Serverless Defender

Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure they execute as designed.
Per-function policies let you control:
  • Process activity. Enables verification of launched subprocesses against policy.
  • Network connections. Enables verification of inbound and outbound connections, and whitelisting of outbound connections to explicitly allowed domains.
  • File system activity. Controls which parts of the file system functions can access.
Currently, Prisma Cloud supports AWS Lambda functions. The following runtimes are supported:
  • C# (.NET Core 2.1)
  • Java 8
  • Node.js 10.x
  • Python 2.7, 3.6, and 3.7
Currently, only users with the Administrator role can see the list of deployed Serverless Defenders in
Manage > Defenders > Manage
.

Securing serverless functions

To secure an AWS Lambda function, embed the Prisma Cloud Serverless Defender into it. The steps are:
  1. (Optional) If you are not using a deployment framework like SAM or Serverless Framework, download a ZIP file that contains your function source code and dependencies.
  2. Embed the Serverless Defender into the function.
  3. Deploy the new function or upload the updated ZIP file to AWS.
  4. Define a serverless protection runtime policy.
  5. Define a serverless CNAF policy.

(Optional) Download your function as a ZIP file

Download your function’s source code from AWS as a ZIP file.
  1. From Lambda’s code editor, click
    Actions > Export function
    .
  2. Click
    Download deployment package
    .
    Your function is downloaded to your host as a ZIP file.
  3. Create a working directory, and unpack the ZIP file there.
    In the next step, you’ll download the Serverless Defender files to this working directory.

Embed Serverless Defender into C# functions

In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by AWS when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.
Prisma Cloud supports .NET Core 2.1.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. The DNS name Serverless Defender uses to connect to your Compute Console is prepopulated for you.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    C#
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.
    using Twistlock; public class ... { // Original handler public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context) { ... } // Application load balancer example // Twistlock protected handler public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context) { return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context); } ... }
  8. Add the Twistlock package as a dependency in your nuget.config file.
    If a nuget.config file doesn’t exist, create one.
    <configuration> <packageSources> <add key="local-packages" value="./twistlock"/> </packageSources> </configuration>
  9. Reference the Twistlock package in your csproj file.
    <Project> <ItemGroup> <PackageReference Include="Twistlock" Version="19.11.462"/> <TwistlockFiles Include="twistlock/*" Exclude="twistlock/twistlock.19.11.462.nupkg"/> </ItemGroup> <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish"> <Copy SourceFiles="@(TwistlockFiles)" DestinationFolder="$(PublishDir)/twistlock"/> </Target> . . . </Project>
  10. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Java functions

To embed Serverless Defender, import the Twistlock package and update your code to start Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and Gradle projects. You’ll also need to update your project metadata to include Serverless Defender dependencies.
Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library: RequestStreamHandler (where input must be serialized JSON) and RequestHandler.
AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry point to Serverless Defender, assumes the entry point to your code is named handleRequest. After embedding Serverless Defender, update the name of the handler registered with AWS to be the wrapper method that calls Twistlock.Handler() (for example, protectedHandler).
Prisma Cloud supports both service struct and stream input (serialized struct). Even though the Context parameter is optional for unprotected functions, it’s manadatory when embedding Serverless Defender.
Prisma Cloud supports Java 8.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. The DNS name Serverless Defender uses to connect to your Compute Console is prepopulated for you.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Java
    .
  5. In
    Package
    , select
    Maven
    or
    Gradle
    .
    The steps for embedding Serverless Defender differ depending on the build tool.
  6. Download the Serverless Defender package to your workstation.
  7. Unzip the Serverless Defender bundle into your working directory.
  8. Embed Serverless Defender into your function by importing the Prisma Cloud package and wrapping the function’s handler.
    import com.twistlock.serverless.Twistlock; public class ... implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> { // Original handler @Override public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent request, Context context) { { ... } // RequestHandler example // Twistlock protected handler public APIGatewayProxyResponseEvent protectedHandler(APIGatewayProxyRequestEvent request, Context context) { return Twistlock.Handler(this, request, context); } ... } ...
  9. Update your project configuration file.
    1. Maven
      Update your pom.xml file. Don’t create new sections for the Prisma Cloud configurations. Just update existing sections. For example, don’t create a new <plugins> section if one exists already. Just append a <plugin> section to it.
      Add the assembly plugin to include the Twistlock package in the final function JAR. Usually the shade plugin is used in AWS to include packages to standalone JARs, but it doesn’t let you include local system packages.
      <project> <build> <!-- Add assembly plugin to create a standalone jar that contains Twistlock library --> <plugins> <plugin> <artifactId>maven-assembly-plugin</artifactId> <configuration> <appendAssemblyId>false</appendAssemblyId> <descriptors> <descriptor>assembly.xml</descriptor> </descriptors> </configuration> <executions> <execution> <id>make-assembly</id> <phase>package</phase> <goals> <goal>attached</goal> </goals> </execution> </executions> </plugin> ... </plugins>
      <!-- Add Twistlock resources --> <resources> <resource> <directory>${project.basedir}</directory> <includes> <include>twistlock/*</include> </includes> <excludes> <exclude>twistlock/*.jar</exclude> </excludes> </resource> ... </resources> ... </build>
      <!-- Add Twistlock package reference --> <dependencies> <dependency> <groupId>com.twistlock.serverless</groupId> <artifactId>twistlock</artifactId> <version>19.11.462</version> <scope>system</scope> <systemPath>${project.basedir}/twistlock/twistlock-19.11.462.jar</systemPath> </dependency> ... </dependencies> ... </project>
    2. Create an assembly.xml file, which packs all dependencies in a standalone JAR.
      <assembly> <id>twistlock-protected</id> <formats> <format>jar</format> </formats> <includeBaseDirectory>false</includeBaseDirectory> <dependencySets> <!-- Unpack runtime dependencies into runtime jar --> <dependencySet> <unpack>true</unpack> <scope>runtime</scope> </dependencySet> <!-- Unpack local system dependencies into runtime jar --> <dependencySet> <unpack>true</unpack> <scope>system</scope> </dependencySet> </dependencySets> </assembly>
  10. Gradle
    Update your build.gradle file.
    1. Add Twistlock package reference in the project configuration file i.e build.gradle
      dependencies { compile ( files('twistlock/twistlock-19.11.462.jar') ) } task buildZip(type: Zip) { from compileJava from processResources into('lib') { from configurations.runtimeClasspath } // Include Twistlock dependencies into ('twistlock') { from 'twistlock' exclude "*.jar" } } build.dependsOn buildZip
  11. In AWS, set the name of the Lambda handler for your function to protectedHandler.
  12. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Node.js functions

