AWS Lambda MicroVMs Solve the AI Code Execution Security Problem

The explosion of AI agents writing and executing arbitrary code has exposed a critical infrastructure gap. When an LLM generates a Python script to analyze a dataset, that script must run in an environment that is secure, fast to boot, and capable of retaining state across multiple turns of a conversation.

Historically, developers faced a bad set of trade-offs. Traditional virtual machines provide strong hardware-level isolation but take minutes to boot. Containers spin up in seconds, but their shared-kernel architecture makes them risky sandboxes for untrusted code. Standard serverless functions boot quickly but are stateless, limited to short execution windows, and not designed for interactive, multi-turn sessions.

AWS addressed this gap on June 22, 2026, by launching AWS Lambda MicroVMs. This new serverless compute primitive exposes AWS's internal virtualization technology directly to developers, allowing them to spin up stateful, highly isolated sandboxes on demand. By providing virtual machine level isolation with near-instant launch and resume speeds, AWS is shifting the serverless model from stateless event-driven functions to on-demand, secure runtime infrastructure.

The Architecture Shift: From Stateless Functions to Stateful Sandboxes

To understand where Lambda MicroVMs fit, it helps to contrast them with traditional Lambda functions. While traditional Lambda uses Firecracker internally to isolate function executions, the lifecycle of those environments is entirely managed by AWS. Traditional functions are stateless, capped at a 15-minute execution limit, and designed to process discrete events.

Lambda MicroVMs turn this model on its head. They give developers direct control over the virtual machine lifecycle, extending the maximum execution time to 8 hours and allowing memory and disk state to be preserved during suspension.

Under the hood, this capability relies on Firecracker, an open-source virtual machine monitor written in Rust that uses Linux's Kernel-based Virtual Machine (KVM) to create lightweight virtual machines. Firecracker boots microVMs in as little as 125 milliseconds with less than 5 MiB of memory overhead. By snapshotting the active memory and disk state of these microVMs, AWS allows developers to pause environments when they are idle and resume them instantly when a new request arrives, without losing context.

The Developer Workflow: Building and Running a MicroVM

Adopting Lambda MicroVMs requires a shift in how you package and deploy code. Instead of uploading a ZIP file containing a single handler function, you package a full application inside a container image, which AWS then uses to generate a bootable MicroVM snapshot.

First, you define your environment using a Dockerfile. The base image must use the AWS-provided minimal runtime:

FROM public.ecr.aws/lambda/microvms:al2023-minimal
RUN dnf install -y python3 python3-pip && dnf clean all
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY app.py .
EXPOSE 8080
CMD ["gunicorn", "--bind", "0.0.0.0:8080", "app:app"]

This Dockerfile sets up a standard Flask application running on Gunicorn. Once packaged into a ZIP file and uploaded to Amazon S3, you create the MicroVM image using the AWS CLI (which requires version 2.35.10 or higher to support the lambda-microvms subcommand):

Advertisement

Serverless Inference by DigitalOcean 55+ models, every modality. One API key, one bill.

aws lambda-microvms create-microvm-image \
  --name flask-microvm-demo \
  --code-artifact uri=s3://YOUR-BUCKET-NAME/app.zip \
  --base-image-arn arn:aws:lambda:us-east-1:aws:microvm-image:al2023-1 \
  --build-role-arn arn:aws:iam::123456789012:role/MicroVMBuildRole \
  --region us-east-1

During this build process, AWS retrieves the artifact, runs the Dockerfile, initializes the application, and takes a Firecracker snapshot of the running disk and memory state. This process takes approximately 3 minutes to complete.

Once the image state transitions to CREATED, you can launch an isolated MicroVM instance:

aws lambda-microvms run-microvm \
  --image-identifier arn:aws:lambda:us-east-1:123456789012:microvm-image:flask-microvm-demo \
  --ingress-network-connectors "arn:aws:lambda:us-east-1:aws:network-connector:aws-network-connector:ALL_INGRESS" \
  --egress-network-connectors "arn:aws:lambda:us-east-1:aws:network-connector:aws-network-connector:INTERNET_EGRESS" \
  --idle-policy '{"maxIdleDurationSeconds":900,"suspendedDurationSeconds":300,"autoResumeEnabled":true}' \
  --region us-east-1

The --idle-policy parameter is key to managing costs. In this example, the MicroVM will automatically suspend after 15 minutes of inactivity. When suspended, its memory and disk state are saved. When a new request hits the dedicated HTTPS endpoint, the MicroVM resumes from the snapshot with its application state fully intact, making the pause transparent to the client.

To communicate with the running MicroVM, you generate a short-lived authentication token and attach it to your HTTPS requests using the X-aws-proxy-auth header. The endpoint supports modern protocols including HTTP/2, gRPC, and WebSockets, making it suitable for interactive terminals or streaming data applications.

Security and Operational Trade-offs

For teams building AI agents, interactive coding platforms, or multi-tenant data analytics tools, Lambda MicroVMs solve a major security headache. Firecracker's "jailer" model applies multiple layers of defense, including cgroups, namespace isolation, seccomp filters, and chroot containment. This guarantees that even if an AI agent generates malicious code that attempts a container breakout, the attack is confined to that specific MicroVM, protecting other tenants and the host system.

However, this security and flexibility comes with operational overhead. Unlike standard Lambda, where networking is fully managed, developers using MicroVMs must explicitly configure ingress and egress network connectors. You also need to manage the lifecycle of these environments, including monitoring idle states and handling the 8-hour maximum execution limit.

Pricing also follows a hybrid model. You pay for the baseline compute resources while the MicroVM is active, and you are billed for additional resource consumption only when your workload exceeds that baseline. If your application has highly sporadic traffic, the cost of keeping idle MicroVMs suspended (which can be held for up to 8 hours) must be carefully weighed against the cost of cold-starting standard containers.

A New Primitive for the Agentic Era

AWS Lambda MicroVMs represent a pragmatic evolution of serverless compute. By exposing Firecracker's raw virtualization capabilities as a managed service, AWS has delivered a production-ready solution for executing untrusted code.

This release is not a replacement for traditional event-driven Lambda functions. Instead, it is a specialized tool for developers building the next generation of AI assistants, collaborative coding environments, and secure SaaS platforms. By eliminating the need to build and maintain custom virtualization control planes, AWS has made secure, multi-tenant code execution accessible to any engineering team.