Docker Bug Allows Root Access to Host File System

I’m not sure if it’s openly documented (I think it is, actually) but all of the serverless AWS offerings, namely Lambda and Fargate, spin up the infrastructure (EC2 instances) within your account’s partition; the underlying VM is not shared across accounts. In effect, there are no other customers running Fargate containers or Lambda functions within the same VM as your functions or containers (and thus there is also no risk beyond you running code on a plain EC2 instance). Your account will obviously share these (1 or more) hidden VMs for their own invocations.

As soon as you provision a single Lambda function, for example, a VM is permanently spun up and ready to execute any Lambda calls in your account (per region, of course).
