account trust wiring
Restrict ECR repository policies with VPC endpoint source conditions to reduce credential-theft blast radius
Use Inspector's image-to-container mapping to prioritize remediation by actual deployment exposure, not registry presence alone
Use Pod Identity session tags for ABAC-driven, attribute-based pod permission scoping at scale

9 — Common Exam Traps

Misconception	Reality
"IRSA is deprecated now that Pod Identity exists"	False — IRSA remains fully supported and is REQUIRED for non-EKS Kubernetes deployments and older cluster versions; Pod Identity is the recommended choice for NEW EKS-specific workloads, not a forced migration
"SnapStart is insecure and shouldn't be used for functions handling secrets"	SnapStart itself isn't insecure — the risk is specific, avoidable developer patterns (retrieving secrets at init-time instead of invoke-time); proper handling fully mitigates both hazards
"ECR image scanning covers a container for its entire runtime lifecycle automatically"	Basic at-push scanning is a point-in-time check; enhanced scanning continuously rescans the IMAGE in the registry, but assessing the RUNNING container is a separate Inspector capability
"The EKS API server is private by default, like most managed AWS service endpoints"	False — it is PUBLIC by default and must be deliberately restricted
"A broad IAM role on the EKS worker node is fine since it's just for infrastructure-level access"	It grants every pod scheduled on that node the same permissions — a major least-privilege violation, not an acceptable infrastructure-only shortcut

Lookalike Comparisons

Comparison	What actually differs
EKS Pod Identity vs IRSA	Agent-based, no OIDC provider, simpler trust policy, cross-account role chaining vs OIDC-federation-based, per-cluster issuer setup, required for non-EKS Kubernetes
ECR basic scanning vs enhanced scanning	Free, CVE-database point-in-time check vs Inspector-powered, continuous rescanning, broader OS/minimal-base-image support, billed per image
ECR scanning vs Inspector running-container assessment vs GuardDuty Runtime Monitoring	Image at rest in the registry vs running container's known vulnerabilities vs running container's BEHAVIORAL/process activity — three distinct layers of the same lifecycle
Lambda execution role vs Lambda code signing	Controls what AWS resources the function can access vs controls whether the deployed CODE itself is trusted/verified — permission scope vs code integrity
SnapStart init-phase retrieval vs invoke-phase retrieval (for secrets)	Frozen into the snapshot, reused stale across all resumed environments vs fetched fresh on every actual invocation — the single most important SnapStart security decision

Flashcards — 16 Cards

Click card to flip. Mark right or wrong to track score.

Click to reveal answer

1 / 16

Mark: Score: 0/0

Practice Quiz — 9 Questions

SCS-C02 scenario style, Easy → Specialty. Select an answer to reveal the explanation.

out of 9 correct