DETERMINISTIC PROPAGATION CONTROL IN EVENT-DRIVEN SERVERLESS SYSTEMS
DOI:
https://doi.org/10.28925/2663-4023.2026.33.1257
Keywords:
serverless security, event-driven architectures, AWS Lambda, Amazon SQS, event amplification, blast radius, quarantine routing
Abstract
Event-driven serverless pipelines can exhibit event amplification, where a small number of admitted inputs triggers a disproportionately large volume of downstream executions through fan-out, retries, or cyclic propagation. This phenomenon is security-relevant because it expands operational blast radius, increases availability risk, and enables cost-exhaustion effects in pay-per-use environments. This paper presents a reproducible AWS-based experimental study of propagation control in a queue-triggered serverless pipeline built on AWS Lambda and Amazon SQS. Two architectures are compared using an A/B protocol: a baseline design in which events are injected directly into the main queue, and a guarded design that inserts a deterministic ingress risk gate with quarantine routing prior to the main processing path. The evaluation operationalises propagation using an Amplification Factor (AF), complemented by queue deltas and invocation metrics. Results show functional equivalence under nominal traffic (Amplification Factor = 1.0 in both modes) and retry-driven inflation for poison messages consistent with dead-letter queue isolation. For the fan-out workload, a total-blocking threshold (τ = 0.0, Zone A) eliminated all downstream processing (Amplification Factor = 0.0), representing a theoretical upper bound that also blocks normal traffic. Zone B (0.05 < τ ≤ 0.25) was experimentally validated at τ = 0.25: the ingress gate alone reduced AF from 16.6 to 4.28 (74.2% reduction); adding the processor-side fan-out cap further reduced AF to 3.0 (82.0% total reduction). A bounded loop workload remains propagation-bounded (Amplification Factor = 5.0) while exhibiting workload-dependent terminal flagging semantics. Overall, the findings demonstrate that a minimal, deterministic ingress control point can substantially reduce blast radius for high-amplification event patterns without relying on learned models, provided that event producers operate within a trusted-producer perimeter.
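An in-memory model of the baseline and guarded designs described in the abstract, added here as an illustration; it is not the authors' code. The risk score (producer-declared fan-out divided by 20), the rule "quarantine when score ≥ τ", the AF definition (processor invocations per injected event) and both workloads are assumptions constructed for this example, so its AF values do not reproduce the paper's figures.

```python
from collections import deque

RISK_SCALE = 20.0  # assumed: a declared fan-out of 20 or more maps to risk 1.0

def risk_score(event):
    """Assumed deterministic score from producer-declared metadata, in [0, 1]."""
    return min(event.get("fan_out", 0) / RISK_SCALE, 1.0)

def run_pipeline(events, tau=None, fanout_cap=None):
    """Simulate one run. tau=None is the baseline (direct injection into main)."""
    main, quarantine = deque(), []
    for ev in events:  # ingress gate: evaluated once, before the main queue
        if tau is not None and risk_score(ev) >= tau:
            quarantine.append(ev)  # never reaches the processor
        else:
            main.append(ev)
    invocations = 0
    while main:  # processor: one invocation per message taken from main
        ev = main.popleft()
        invocations += 1
        children = ev.get("fan_out", 0)
        if fanout_cap is not None:
            children = min(children, fanout_cap)  # processor-side fan-out cap
        main.extend({"fan_out": 0} for _ in range(children))  # leaf events
    return {"af": invocations / len(events),
            "invocations": invocations,
            "quarantined": len(quarantine)}

# Constructed workloads (not the paper's data).
NOMINAL = [{"fan_out": 0}] * 10
MIXED = [{"fan_out": 0}] * 6 + [{"fan_out": 4}] * 2 + [{"fan_out": 10}] * 2

if __name__ == "__main__":
    for label, kwargs in [("baseline", {}),
                          ("gate tau=0.25", {"tau": 0.25}),
                          ("gate + cap", {"tau": 0.25, "fanout_cap": 2}),
                          ("tau=0.0", {"tau": 0.0})]:
        print(label, run_pipeline(MIXED, **kwargs))
```

In this model the score depends on a field the producer declares, so an event that understates `fan_out` passes the gate and only the processor-side cap still bounds it.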
License
Copyright (c) 2026 Віталій Молнар, Дмитро Сабодашко

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.