Serverless Defender

Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure they execute as designed.
Per-function policies let you control:
  • Process activity. Enables verification of launched subprocesses against policy.
  • Network connections. Enables verification of inbound and outbound connections, and whitelisting of outbound connections to explicitly allowed domains.
  • File system activity. Controls which parts of the file system functions can access.
Currently, Prisma Cloud supports AWS Lambda functions. The following runtimes are supported:
  • C# (.NET Core 2.1)
  • Java 8
  • Node.js 8.x
  • Python 2.7, 3.6, and 3.7

Securing serverless functions

To secure an AWS Lambda function, embed the Prisma Cloud Serverless Defender into it. The steps are:
  1. Download a ZIP file that contains your function source code and dependencies.
  2. Embed the Serverless Defender into function.
  3. Upload an updated ZIP file to AWS.
  4. Define your policy.

Download your function as a ZIP file

Update your function’s source code so that Serverless Defender runs when your function is invoked. Download your function’s source code from AWS as a ZIP file.
  1. From Lambda’s code editor, click
    Actions > Export function
    .
  2. Click
    Download deployment package
    .
    Your function is downloaded to your host as a ZIP file.
  3. Create a working directory, and unpack the ZIP file there.
    In the next step, you’ll download the Serverless Defender files to this working directory.

Embed Serverless Defender into C# functions

In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by AWS when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.
Prisma Cloud supports .NET Core 2.1.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    C#
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.
    using Twistlock; public class ... { // Original handler public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context) { ... } // Application load balancer example // Twistlock protected handler public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context) { return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context); } ... }
  8. Add the Twistlock package as a dependency in your nuget.config file.
    If a nuget.config file doesn’t exist, create one.
    <configuration> <packageSources> <add key="local-packages" value="./twistlock"/> </packageSources> </configuration>
  9. Reference the Twistlock package in your csproj file.
    <Project> <ItemGroup> <PackageReference Include="Twistlock" Version="19.11.462"/> <TwistlockFiles Include="twistlock/*" Exclude="twistlock/twistlock.19.11.462.nupkg"/> </ItemGroup> <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish"> <Copy SourceFiles="@(TwistlockFiles)" DestinationFolder="$(PublishDir)/twistlock"/> </Target> . . . </Project>
  10. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Java functions

To embed Serverless Defender, import the Twistlock package and update your code to start Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and Gradle projects. You’ll also need to update your project metadata to include Serverless Defender dependencies.
Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library: RequestStreamHandler (where input must be serialized JSON) and RequestHandler.
AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry point to Serverless Defender, assumes the entry point to your code is named handleRequest. After embedding Serverless Defender, update the name of the handler registered with AWS to be the wrapper method that calls Twistlock.Handler() (for example, protectedHandler).
Prisma Cloud supports both service struct and stream input (serialized struct). Even though the Context parameter is optional for unprotected functions, it’s manadatory when embedding Serverless Defender.
Prisma Cloud supports Java 8.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Java
    .
  5. In
    Package
    , select
    Maven
    or
    Gradle
    .
    The steps for embedding Serverless Defender differ depending on the build tool.
  6. Download the Serverless Defender package to your workstation.
  7. Unzip the Serverless Defender bundle into your working directory.
  8. Embed Serverless Defender into your function by importing the Prisma Cloud package and wrapping the function’s handler.
    import com.twistlock.serverless.Twistlock; public class ... implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> { // Original handler @Override public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent request, Context context) { { ... } // RequestHandler example // Twistlock protected handler public APIGatewayProxyResponseEvent protectedHandler(APIGatewayProxyRequestEvent request, Context context) { return Twistlock.Handler(this, request, context); } ... } ...
  9. Update your project configuration file.
    1. Maven
      Update your pom.xml file. Don’t create new sections for the Prisma Cloud configurations. Just update existing sections. For example, don’t create a new <plugins> section if one exists already. Just append a <plugin> section to it.
      Add the assembly plugin to include the Twistlock package in the final function JAR. Usually the shade plugin is used in AWS to include packages to standalone JARs, but it doesn’t let you include local system packages.
      <project> <build> <!-- Add assembly plugin to create a standalone jar that contains Twistlock library --> <plugins> <plugin> <artifactId>maven-assembly-plugin</artifactId> <configuration> <appendAssemblyId>false</appendAssemblyId> <descriptors> <descriptor>assembly.xml</descriptor> </descriptors> </configuration> <executions> <execution> <id>make-assembly</id> <phase>package</phase> <goals> <goal>attached</goal> </goals> </execution> </executions> </plugin> ... </plugins>
      <!-- Add Twistlock resources --> <resources> <resource> <directory>${project.basedir}</directory> <includes> <include>twistlock/*</include> </includes> <excludes> <exclude>twistlock/*.jar</exclude> </excludes> </resource> ... </resources> ... </build>
      <!-- Add Twistlock package reference --> <dependencies> <dependency> <groupId>com.twistlock.serverless</groupId> <artifactId>twistlock</artifactId> <version>19.11.462</version> <scope>system</scope> <systemPath>${project.basedir}/twistlock/twistlock-19.11.462.jar</systemPath> </dependency> ... </dependencies> ... </project>
    2. Create an assembly.xml file, which packs all dependencies in a standalone JAR.
      <assembly> <id>twistlock-protected</id> <formats> <format>jar</format> </formats> <includeBaseDirectory>false</includeBaseDirectory> <dependencySets> <!-- Unpack runtime dependencies into runtime jar --> <dependencySet> <unpack>true</unpack> <scope>runtime</scope> </dependencySet> <!-- Unpack local system dependencies into runtime jar --> <dependencySet> <unpack>true</unpack> <scope>system</scope> </dependencySet> </dependencySets> </assembly>
  10. Gradle
    Update your build.gradle file.
    1. Add Twistlock package reference in the project configuration file i.e build.gradle
      dependencies { compile ( files('twistlock/twistlock-19.11.462.jar') ) } task buildZip(type: Zip) { from compileJava from processResources into('lib') { from configurations.runtimeClasspath } // Include Twistlock dependencies into ('twistlock') { from 'twistlock' exclude "*.jar" } } build.dependsOn buildZip
  11. In AWS, set the name of the Lambda handler for your function to protectedHandler.
  12. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Node.js functions

