
I would like to create an app that accepts users' Python scripts and executes them as part of its functionality. What I am wondering is if it's possible to block I/O, network and other attack vectors so I can have some confidence my AWS resources/account won't be compromised?

Or if I isolate the process into a Linux user account with few permissions, would that be good enough?

Or is my best bet trying to adapt it to something like Brython or Jupyter to have it run in the browser and rely on those libraries for security?

I know there are companies like Codility that SEEM to do this successfully. However, I know of others, like Quantopian, that have been hacked. I apologize, I don't have a lot of experience with this type of issue.

Z.T.
achyrd

1 Answer


This is not an AWS question; this is a Python sandboxing question.

Real OS-level sandboxes like seccomp can be used to prevent a process running the CPython interpreter running attacker-supplied code from escaping and doing harm. Securely communicating with it to feed input into it and get the result out of it is complicated.

Virtualization can be used, but there have been escapes for Xen, KVM, VMware, etc.

QubesOS does this, kinda, for desktop use.

Google gVisor is used by GCP to guard customers from other customers.

I would trust a system that really launches a new AWS EC2 instance for each customer to run their script.

Creating a new AWS Lambda to run once and then delete the Lambda function would also work (provided the 5 minute cap on Lambda running time is ok).

Creating a container and running it on AWS EKS and then killing it should also work.

Regardless of the way you run it, you must have a dead-simple impossible-to-do-wrong secure way to get results out, i.e. you must make the format of the result extremely simple, no de-serialization, so it will not be possible to attack your main server through this channel.

Z.T.
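The answer's last point, sketched as an added example that is not part of the original answer: the trusted side reads a bounded number of bytes from the worker and accepts only one fixed grammar, with no deserializer involved. The result format (a single decimal integer and a newline), the 32-byte cap, and the names `parse_result`, `collect` and `BadResult` are assumptions made for this illustration.

```python
import re
import subprocess
import sys
import threading

MAX_RESULT_BYTES = 32                        # assumed cap, chosen for this example
RESULT_RE = re.compile(rb"-?[0-9]{1,18}\n")  # assumed format: one integer, one newline


class BadResult(Exception):
    """Worker output did not match the fixed result format."""


def parse_result(raw: bytes) -> int:
    # Whole-buffer match against a fixed grammar: no pickle, JSON, YAML or eval.
    if len(raw) > MAX_RESULT_BYTES or not RESULT_RE.fullmatch(raw):
        raise BadResult("result rejected")   # do not echo the raw bytes anywhere
    return int(raw[:-1].decode("ascii"))


def collect(worker_cmd, timeout_s=5.0) -> int:
    # worker_cmd stands in for the isolated worker (instance, Lambda, container);
    # a plain subprocess is NOT a sandbox, it only lets the example run locally.
    proc = subprocess.Popen(worker_cmd, stdin=subprocess.DEVNULL,
                            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    watchdog = threading.Timer(timeout_s, proc.kill)   # hard wall-clock limit
    watchdog.start()
    try:
        raw = proc.stdout.read(MAX_RESULT_BYTES + 1)   # never buffer more than this
        if len(raw) > MAX_RESULT_BYTES:
            proc.kill()                                # still writing: stop it
        status = proc.wait()                           # bounded by the watchdog
    finally:
        watchdog.cancel()
        proc.stdout.close()
    if status != 0:
        raise BadResult("worker failed, was killed, or timed out")
    return parse_result(raw)


if __name__ == "__main__":
    print(collect([sys.executable, "-I", "-c", "print(6 * 7)"]))  # constructed worker
    for hostile in ("print('A' * 10**6)", "print('{\"r\": 42}')"):
        try:
            collect([sys.executable, "-I", "-c", hostile])
        except BadResult as exc:
            print("rejected:", exc)
```

Richer results can keep the same shape by adding fixed-width or strictly delimited fields to the grammar, so the trusted server still never runs a general-purpose parser on worker output.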