1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Install
    6. Install Defender
    7. Serverless Defender
    End-of-Life (EoL)

    Serverless Defender

    Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure they execute as designed.
    Per-function policies let you control:
    • Process activity. Enables verification of launched subprocesses against policy.
    • Network connections. Enables verification of inbound and outbound connections, and permits outbound connections to explicitly allowed domains.
    • File system activity. Controls which parts of the file system functions can access.
    Currently, Prisma Cloud supports AWS Lambda functions. The following runtimes are supported:
    • C# (.NET Core 2.1)
    • Java 8
    • Node.js 10.x
    • Python 2.7, 3.6, and 3.7
    Currently, only users with the Administrator role can see the list of deployed Serverless Defenders in
    Manage > Defenders > Manage
    .

    Securing serverless functions

    To secure an AWS Lambda function, embed the Prisma Cloud Serverless Defender into it. The steps are:
    1. (Optional) If you are not using a deployment framework like SAM or Serverless Framework, download a ZIP file that contains your function source code and dependencies.
    2. Embed the Serverless Defender into the function.
    3. Deploy the new function or upload the updated ZIP file to AWS.
    4. Define a serverless protection runtime policy.
    5. Define a serverless WAAS policy.

    (Optional) Download your function as a ZIP file

    Download your function’s source code from AWS as a ZIP file.
    1. From Lambda’s code editor, click
      Actions > Export function
      .
    2. Click
      Download deployment package
      .
      Your function is downloaded to your host as a ZIP file.
    3. Create a working directory, and unpack the ZIP file there.
      In the next step, you’ll download the Serverless Defender files to this working directory.

    Embed Serverless Defender into C# functions

    In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by AWS when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.
    Prisma Cloud supports .NET Core 2.1.
    1. Open Compute Console, and go to
      Manage > Defenders > Deploy > Single Defender
      .
    2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
    3. In
      Choose Defender type
      , select
      Serverless
      .
    4. In
      Runtime
      , select
      C#
      .
    5. Download the Serverless Defender package to your workstation.
    6. Unzip the Serverless Defender bundle into your working directory.
    7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
      Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.
        using Twistlock;

  public class ... {
      // Original handler
      public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context)
      {
        ...
      }

      // Application load balancer example
      // Twistlock protected handler
      public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context)
      {
          return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context);
      }
      ...
  }
    8. Add the Twistlock package as a dependency in your nuget.config file.
      If a nuget.config file doesn’t exist, create one.
      <configuration>
  <packageSources>
    <add key="local-packages" value="./twistlock"/>
  </packageSources>
</configuration>
    9. Reference the Twistlock package in your csproj file.
      <Project>
  <ItemGroup>
    <PackageReference Include="Twistlock" Version="19.11.462"/>
    <TwistlockFiles Include="twistlock/*" Exclude="twistlock/twistlock.19.11.462.nupkg"/>
  </ItemGroup>
  <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish">
    <Copy SourceFiles="@(TwistlockFiles)" DestinationFolder="$(PublishDir)/twistlock"/>
  </Target>
  .
  .
  .
</Project>
    10. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
      Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
      Copy the value generated for TW_POLICY, and set it aside.

    Embed Serverless Defender into Java functions

    To embed Serverless Defender, import the Twistlock package and update your code to start Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and Gradle projects. You’ll also need to update your project metadata to include Serverless Defender dependencies.
    Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library: RequestStreamHandler (where input must be serialized JSON) and RequestHandler.
    AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry point to Serverless Defender, assumes the entry point to your code is named handleRequest. After embedding Serverless Defender, update the name of the handler registered with AWS to be the wrapper method that calls Twistlock.Handler() (for example, protectedHandler).
    Prisma Cloud supports both service struct and stream input (serialized struct). Even though the Context parameter is optional for unprotected functions, it’s manadatory when embedding Serverless Defender.
    Prisma Cloud supports Java 8.
    1. Open Compute Console, and go to
      Manage > Defenders > Deploy > Single Defender
      .
    2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
    3. In
      Choose Defender type
      , select
      Serverless
      .
    4. In
      Runtime
      , select
      Java
      .
    5. In
      Package
      , select
      Maven
       or
      Gradle
      .
      The steps for embedding Serverless Defender differ depending on the build tool.
    6. Download the Serverless Defender package to your workstation.
    7. Unzip the Serverless Defender bundle into your working directory.
    8. Embed Serverless Defender into your function by importing the Prisma Cloud package and wrapping the function’s handler.
      import com.twistlock.serverless.Twistlock;

public class ... implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {

  // Original handler
  @Override
  public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent request, Context context) {
  {
    ...
  }