Import the Serverless Defender module, and configure your function to start it. Prisma Cloud supports Node.js 8.x.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Node.js
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    1. For asynchronous handlers:
      // Async handler var twistlock = require('./twistlock'); exports.handler = async (event, context) => { . . . }; exports.handler = twistlock.asyncHandler(exports.handler);
    2. For synchronous handlers:
      // Non-async handler var twistlock = require('./twistlock'); exports.handler = (event, context, callback) => { . . . }; exports.handler = twistlock.handler(exports.handler);
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Python functions

Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Python 2.7, 3.6, and 3.7.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Python
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    import twistlock.serverless @twistlock.serverless.handler def handler(event, context): . . .
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Upload the protected function to AWS

After embedding Serverless Defender into your function, upload it to AWS.
  1. Upload the new ZIP file to AWS.
    1. In
      Designer
      , select your function so that you can view the function code.
    2. Under
      Code entry type
      , select
      Upload a .ZIP file
      .
    3. Specify a runtime and the handler.
      Validate that
      Runtime
      is a supported runtime, and that
      Handler
      points to the function’s entry point.
    4. Click
      Upload
      .
    5. Click
      Save
      .
  2. Set the TW_POLICY environment variable.
    1. In Designer, open the environment variables panel.
    2. For Key, enter TW_POLICY.
    3. For Value, paste the rule you copied from Compute Console.
    4. Click Save.

Defining your policy

Prisma Cloud ships with a default runtime policy for all Serverless functions that blocks all processes from running except the main process. This default policy protects against command injection attacks.
You can customize the policy with additional rules. By default, new rules apply to all functions (
*
), but you can target them to specific functions by function name.
When functions are invoked, they connect to Compute Console and retrieve the latest policy. To ensure functions start executing at time=0 with your custom policy, however, predefine the policy. Predefined policy is embedded into your function along with Serverless Defender by way of the TW_POLICY environment variable.
  1. Log into Prisma Cloud Console.
  2. Go to
    Defend > Runtime > Serverless Policy
    .
  3. Click
    Add rule
    .
  4. In the
    General
    tab, enter a rule name.
  5. (Optional) Target the rule to specific functions.
    In
    Functions
    , enter a function name. Use pattern matching to refine how the rule is applied.
  6. Set the rule parameters in the
    Processes
    ,
    Networking
    , and
    File System
    tabs.
  7. Click
    Save
    .

Recommended For You