Security by design principles

There are many security standards, principles, certifications, and guidance—probably enough to fill a few books. Here is one that I found practical and useful, from the Open Web Application Security Project (OWASP) at https://www.owasp.org. The OWASP security by design principles (https://www.owasp.org/index.php/Security_by_Design_Principles) apply to any system, application, or service, helping to make them more secure by design, and that includes serverless computing. Even if there are no servers that need managing with serverless, you still need to ensure your architecture, integration, configuration, and code adhere to the following principles:

  • Minimize attack surface area: Every added feature is a risk, so ensure each one is secure; for example, delete any Lambdas that are no longer being used.
  • Establish secure defaults: Set secure defaults for every user, Identity and Access Management (IAM) policy, and serverless stack component.
  • Principle of least privilege: Give each account or service the least amount of privilege required to perform its business processes. For example, if a Lambda only needs read access to a table, then it should have no more access than that.
  • Principle of defense in depth: Have different validation layers and centralized audit controls.
  • Fail securely: Ensure that if a request or transformation fails, the system is still secure.
  • Don't trust services: Especially third parties, external services, or libraries; for example, JavaScript and Node.js libraries infected with malware.
  • Separation of duties: Use a different role for a different task; for example, administrators should not be users or system users.
  • Avoid security by obscurity: This is generally a bad idea and a weak security control. Instead of relying on the architecture or source code being secret, rely on other factors, such as good architecture, limiting requests, and audit controls.
  • Keep security simple: Don't over-engineer; use simple architectures and design patterns.
  • Fix security issues correctly: Fix issues promptly and add new tests.

Keep these principles in mind when building any serverless microservices.
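As an added illustration of the least-privilege principle above (not code from the book), this check audits an IAM policy attached to a Lambda that only needs read access to a table. It assumes the table is in DynamoDB; the read-only allow-list, account ID, and table name are constructed for the example.

```python
# Assumed allow-list: the DynamoDB actions a read-only function needs.
READ_ONLY = {a.lower() for a in (
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
    "dynamodb:Scan", "dynamodb:DescribeTable")}

def _as_list(value):
    # IAM accepts either a single value or a list for these fields.
    return value if isinstance(value, list) else [value]

def excess_privileges(policy):
    """Return (sid, item, reason) for every Allow grant beyond read-only."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only reduce privilege
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction", "allows all but the listed actions"))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action or "?" in action:
                findings.append((sid, action, "wildcard action"))
            elif action.lower() not in READ_ONLY:  # action names are case-insensitive
                findings.append((sid, action, "not needed for read access"))
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:  # conservative: any wildcard ARN is flagged
                findings.append((sid, resource, "wildcard resource"))
    return findings

# Constructed sample policies; the account ID and table name are placeholders.
TABLE = "arn:aws:dynamodb:eu-west-1:111122223333:table/example-table"
OVER_PRIVILEGED = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TableAccess",
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:*"],
    "Resource": "*",
}]}
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": {
    "Sid": "ReadTable",
    "Effect": "Allow",
    "Action": ["dynamodb:GetItem", "dynamodb:Query"],
    "Resource": TABLE,
}}

if __name__ == "__main__":
    for finding in excess_privileges(OVER_PRIVILEGED):
        print(finding)
```

Running a check like this in a deployment pipeline turns the principle into a test that fails when a role gains write or wildcard access.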