  // RequestHandler example
  // Twistlock protected handler
  public APIGatewayProxyResponseEvent protectedHandler(APIGatewayProxyRequestEvent request, Context context) {
    return Twistlock.Handler(this, request, context);
  }
  ...
}
...
    9. Update your project configuration file.
      1. Maven
        Update your pom.xml file. Don’t create new sections for the Prisma Cloud configurations. Just update existing sections. For example, don’t create a new <plugins> section if one exists already. Just append a <plugin> section to it.
        Add the assembly plugin to include the Twistlock package in the final function JAR. Usually the shade plugin is used in AWS to include packages to standalone JARs, but it doesn’t let you include local system packages.
        <project>
  <build>
    <!-- Add assembly plugin to create a standalone jar that contains Twistlock library -->
    <plugins>
      <plugin>
        <artifactId>maven-assembly-plugin</artifactId>
        <configuration>
          <appendAssemblyId>false</appendAssemblyId>
          <descriptors>
            <descriptor>assembly.xml</descriptor>
          </descriptors>
        </configuration>
        <executions>
          <execution>
           <id>make-assembly</id>
           <phase>package</phase>
           <goals>
            <goal>attached</goal>
           </goals>
          </execution>
        </executions>
      </plugin>
      ...
    </plugins>
          <!-- Add Twistlock resources -->
  <resources>
    <resource>
      <directory>${project.basedir}</directory>
      <includes>
        <include>twistlock/*</include>
        </includes>
      <excludes>
        <exclude>twistlock/*.jar</exclude>
      </excludes>
    </resource>
    ...
  </resources>
  ...
</build>
          <!-- Add Twistlock package reference -->
  <dependencies>
    <dependency>
      <groupId>com.twistlock.serverless</groupId>
      <artifactId>twistlock</artifactId>
      <version>19.11.462</version>
      <scope>system</scope>
      <systemPath>${project.basedir}/twistlock/twistlock-19.11.462.jar</systemPath>
    </dependency>
    ...
  </dependencies>
  ...
</project>
      2. Create an assembly.xml file, which packs all dependencies in a standalone JAR.
        <assembly>
  <id>twistlock-protected</id>
  <formats>
    <format>jar</format>
  </formats>
  <includeBaseDirectory>false</includeBaseDirectory>
  <dependencySets>
    <!-- Unpack runtime dependencies into runtime jar -->
    <dependencySet>
      <unpack>true</unpack>
      <scope>runtime</scope>
    </dependencySet>
    <!-- Unpack local system dependencies into runtime jar -->
    <dependencySet>
      <unpack>true</unpack>
      <scope>system</scope>
    </dependencySet>
  </dependencySets>
</assembly>
    10. Gradle
      Update your build.gradle file.
      1. Add Twistlock package reference in the project configuration file i.e build.gradle
        dependencies {
    compile (
        files('twistlock/twistlock-19.11.462.jar')
    )
}

task buildZip(type: Zip) {
    from compileJava
    from processResources
    into('lib') {
        from configurations.runtimeClasspath
    }
    // Include Twistlock dependencies
    into ('twistlock') {
        from 'twistlock'
        exclude "*.jar"
    }
}

build.dependsOn buildZip
    11. In AWS, set the name of the Lambda handler for your function to protectedHandler.
    12. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
      Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
      Copy the value generated for TW_POLICY, and set it aside.

