ALPS: Automated Least-Privilege Enforcement for Securing Serverless Functions
This addresses security risks in serverless environments for AI-driven workloads, offering a practical solution with incremental improvements in automation and vendor-agnostic support.
The paper tackled the problem of excessive privilege allocation and poor permission management in serverless computing by presenting ALPS, an automated framework that achieved 94.8% coverage for least-privilege extraction and improved security logic generation quality by up to 220% in evaluations on real-world functions.
Serverless computing is increasingly adopted for AI-driven workloads due to its automatic scaling and pay-as-you-go model. However, its function-based architecture creates significant security risks, including excessive privilege allocation and poor permission management. In this paper, we present ALPS, an automated framework for enforcing least privilege in serverless environments. Our system employs serverless-tailored static analysis to extract precise permission requirements from function code and a fine-tuned Large Language Model (LLM) to generate language- and vendor-specific security policies. It also performs real-time monitoring to block unauthorized access and adapt to policy or code changes, supporting heterogeneous cloud providers and programming languages. In an evaluation of 8,322 real-world functions across AWS, Google Cloud, and Azure, ALPS achieved 94.8\% coverage for least-privilege extraction, improved security logic generation quality by 220\% (BLEU), 124\% (ChrF++) and 100\% (ROUGE-2), and added minimum performance overhead. These results demonstrate that ALPS provides an effective, practical, and vendor-agnostic solution for securing serverless workloads.