Recently, Serverless architecture sceptics within the tech community came out in full force in response to an Amazon Prime Video team publishing a blog post titled "Scaling up the Prime Video audio/video monitoring service and reducing costs by 90%". Although the post was published a few months ago, the past week saw responses from some well-known influencers, and as a result the fans of monolithic architecture have been on the offensive.
I originally started writing this post to cover all the reasons that Serverless Architecture is still my preferred option when building new services, but despite first-hand experience helping to build cinch.co.uk, which is 100% built using Serverless and Event-Driven architecture, I wanted to try to keep the focus on security as much as possible.
When we work with Virtual Machines - Elastic Compute Cloud (EC2) - we need a plethora of AWS resources to support our infrastructure. This increases our responsibility as cloud customers under the shared responsibility model of AWS, and increases the attack surface area - a potential for increased risk. When we make a choice that more of our infrastructure is "in the cloud" and not "of the cloud", this comes with its own costs that aren't necessarily reflected in the AWS Billing dashboard. The extra layers under our control mean we need more security tooling and observability, which doesn't come cheap. The workload of enabling teams and platform teams will also increase.
When we work with Serverless Architecture in AWS we no doubt have a lot of the same concerns; however, facets of risk are abstracted away as more of the network becomes "of the cloud". With Serverless Architecture you can keep platform teams lean, and you might not even need one at all, as the cognitive load for product teams is reduced significantly. We can take full advantage of the expertise of AWS to secure our infrastructure to the highest level. The increased capacity allows teams to take on more responsibility, and makes it easier for stream-aligned teams to own their security posture as the scope isn't as overwhelming.
Although I may be slightly biased, I am still in favour of EC2, ECS, Kubernetes, etc. when they are the right tool for the job, but I'm a big believer in a Serverless-first mindset. Not everyone is building a Prime Video scale service that would benefit from a monolith, and not every company has the platform teams and enabling functions that Prime Video do to ensure their infrastructure is secure.
Within AWS, there are services such as Systems Manager which make OS patching and connecting to hosts easier and more secure, but with Lambda we simply don't need to care - the operating system is not our responsibility. And although it's difficult to quantify, there is definitely value in that.
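As an added example (not code from the post or from cinch.co.uk), here is the kind of check a team running EC2 still has to own and operate: evaluating Systems Manager patch states across a fleet. It assumes a one-week staleness policy and the field names of the `InstancePatchStates` items returned by SSM's `describe_instance_patch_states`; the sample data is constructed.

```python
"""Patch-compliance check for EC2 fleets managed by AWS Systems Manager.

Added example, not from the original post. Thresholds are assumptions;
the dict shape mirrors SSM describe_instance_patch_states() items.
"""
from datetime import datetime, timedelta, timezone

# Assumed policy: any missing or failed patch is non-compliant, and a
# patch scan older than this is treated as stale (state unknown).
MAX_SCAN_AGE = timedelta(days=7)


def find_noncompliant(patch_states, now=None):
    """Return {instance_id: reason} for instances that need attention."""
    now = now or datetime.now(timezone.utc)
    findings = {}
    for state in patch_states:
        iid = state["InstanceId"]
        if state.get("FailedCount", 0) > 0:
            findings[iid] = f"{state['FailedCount']} patch(es) failed to install"
        elif state.get("MissingCount", 0) > 0:
            findings[iid] = f"{state['MissingCount']} approved patch(es) missing"
        elif now - state["OperationEndTime"] > MAX_SCAN_AGE:
            findings[iid] = "last patch scan is stale"
    return findings


def scan_fleet(instance_ids, region="eu-west-2"):
    """Live variant: pull patch states from SSM and evaluate them."""
    import boto3  # imported here so the module loads without boto3 installed
    ssm = boto3.client("ssm", region_name=region)
    resp = ssm.describe_instance_patch_states(InstanceIds=instance_ids)
    return find_noncompliant(resp["InstancePatchStates"])


# Constructed sample data standing in for an SSM response.
NOW = datetime(2023, 5, 10, tzinfo=timezone.utc)
SAMPLE_STATES = [
    {"InstanceId": "i-0aaa", "MissingCount": 0, "FailedCount": 0,
     "OperationEndTime": NOW - timedelta(days=1)},   # compliant
    {"InstanceId": "i-0bbb", "MissingCount": 3, "FailedCount": 0,
     "OperationEndTime": NOW - timedelta(days=1)},   # patches missing
    {"InstanceId": "i-0ccc", "MissingCount": 0, "FailedCount": 1,
     "OperationEndTime": NOW - timedelta(days=2)},   # install failed
    {"InstanceId": "i-0ddd", "MissingCount": 0, "FailedCount": 0,
     "OperationEndTime": NOW - timedelta(days=30)},  # scan too old
]

if __name__ == "__main__":
    for iid, why in find_noncompliant(SAMPLE_STATES, now=NOW).items():
        print(iid, why)
```

With Lambda there is no equivalent of this job to write or schedule, which is the point the paragraph above makes.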