    Embed Serverless Defender into Node.js functions

    Import the Serverless Defender module, and configure your function to start it. Prisma Cloud supports Node.js 10.x.
    1. Open Compute Console, and go to
      Manage > Defenders > Deploy > Single Defender
      .
    2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
    3. In
      Choose Defender type
      , select
      Serverless
      .
    4. In
      Runtime
      , select
      Node.js
      .
    5. Download the Serverless Defender package to your workstation.
    6. Unzip the Serverless Defender bundle into your working directory.
    7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
      1. For asynchronous handlers:
        // Async handler
var twistlock = require('./twistlock');
exports.handler = async (event, context) => {
.
.
.
};
exports.handler = twistlock.asyncHandler(exports.handler);
      2. For synchronous handlers:
        // Non-async handler
var twistlock = require('./twistlock');
exports.handler = (event, context, callback) => {
.
.
.
};
exports.handler = twistlock.handler(exports.handler);
    8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
      Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
      Copy the value generated for TW_POLICY, and set it aside.

    Embed Serverless Defender into Python functions

    Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Python 2.7, 3.6, and 3.7.
    1. Open Compute Console, and go to
      Manage > Defenders > Deploy > Single Defender
      .
    2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.
    3. In
      Choose Defender type
      , select
      Serverless
      .
    4. In
      Runtime
      , select
      Python
      .
    5. Download the Serverless Defender package to your workstation.
    6. Unzip the Serverless Defender bundle into your working directory.
    7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
      import twistlock.serverless
@twistlock.serverless.handler
def handler(event, context):
.
.
.
    8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
      Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
      Copy the value generated for TW_POLICY, and set it aside.
      • Prisma Cloud Serverless Defender includes native node.js libraries. If you are using webpack, please refer to tools such as native-addon-loader to make sure these libraries are included in the function ZIP file.

    Upload the protected function to AWS

    After embedding Serverless Defender into your function, upload it to AWS. If you are using a deployment framework such as SAM or Serverless Framework just deploy the function with your standard deployment procedure. If you are using AWS directly, follow the steps below:
    1. Upload the new ZIP file to AWS.
      1. In
        Designer
        , select your function so that you can view the function code.
      2. Under
        Code entry type
        , select
        Upload a .ZIP file
        .
      3. Specify a runtime and the handler.
        Validate that
        Runtime
         is a supported runtime, and that
        Handler
         points to the function’s entry point.
      4. Click
        Upload
        .
      5. Click
        Save
        .
    2. Set the TW_POLICY environment variable.
      1. In Designer, open the environment variables panel.
      2. For Key, enter TW_POLICY.
      3. For Value, paste the rule you copied from Compute Console.
      4. Click Save.

    Defining your runtime protection policy

    Prisma Cloud ships with a default runtime policy for all serverless functions that blocks all processes from running except the main process. This default policy protects against command injection attacks.
    You can customize the policy with additional rules. By default, new rules apply to all functions (*), but you can target them to specific functions by function name.
    When functions are invoked, they connect to Compute Console and retrieve the latest policy. To ensure that functions start executing at time=0 with your custom policy, you must predefine the policy. Predefined policy is embedded into your function along with the Serverless Defender by way of the TW_POLICY environment variable.
    1. Log into Prisma Cloud Console.
    2. Go to
      Defend > Runtime > Serverless Policy
      .
    3. Click
      Add rule
      .
    4. In the
      General
       tab, enter a rule name.
    5. (Optional) Target the rule to specific functions.
      In
      Functions
      , enter a function name. Use pattern matching to refine how the rule is applied.
    6. Set the rule parameters in the
      Processes
      ,
      Networking
      , and
      File System
       tabs.
    7. Click
      Save
      .

    Defining your serverless WAAS policy

    Prisma Cloud lets you protect your serverless functions against application layer attacks by utlizing the serverless Web Application and API Security (WAAS).
    By default, the serverless WAAS is disabled. To enable it, add a new serverless WAAS rule.
    1. Log into Prisma Cloud Console.
    2. Go to
      Defend > Firewalls > Cloud Native Application Firewall > Serverless
      .
    3. Click
      Add rule
      .
    4. In the
      General
       tab, enter a rule name.
    5. (Optional) Target the rule to specific functions.
      In
      Functions
      , enter a function name. Use pattern matching to refine how the rule is applied.
    6. Set the protections you want to apply (
      SQLi
      ,
      CMDi
      ,
      Code injection
      ,
      XSS
      ,
      LFI
      ).
    7. Click
      Save
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo