Serverless Defender
Serverless Defender protects serverless functions at runtime.
It monitors your functions to ensure they execute as designed.
Per-function policies let you control:
- Process activity. Enables verification of launched subprocesses against policy.
- Network connections. Enables verification of inbound and outbound connections, and permits outbound connections to explicitly allowed domains.
- File system activity. Controls which parts of the file system functions can access.
Prisma Cloud supports AWS Lambda functions (Linux) and Azure Functions (Windows only).
See system requirements for the runtimes and architectures that are supported for Serverless Defenders.
The following runtimes are supported for AWS Lambda:
- C# (.NET Core) 6.0
- Java 8, 11
- Node.js 14.x, 16.x, 18.x
- Python 3.6, 3.7, 3.8, 3.9
- Ruby 2.7
Serverless Defenders are not supported on ARM64 architecture.
The following runtimes are supported for Azure Functions (Windows and 64 bit only):
- v3 - C# (.NET Core) 3.1
- v4 - C# (.NET Core) 6.0
Only users with the Administrator role can see the list of deployed Serverless Defenders in Manage > Defenders > Manage.

Securing serverless functions
To secure a serverless function, embed the Prisma Cloud Serverless Defender into it.
The steps are:
- (Optional) If you are not using a deployment framework like SAM or Serverless Framework, download a ZIP file that contains your function source code and dependencies.
- Embed the Serverless Defender into the function.
- Deploy the new function or upload the updated ZIP file to the cloud provider.
- Define a serverless protection runtime policy.
- Define a serverless WAAS policy.
AWS Lambda - (Optional) Download your function as a ZIP file
Download your function’s source code from AWS as a ZIP file.
- From Lambda’s code editor, click Actions > Export function.
- Click Download deployment package. Your function is downloaded to your host as a ZIP file.
- Create a working directory, and unpack the ZIP file there. In the next step, you’ll download the Serverless Defender files to this working directory.
AWS Lambda - Embed Serverless Defender into C# functions
In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler.
The protected handler will be called by AWS when your function is invoked.
Update the project configuration file to add Prisma Cloud dependencies and package references.
Prisma Cloud supports .NET Core 3.1, 6.0.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
- In Choose Defender type, select Serverless Defender - AWS.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Runtime, select C#.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler. Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.

      using Twistlock;

      public class ...
      {
          // Original handler
          public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context)
          {
              ...
          }

          // Application load balancer example
          // Twistlock protected handler
          public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context)
          {
              return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context);
          }
          ...
      }

- Add the Twistlock package as a dependency in your nuget.config file. If a nuget.config file doesn’t exist, create one.

      <configuration>
        <packageSources>
          <add key="local-packages" value="./twistlock"/>
        </packageSources>
      </configuration>

- Reference the Twistlock package in your csproj file.

      <Project>
        <ItemGroup>
          <PackageReference Include="Twistlock" Version="19.11.462"/>
          <TwistlockFiles Include="twistlock/*" Exclude="twistlock/twistlock.19.11.462.nupkg"/>
        </ItemGroup>
        <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish">
          <Copy SourceFiles="@(TwistlockFiles)" DestinationFolder="$(PublishDir)/twistlock"/>
        </Target>
        ...
      </Project>

- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain * in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.

AWS Lambda - Embed Serverless Defender into Java functions
To embed Serverless Defender, import the Twistlock package and update your code to start Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and Gradle projects. You’ll also need to update your project metadata to include Serverless Defender dependencies.
Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library: RequestStreamHandler (where input must be serialized JSON) and RequestHandler.
AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry point to Serverless Defender, assumes the entry point to your code is named handleRequest. After embedding Serverless Defender, update the name of the handler registered with AWS to be the wrapper method that calls Twistlock.Handler() (for example, protectedHandler).
Prisma Cloud supports both struct and stream input (serialized struct). Even though the Context parameter is optional for unprotected functions, it’s mandatory when embedding Serverless Defender.
Prisma Cloud supports Java 8 and Java 11.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual Deploy > Single Defender.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Defender type, select Serverless Defender - AWS.
- Select the name that Defender will use to connect to this Console.
- In Runtime, select Java.
- In Package, select Maven or Gradle. The steps for embedding Serverless Defender differ depending on the build tool.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Enter the package details and artifact id in the defender-<version>.pom file:

      <project>
        <modelVersion>4.0.0</modelVersion>
        <groupId>com.twistlock.serverless</groupId>
        <artifactId>defender</artifactId>
        <version>22.11.386</version>
        <description>twistlock serverless defender pom</description>
      </project>

- Embed Serverless Defender into your function by importing the Prisma Cloud package and wrapping the function’s handler.

      import com.twistlock.serverless.Twistlock;

      public class ... implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {
          // Original handler
          @Override
          public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent request, Context context) {
              ...
          }

          // RequestHandler example
          // Twistlock protected handler
          public APIGatewayProxyResponseEvent protectedHandler(APIGatewayProxyRequestEvent request, Context context) {
              return Twistlock.Handler(this, request, context);
          }
          ...
      }

- Update your project configuration file.
  - Maven: Update your *pom xml file. Don’t create new sections for the Prisma Cloud configurations. Just update existing sections. For example, don’t create a new <plugins> section if one exists already. Just append a <plugin> section to it. Add the assembly plugin to include the Twistlock package in the final function JAR. Usually the shade plugin is used in AWS to include packages in standalone JARs, but it doesn’t let you include local system packages.

        <project>
          <build>
            <!-- Add assembly plugin to create a standalone jar that contains Twistlock library -->
            <plugins>
              <plugin>
                <artifactId>maven-assembly-plugin</artifactId>
                <configuration>
                  <appendAssemblyId>false</appendAssemblyId>
                  <descriptors>
                    <descriptor>assembly.xml</descriptor>
                  </descriptors>
                </configuration>
                <executions>
                  <execution>
                    <id>make-assembly</id>
                    <phase>package</phase>
                    <goals>
                      <goal>attached</goal>
                    </goals>
                  </execution>
                </executions>
              </plugin>
              ...
            </plugins>

            <!-- Add Twistlock resources -->
            <resources>
              <resource>
                <directory>${project.basedir}</directory>
                <includes>
                  <include>twistlock/*</include>
                </includes>
                <excludes>
                  <exclude>twistlock/com/**</exclude>
                </excludes>
              </resource>
              ...
            </resources>
            ...
          </build>

          <!-- Define the internal (local) repository in the `*pom` xml file: -->
          <repositories>
            <repository>
              <id>twistlock-internal</id>
              <name>twistlock</name>
              <url>file://${project.basedir}/twistlock</url>
            </repository>
            ...
          </repositories>

          <!-- Add Twistlock package reference -->
          <dependencies>
            <dependency>
              <groupId>com.twistlock.serverless</groupId>
              <artifactId>defender</artifactId>
              <version>22.11.386</version>
            </dependency>
            ...
          </dependencies>
          ...
        </project>

    Create an assembly.xml file, which packs all dependencies in a standalone JAR.

        <assembly>
          <id>twistlock-protected</id>
          <formats>
            <format>jar</format>
          </formats>
          <includeBaseDirectory>false</includeBaseDirectory>
          <dependencySets>
            <!-- Unpack runtime dependencies into runtime jar -->
            <dependencySet>
              <unpack>true</unpack>
              <scope>runtime</scope>
            </dependencySet>
            <!-- Unpack local system dependencies into runtime jar -->
            <dependencySet>
              <unpack>true</unpack>
              <scope>system</scope>
            </dependencySet>
          </dependencySets>
        </assembly>

  - Gradle: Gradle supports Maven repositories and can fetch artifacts directly from any kind of Maven repository. Update your build.gradle file:
    - Add the Maven repository for this project.
    - Set the *.jar file as an "implementation" dependency from the filesystem.
    - Update the zip resources.

        repositories {
            maven {
                url "file://$projectDir/twistlock"
            }
        }

        dependencies {
            implementation 'com.twistlock.serverless:defender:22.11.386'
        }

        task buildZip(type: Zip) {
            from compileJava
            from processResources
            into('lib') {
                from configurations.runtimeClasspath
            }
            // Include Twistlock resources
            into('twistlock') {
                from 'twistlock'
                exclude "com/**"
            }
        }

        build.dependsOn buildZip

- In AWS, set the name of the Lambda handler for your function to protectedHandler.
- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain * in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.
AWS Lambda - Embed Serverless Defender into Node.js functions
Import the Serverless Defender module, and configure your function to start it. Prisma Cloud supports Node.js 14.x.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Choose Defender type, select Serverless.
- In Runtime, select Node.js.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
  For asynchronous handlers:

      // Async handler
      var twistlock = require('./twistlock');

      exports.handler = async (event, context) => {
          . . .
      };

      exports.handler = twistlock.asyncHandler(exports.handler);

  For synchronous handlers:

      // Non-async handler
      var twistlock = require('./twistlock');

      exports.handler = (event, context, callback) => {
          . . .
      };

      exports.handler = twistlock.handler(exports.handler);

- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain * in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.
- Prisma Cloud Serverless Defender includes native node.js libraries. If you are using webpack, please refer to tools such as native-addon-loader to make sure these libraries are included in the function ZIP file.
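Every runtime section on this page uses the same shape: a protected handler wraps the original handler, and a policy embedded at deploy time (TW_POLICY) tells the Defender what the function may do. The page does not show what happens inside the wrapper, so the following is an added illustration, written in Python, and not Prisma Cloud's code. It models the documented defaults (a rule applies to all functions, "*", and blocks every process except the main one): the decorator loads a policy once per execution environment, guards subprocess creation for the duration of the invocation, records an audit record for each attempt, and then runs the original handler. The variable name DEMO_POLICY, its JSON shape, and the names protected_handler, invoke and guard_installed are all assumptions of this example; the real TW_POLICY value is generated by Compute Console and its format is not documented here.

```python
import functools
import json
import os
import subprocess
import sys
import threading

# Constructed policy document for this example. This is NOT the TW_POLICY format;
# it only mirrors the documented defaults: apply to every function ("*") and
# allow no subprocess besides the function's main process.
DEFAULT_POLICY = {"functions": "*", "allowed_processes": []}
POLICY_ENV_VAR = "DEMO_POLICY"   # hypothetical name, deliberately not TW_POLICY

AUDIT_LOG = []                   # what a real Defender would ship to Console as audits
_init_lock = threading.Lock()
_policy_cache = {}               # filled once per execution environment (cold start)


def load_policy():
    """Parse the policy embedded in the function's environment, once per container."""
    with _init_lock:
        if "policy" not in _policy_cache:
            raw = os.environ.get(POLICY_ENV_VAR)
            _policy_cache["policy"] = json.loads(raw) if raw else dict(DEFAULT_POLICY)
        return _policy_cache["policy"]


def reset_policy(policy=None):
    """Drop the cached policy (optionally preloading one) so the next call re-reads it."""
    _policy_cache.clear()
    if policy is not None:
        _policy_cache["policy"] = policy


def _guarded_popen(original_popen, policy, function_name):
    """Build a subprocess.Popen replacement that enforces the process allowlist."""

    class GuardedPopen(original_popen):
        def __init__(self, args, *popen_args, **popen_kwargs):
            program = args[0] if isinstance(args, (list, tuple)) else str(args).split()[0]
            allowed = os.path.basename(program) in policy["allowed_processes"]
            AUDIT_LOG.append({"function": function_name, "process": program,
                              "effect": "allow" if allowed else "block"})
            if not allowed:
                raise PermissionError(f"process {program!r} blocked by serverless runtime policy")
            super().__init__(args, *popen_args, **popen_kwargs)

    return GuardedPopen


def guard_installed():
    """True while the process guard is active (it should never be, between invocations)."""
    return subprocess.Popen.__name__ == "GuardedPopen"


def protected_handler(func):
    """Decorator in the role of @twistlock.serverless.handler: load the policy on the
    first call, guard subprocess creation for the invocation, run the original
    handler, and always remove the guard afterwards."""

    @functools.wraps(func)
    def wrapper(event, context):
        policy = load_policy()
        function_name = getattr(context, "function_name", "unknown")
        original_popen = subprocess.Popen
        subprocess.Popen = _guarded_popen(original_popen, policy, function_name)
        try:
            return func(event, context)
        finally:
            subprocess.Popen = original_popen

    return wrapper


@protected_handler
def handler(event, context):
    """Original handler: runs the program named in the event, the exact shape that
    the default 'no subprocesses' rule exists to stop."""
    result = subprocess.run(event["argv"], capture_output=True, check=False)
    return {"statusCode": 200, "rc": result.returncode}


class _Context:
    function_name = "demo-function"   # constructed stand-in for the Lambda context


SAFE_ARGV = [sys.executable, "-c", "pass"]   # harmless program that exists on every host
SAFE_PROGRAM = os.path.basename(sys.executable)


def invoke(argv, allowed_processes=None):
    """Invoke the protected handler with a constructed event.
    Returns ("ok", returncode) or ("blocked", reason)."""
    reset_policy(None if allowed_processes is None
                 else {"functions": "*", "allowed_processes": list(allowed_processes)})
    try:
        return ("ok", handler({"argv": argv}, _Context())["rc"])
    except PermissionError as exc:
        return ("blocked", str(exc))


if __name__ == "__main__":
    print(invoke(SAFE_ARGV))                   # blocked by the default empty allowlist
    print(invoke(SAFE_ARGV, [SAFE_PROGRAM]))   # allowed once listed in the policy
    print(AUDIT_LOG)
```

Two design points carry over to the real deployment: the policy is read once per execution environment, which is why the page insists on predefining it through TW_POLICY so the first invocation is already protected, and the guard is removed in a finally block so a handler exception cannot leave the sandbox in a half-configured state. The pure-Python guard here exists only to make the policy effect visible; the shipped Defender uses its own native libraries, as the Node.js note above mentions.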
AWS Lambda - Embed Serverless Defender into Python functions
Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Python 3.6, 3.7, and 3.8.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Choose Defender type, select Serverless.
- In Runtime, select Python.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.

      import twistlock.serverless

      @twistlock.serverless.handler
      def handler(event, context):
          . . .

- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain * in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.

AWS Lambda - Embed Serverless Defender into Ruby functions
Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Ruby 2.7.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Choose Defender type, select Serverless.
- In Runtime, select Ruby.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
  Option 1:

      require_relative './twistlock/twistlock'

      def handler(event:, context:)
        Twistlock.handler(event: event, context: context) { |event:, context:|
          # Original handler
          ...
        }
      end
      . . .

  Option 2:

      require_relative './twistlock/twistlock'

      # Handler as a class method
      module Module1
        class Class1
          def self.original_handler(event:, context:)
            ...
          end

          def self.protected_handler(event:, context:)
            return Twistlock.handler(event: event, context: context, &method(:original_handler))
          end
        end
      end
      . . .

- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain * in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.

AWS Lambda - Upload the protected function
After embedding Serverless Defender into your function, upload it to AWS. If you are using a deployment framework such as SAM or Serverless Framework, just deploy the function with your standard deployment procedure. If you are using AWS directly, follow the steps below:
- Upload the new ZIP file to AWS.
  - In Designer, select your function so that you can view the function code.
  - Under Code entry type, select Upload a .ZIP file.
  - Specify a runtime and the handler. Validate that Runtime is a supported runtime, and that Handler points to the function’s entry point.
  - Click Upload.
  - Click Save.
- Set the TW_POLICY environment variable.
  - In Designer, open the environment variables panel.
  - For Key, enter TW_POLICY.
  - For Value, paste the rule you copied from Compute Console.
  - Click Save.

Azure Functions - Embed Serverless Defender into C# functions
In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by Azure when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.
Prisma Cloud supports .NET Core 3.1, 6.0 on Windows. 64 bit only.
- Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
- Choose the DNS name or IP address Serverless Defender uses to connect to Console.
- In Choose Defender type, select Serverless Defender - Azure.
- In Runtime, select C#.
- Download the Serverless Defender package to your workstation.
- Unzip the Serverless Defender bundle into your working directory.
- Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler. Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.

      using Twistlock;

      public class ...
      {
          // Original handler
          public static async Task<IActionResult> Run(
              [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
              ILogger log,
              ExecutionContext context)
          {
              Twistlock.Serverless.Init(log, context);
              ...
          }
      }

- Add the Twistlock package as a dependency in your nuget.config file. If a nuget.config file doesn’t exist, create one.

      <configuration>
        <packageSources>
          <add key="local-packages" value="./twistlock"/>
        </packageSources>
      </configuration>

- Reference the Twistlock package in your project configuration file.

      <Project>
        <ItemGroup>
          <PackageReference Include="Twistlock" Version="22.04.147" />
          <TwistlockFiles Include="twistlock\*" Exclude="twistlock\twistlock.22.04.147.nupkg"/>
        </ItemGroup>
        <ItemGroup>
          <None Include="@(TwistlockFiles)" CopyToOutputDirectory="Always" LinkBase="twistlock\" />
        </ItemGroup>
        ...
      </Project>

- Generate the value for the TW_POLICY environment variable by specifying your function’s name and region. If Any is selected for region, only policies that contain a wildcard in the region label will be matched. Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
- Copy the value generated for TW_POLICY, and set it aside.
- Upload the protected function to Azure, and set the TW_POLICY environment variable.

Defining your runtime protection policy
By default, Prisma Cloud ships with an empty serverless runtime policy. An empty policy disables runtime defense entirely.
You can enable runtime defense by creating a rule. By default, new rules:
- Apply to all functions (*), but you can target them to specific functions by function name.
- Block all processes from running except the main process. This protects against command injection attacks.
When functions are invoked, they connect to Compute Console and retrieve the latest policy. To ensure that functions start executing at time=0 with your custom policy, predefine the policy. Predefined policy is embedded into your function along with the Serverless Defender by way of the TW_POLICY environment variable.
- Log into Prisma Cloud Console.
- Go to Defend > Runtime > Serverless Policy.
- Click Add rule.
- In the General tab, enter a rule name.
- (Optional) Target the rule to specific functions. Use collections to scope functions by name or region (label). Pattern matching is supported. For Azure Functions only, you can additionally scope rules by account ID.
- Set the rule parameters in the Processes, Networking, and File System tabs.
- Click Save.

Defining your serverless WAAS policy
Prisma Cloud lets you protect your serverless functions against application layer attacks by using the serverless Web Application and API Security (WAAS).
By default, the serverless WAAS is disabled. To enable it, add a new serverless WAAS rule.
- Log into Prisma Cloud Console.
- Go to Defend > WAAS > Serverless.
- Click Add rule.
- In the General tab, enter a rule name.
- (Optional) Target the rule to specific functions. Use collections to scope functions by name or region (label). Pattern matching is supported. For Azure Functions only, you can additionally scope rules by account ID.
- Set the protections you want to apply (SQLi, CMDi, Code injection, XSS, LFI).
- Click Save.
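Both the runtime policy and the WAAS policy above are targeted the same way: rules are scoped to functions by name or region label with pattern matching, and when TW_POLICY is generated with Any as the region, only rules whose region label contains a wildcard are matched. The following added example (not Prisma Cloud's code) makes those two statements concrete in Python: it computes which of a constructed rule set would be selected for a given function name and region. The rule dictionaries, the ANY_REGION sentinel and the functions rules_for_function and rule_names are assumptions of this example, and shell-style wildcard matching (fnmatch) stands in for whatever pattern syntax Console actually uses.

```python
import fnmatch

ANY_REGION = "Any"   # models choosing "Any" for region when generating TW_POLICY

# Constructed rules in the shape the policy sections describe: a function-name
# pattern and a region-label pattern (both support wildcards) plus the settings
# the rule would carry. Order is the order they appear in the policy.
SAMPLE_RULES = [
    {"name": "payments-strict", "functions": "payments-*", "region": "us-east-1",
     "allowed_processes": []},
    {"name": "eu-functions", "functions": "*", "region": "eu-*",
     "allowed_processes": ["convert"]},
    {"name": "catch-all", "functions": "*", "region": "*",
     "allowed_processes": []},
]


def region_matches(rule_region, function_region):
    """Documented rule: with Any selected for region, only rules whose region label
    contains a wildcard are matched; otherwise the label is matched as a pattern."""
    if function_region == ANY_REGION:
        return "*" in rule_region
    return fnmatch.fnmatchcase(function_region, rule_region)


def rules_for_function(rules, function_name, function_region):
    """Return the rules, in policy order, that apply to this function."""
    return [rule for rule in rules
            if fnmatch.fnmatchcase(function_name, rule["functions"])
            and region_matches(rule["region"], function_region)]


def rule_names(rules, function_name, function_region):
    """Convenience wrapper returning only the matching rule names."""
    return [rule["name"] for rule in rules_for_function(rules, function_name, function_region)]


def runtime_defense_enabled(rules, function_name, function_region):
    """No matching rule means an empty policy, which the page says disables runtime defense."""
    return bool(rules_for_function(rules, function_name, function_region))


if __name__ == "__main__":
    print(rule_names(SAMPLE_RULES, "payments-api", "us-east-1"))   # ['payments-strict', 'catch-all']
    print(rule_names(SAMPLE_RULES, "payments-api", ANY_REGION))    # ['eu-functions', 'catch-all']
    print(runtime_defense_enabled(SAMPLE_RULES[:1], "thumbnails", "us-east-1"))  # False
```

The Any case is worth checking before you rely on it: read literally, the page's wording means a rule with region label eu-* qualifies for a function generated with Any, because its label contains a wildcard, so a region-specific rule can end up embedded in a function deployed elsewhere. Generating TW_POLICY with the function's actual region avoids that.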