Serverless Defender

Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure they execute as designed.
Per-function policies let you control:
  • Process activity. Enables verification of launched subprocesses against policy.
  • Network connections. Enables verification of inbound and outbound connections, and permits outbound connections to explicitly allowed domains.
  • File system activity. Controls which parts of the file system functions can access.
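The three policy dimensions above (subprocess launches, inbound and outbound connections with an explicit outbound domain allow list, and file system access) can be modelled as allow lists that runtime events are checked against. The following Python is an added illustration of that model, not Prisma Cloud's code: the policy shape, the event format, the `FunctionPolicy`/`evaluate` names and the sample image-resizing function are all constructed for this example. It is written in Python because the concepts are the same for every supported runtime.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FunctionPolicy:
    """Per-function allow lists (shape constructed for this example)."""
    allowed_processes: List[str] = field(default_factory=list)   # basenames of permitted subprocesses
    allowed_domains: List[str] = field(default_factory=list)     # permitted outbound destinations (suffix match)
    allowed_inbound_ports: List[int] = field(default_factory=list)
    writable_paths: List[str] = field(default_factory=list)      # prefixes the function may write under
    readable_paths: List[str] = field(default_factory=list)      # additional prefixes it may only read


def domain_allowed(host: str, allowed: List[str]) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot ignored.
    Matching on '.' + domain prevents 'example.com.other.test' from
    passing as 'example.com'."""
    host = host.lower().rstrip(".")
    for d in allowed:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def path_under(path: str, prefixes: List[str]) -> bool:
    """True if path equals one of the prefixes or lies beneath it
    ('/tmpfoo' is not under '/tmp')."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def evaluate(policy: FunctionPolicy, events: List[Dict]) -> List[str]:
    """Return one message per runtime event the policy does not permit."""
    violations = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            name = ev["path"].rsplit("/", 1)[-1]
            if name not in policy.allowed_processes:
                violations.append(f"process: {ev['path']} is not an allowed subprocess")
        elif kind == "net_outbound":
            if not domain_allowed(ev["host"], policy.allowed_domains):
                violations.append(f"network: outbound connection to {ev['host']}:{ev['port']} not allowed")
        elif kind == "net_inbound":
            if ev["port"] not in policy.allowed_inbound_ports:
                violations.append(f"network: inbound connection on port {ev['port']} not allowed")
        elif kind == "file":
            readable = policy.writable_paths + policy.readable_paths
            if ev["op"] == "write" and not path_under(ev["path"], policy.writable_paths):
                violations.append(f"file: write to {ev['path']} outside writable paths")
            elif ev["op"] == "read" and not path_under(ev["path"], readable):
                violations.append(f"file: read of {ev['path']} outside readable paths")
        else:
            violations.append(f"unknown event type {kind!r}")
    return violations


# Constructed sample policy for a hypothetical image-resizing function:
# it may run 'convert', talk to S3 and example.com, write only under /tmp
# and read its own deployment package and layers.
SAMPLE_POLICY = FunctionPolicy(
    allowed_processes=["convert"],
    allowed_domains=["s3.amazonaws.com", "example.com"],
    allowed_inbound_ports=[],
    writable_paths=["/tmp"],
    readable_paths=["/var/task", "/opt"],
)

# Constructed event stream: four of these eight events violate the policy.
SAMPLE_EVENTS = [
    {"type": "process", "path": "/usr/bin/convert"},
    {"type": "process", "path": "/bin/sh"},
    {"type": "net_outbound", "host": "bucket.s3.amazonaws.com", "port": 443},
    {"type": "net_outbound", "host": "example.com.other.test", "port": 443},
    {"type": "net_inbound", "port": 8080},
    {"type": "file", "op": "read", "path": "/var/task/handler.py"},
    {"type": "file", "op": "write", "path": "/tmp/out.png"},
    {"type": "file", "op": "write", "path": "/var/task/handler.py"},
]


def demo() -> List[str]:
    return evaluate(SAMPLE_POLICY, SAMPLE_EVENTS)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The two helpers carry the detail that matters in practice: a domain allow list must match on label boundaries, and a path allow list must match on directory boundaries, otherwise a lookalike name or sibling directory slips through.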
Prisma Cloud supports AWS Lambda functions (Linux) and Azure Functions (Windows only).
See system requirements for the runtimes and architectures that are supported for Serverless Defenders.
The following runtimes are supported for AWS Lambda:
  • C# (.NET Core) 6.0
  • Java 8, 11
  • Node.js 12.x, 14.x, 16.x, 18.x
  • Python 3.6, 3.7, 3.8, 3.9
  • Ruby 2.7
Serverless Defenders are not supported on ARM64 architecture.
The following runtimes are supported for Azure Functions (Windows and 64 bit only):
  • v3 - C# (.NET Core) 3.1
  • v4 - C# (.NET Core) 6.0
Only users with the Administrator role can see the list of deployed Serverless Defenders in Manage > Defenders > Manage.

Securing serverless functions

To secure a serverless function, embed the Prisma Cloud Serverless Defender into it. The steps are:
  1. (Optional) If you are not using a deployment framework like SAM or Serverless Framework, download a ZIP file that contains your function source code and dependencies.
  2. Embed the Serverless Defender into the function.
  3. Deploy the new function or upload the updated ZIP file to the cloud provider.
  4. Define a serverless protection runtime policy.
  5. Define a serverless WAAS policy.

AWS Lambda - (Optional) Download your function as a ZIP file

Download your function’s source code from AWS as a ZIP file.
  1. From Lambda’s code editor, click Actions > Export function.
  2. Click Download deployment package.
    Your function is downloaded to your host as a ZIP file.
  3. Create a working directory, and unpack the ZIP file there.
    In the next step, you’ll download the Serverless Defender files to this working directory.

AWS Lambda - Embed Serverless Defender into C# functions

In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by AWS when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.
Prisma Cloud supports .NET Core 3.1 and 6.0.
  1. Open Compute Console, and go to Manage > Defenders > Deployed Defenders > Manual deploy > Single Defender.
  2. In Choose Defender type, select Serverless Defender - AWS.
  3. The DNS name Serverless Defender uses to connect to your Compute Console is prepopulated for you.
  4. In Runtime, select C#.
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the Serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.
    using Twistlock;

    public class ...
    {
        // Original handler (Application Load Balancer example)
        public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context)
        {
            ...
        }

        // Twistlock protected handler: AWS invokes this one, and it passes the
        // request through the Serverless Defender before calling the original handler
        public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context)
        {
            return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context);
        }
        ...
    }
  8. Add the Twistlock package as a dependency in your nuget.config file.
    If a nuget.config file doesn’t exist, create one.
    <configuration>
      <packageSources>
        <add key="local-packages" value="./twistlock"/>
      </packageSources>
    </configuration>