ALPS: Automated Least-Privilege Enforcement for Securing Serverless Functions
Changhee Shin, Bom Kim, Seungsoo Lee

TL;DR
ALPS is an automated framework that enhances security in serverless computing by enforcing least privilege through static analysis, language-specific policy generation, and real-time monitoring across multiple cloud providers.
Contribution
ALPS introduces a novel, automated, and vendor-agnostic approach combining static analysis and large language models for least-privilege enforcement in serverless environments.
Findings
Achieved 94.8% permission coverage in real-world functions
Improved security policy quality by over 200% in BLEU, ChrF++, and ROUGE-2 metrics
Maintains minimal performance overhead
Abstract
Serverless computing is increasingly adopted for AI-driven workloads due to its automatic scaling and pay-as-you-go model. However, its function-based architecture creates significant security risks, including excessive privilege allocation and poor permission management. In this paper, we present ALPS, an automated framework for enforcing least privilege in serverless environments. Our system employs serverless-tailored static analysis to extract precise permission requirements from function code and a fine-tuned Large Language Model (LLM) to generate language- and vendor-specific security policies. It also performs real-time monitoring to block unauthorized access and adapt to policy or code changes, supporting heterogeneous cloud providers and programming languages. In an evaluation of 8,322 real-world functions across AWS, Google Cloud, and Azure, ALPS achieved 94.8% coverage for…
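As an added illustration of the static-analysis step the abstract describes (this is example code, not ALPS or the authors' implementation), the following walks the AST of a constructed Lambda-style Python handler, resolves which boto3 client each call goes through, maps known SDK methods to IAM actions scoped to the literal resource the call names, and surfaces unmapped calls for review instead of widening the policy to a wildcard. The SDK_TO_IAM table, the ARN templates and the sample handler are all constructed assumptions.

```python
import ast
# Constructed mapping from boto3 client calls to IAM actions (a tiny subset of the real SDK surface).
SDK_TO_IAM = {("s3", "get_object"): "s3:GetObject", ("dynamodb", "get_item"): "dynamodb:GetItem"}
# Constructed sample handler, not from the paper; a careless deploy often gives it "Action": "*".
SAMPLE_FUNCTION = '''
s3 = boto3.client("s3")
table = boto3.client("dynamodb")
notify = boto3.client("sns")
def handler(event, context):
    obj = s3.get_object(Bucket="orders-in", Key=event["key"])
    row = table.get_item(TableName="orders", Key={"id": {"S": event["id"]}})
    notify.publish(TopicArn=event["topic"], Message="done")  # no entry in SDK_TO_IAM
'''

def resource_arn(service, kwargs):
    # Scope the statement to the literal resource the call names (constructed ARN templates).
    if service == "s3" and "Bucket" in kwargs:
        return f"arn:aws:s3:::{kwargs['Bucket']}/*"
    if service == "dynamodb" and "TableName" in kwargs:
        return f"arn:aws:dynamodb:*:*:table/{kwargs['TableName']}"
    return "*"

class PermissionCollector(ast.NodeVisitor):
    # Tracks names bound by boto3.client('<service>') and the SDK methods invoked on them.
    def __init__(self):
        self.clients, self.grants, self.unmapped = {}, set(), set()
    def visit_Assign(self, node):
        v = node.value
        if (isinstance(v, ast.Call) and ast.unparse(v.func) == "boto3.client"
                and v.args and isinstance(v.args[0], ast.Constant)):
            for t in node.targets:
                if isinstance(t, ast.Name):
                    self.clients[t.id] = v.args[0].value
        self.generic_visit(node)  # still descend: the assigned value may itself be an SDK call
    def visit_Call(self, node):
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in self.clients:
            service = self.clients[f.value.id]
            action = SDK_TO_IAM.get((service, f.attr))
            kwargs = {k.arg: k.value.value for k in node.keywords if isinstance(k.value, ast.Constant)}
            if action:
                self.grants.add((action, resource_arn(service, kwargs)))
            else:  # unknown call: surface it for review rather than silently widening to "*"
                self.unmapped.add(f"{service}.{f.attr}")
        self.generic_visit(node)

def infer_policy(source):  # -> (IAM policy dict, sorted list of unmapped SDK calls)
    c = PermissionCollector()
    c.visit(ast.parse(source))
    statements = [{"Effect": "Allow", "Action": a, "Resource": r} for a, r in sorted(c.grants)]
    return {"Version": "2012-10-17", "Statement": statements}, sorted(c.unmapped)
```

Calling `infer_policy(SAMPLE_FUNCTION)` yields one Allow statement per (action, resource) pair the handler actually needs and reports `sns.publish` as unmapped; the unmapped list is the hook where a policy generator such as the paper's LLM stage, or a human reviewer, has to decide rather than the analyzer guessing.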
Taxonomy
Topics: Security and Verification in Computing · Cloud Computing and Resource Management · Web Application Security Vulnerabilities
