4.2. Compute Workload Security

Your compute resources — EC2 instances, containers, Lambda functions, and AI/ML workloads — are where your code runs and where attackers gain execution. No matter how strong your edge and network defenses, if the compute layer is vulnerable, an attacker who finds a single unpatched CVE or misconfigured role gains a foothold in your environment. Think of compute security like building inspection: the building's walls (network) and doors (edge) are important, but if the structure itself has cracks (vulnerabilities), the whole thing can collapse from inside. What fails when compute security is neglected? An EC2 instance running an outdated AMI with a known RCE vulnerability becomes an entry point; a container image with embedded credentials becomes a credential leak; a Lambda function with an overly permissive role becomes a privilege escalation vector.

This section covers the complete compute security lifecycle — from building hardened images through scanning, patching, access control, pipeline security, and the new GenAI security requirements.

Scenario: A developer deploys a container with a base image that hasn't been updated in 6 months. Inspector identifies 47 known vulnerabilities, including 3 critical CVEs. The container is already running in production.

Reflection Question: How does shifting security left — catching vulnerabilities in images before deployment — prevent the costly scenario of discovering critical CVEs in production?