CoursesAdvanced cloud securityPosture, compliance & workloads

Container & serverless workload security

Least-privilege roles, runtime controls, and image provenance.

Advanced35 min · lesson 14 of 15

Workloads are where identity, network, and posture meet the running code. A container or function that is compromised becomes whatever its cloud role allows, reaches whatever the network permits, and runs whatever made it into the image. Securing the workload means shrinking each of those to the minimum: a tight identity, a verified image, and a constrained runtime.

Least-privilege workload identity

Every workload should have its own cloud identity scoped to exactly the resources it uses — never a shared, broad node role that any pod can borrow. On Kubernetes this is IRSA (AWS) or Workload Identity (GKE/AKS): a service account maps to a cloud role via federation, so a compromised pod inherits only that one workload permission set, not the whole node. Pair a tight role with a hardened runtime — non-root user, read-only root filesystem, dropped capabilities — so a foothold has little to stand on.

a pod with its own scoped identity and hardened runtime
apiVersion: v1
kind: ServiceAccount
metadata:
name: report-svc
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::222222222222:role/report-svc # IRSA
---
apiVersion: apps/v1
kind: Deployment
spec:
template:
spec:
serviceAccountName: report-svc # this workload's identity only
securityContext: { runAsNonRoot: true, seccompProfile: { type: RuntimeDefault } }
containers:
- name: app
image: registry.internal/report@sha256:9f2c... # pinned by digest
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities: { drop: ["ALL"] }

Provenance and runtime

Two more layers close the loop. Provenance: scan images for known vulnerabilities and require a valid signature at admission, so only images your pipeline built and signed can run — a pinned digest plus a verified cosign signature rejects tampered or unknown images. Runtime: behavioral monitoring detects the post-exploitation activity a static scan cannot see, like a shell spawning in a container that should never spawn one. For serverless the levers shift — no OS to patch, so the function role, its dependencies, and its input triggers become the whole attack surface.

Layers of workload security
identity
per-workload role
IRSA / Workload Identity, least privilege
supply chain
image scanning
block known CVEs
signature at admission
only signed, pinned images run
runtime
hardened context
non-root, read-only fs, drop caps
behavioral detection
catch post-exploitation activity
Identity caps what a compromise can reach, provenance controls what can run, runtime catches what gets in. Serverless swaps the OS layer for role + dependencies + triggers.
The function execution role is the serverless blast radius
A serverless function has no host to harden, so its power is almost entirely its IAM role. An over-broad execution role means a single vulnerable dependency or a crafted input becomes access to everything that role can touch. Scope every function role to the specific resources it uses, and keep its dependencies pinned and scanned.