Running lambda container as non-root #1301
This may not be important inside of lambda (not familiar with actual execution environment) but we have security software that flags containers that are stored in ECR if they are running as root user. Is there any guidance on running the dotnet containers as non-root? I threw a USER 1001 before my CMD and everything seemed to behave as normal but not sure if this will break parts of the lambda container.
Replies: 2 comments
Hello! Reopening this discussion to make it searchable.
The documentation states that "Lambda follows security best practices by defining a default Linux user with least-privileged permissions" (Source). You can confirm this by checking the user executing the process at runtime in your own lambda. For example in my NodeJS lambda, I have:
Which logs the following line in CloudWatch:
Executing user: { uid: 993, gid: 990, username: 'sbx_user1051', homedir: '/home/sbx_user1051', shell: '/sbin/nologin' }
Which is obviously not root. Note that I get this user even if I specify a USER 1001 in my …
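The runtime check described in the reply above, written out as an added example (not the poster's code, and not part of the original thread): a Node.js handler that logs the executing user and refuses to run if the real or effective uid is 0. The function names `assessIdentity` and `currentIdentity` are hypothetical.

```javascript
// Added example, not from the original thread. Function names are hypothetical.

// Pure policy check: flag an identity whose real or effective uid is 0.
function assessIdentity({ uid, euid }) {
  const runsAsRoot = uid === 0 || euid === 0;
  const reason = runsAsRoot ? `uid=${uid} euid=${euid} includes root` : 'non-root';
  return { runsAsRoot, reason };
}

// Collect the identity of the current process (POSIX only).
function currentIdentity() {
  const ids = {
    uid: process.getuid(),
    euid: process.geteuid(),
    gid: process.getgid(),
  };
  let username = null;
  try {
    // os.userInfo() can throw when the uid has no passwd entry, which is
    // possible with a bare numeric USER in a Dockerfile, so it is optional.
    username = require('node:os').userInfo().username;
  } catch (err) {
    // Keep the numeric ids only.
  }
  return { ...ids, username };
}

// Lambda handler: log the identity on each invocation and fail closed on root.
const handler = async () => {
  const identity = currentIdentity();
  const verdict = assessIdentity(identity);
  console.log(JSON.stringify({ msg: 'Executing user', ...identity, ...verdict }));
  if (verdict.runsAsRoot) {
    throw new Error(`refusing to run: ${verdict.reason}`);
  }
  return identity;
};

if (typeof module !== 'undefined') {
  module.exports = { handler, assessIdentity, currentIdentity };
}
```

Because the check reads the numeric ids from `process` rather than relying on a passwd lookup, the same image can be run outside Lambda to see which user a `USER` directive actually produces there.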