Import the Serverless Defender module, and configure your function to start it. Prisma Cloud supports Node.js 10.x.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. The DNS name Serverless Defender uses to connect to your Compute Console is prepopulated for you.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Node.js
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    1. For asynchronous handlers:
      // Async handler var twistlock = require('./twistlock'); exports.handler = async (event, context) => { . . . }; exports.handler = twistlock.asyncHandler(exports.handler);
    2. For synchronous handlers:
      // Non-async handler var twistlock = require('./twistlock'); exports.handler = (event, context, callback) => { . . . }; exports.handler = twistlock.handler(exports.handler);
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.

Embed Serverless Defender into Python functions

Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Python 2.7, 3.6, and 3.7.
  1. Open Compute Console, and go to
    Manage > Defenders > Deploy > Single Defender
    .
  2. The DNS name Serverless Defender uses to connect to your Compute Console is prepopulated for you.
  3. In
    Choose Defender type
    , select
    Serverless
    .
  4. In
    Runtime
    , select
    Python
    .
  5. Download the Serverless Defender package to your workstation.
  6. Unzip the Serverless Defender bundle into your working directory.
  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.
    import twistlock.serverless @twistlock.serverless.handler def handler(event, context): . . .
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.
    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.
    Copy the value generated for TW_POLICY, and set it aside.
    • Prisma Cloud Serverless Defender includes native node.js libraries. If you are using webpack, please refer to tools such as native-addon-loader to make sure these libraries are included in the function ZIP file.

Upload the protected function to AWS

After embedding Serverless Defender into your function, upload it to AWS. If you are using a deployment framework such as SAM or Serverless Framework just deploy the function with your standard deployment procedure. If you are using AWS directly, follow the steps below:
  1. Upload the new ZIP file to AWS.
    1. In
      Designer
      , select your function so that you can view the function code.
    2. Under
      Code entry type
      , select
      Upload a .ZIP file
      .
    3. Specify a runtime and the handler.
      Validate that
      Runtime
      is a supported runtime, and that
      Handler
      points to the function’s entry point.
    4. Click
      Upload
      .
      install_serverless_defender_upload_zip.png
    5. Click
      Save
      .
  2. Set the TW_POLICY environment variable.
    1. In Designer, open the environment variables panel.
    2. For Key, enter TW_POLICY.
    3. For Value, paste the rule you copied from Compute Console.
    4. Click Save.

Defining your runtime protection policy

Prisma Cloud ships with a default runtime policy for all serverless functions that blocks all processes from running except the main process. This default policy protects against command injection attacks.
You can customize the policy with additional rules. By default, new rules apply to all functions (
*
), but you can target them to specific functions by function name.
When functions are invoked, they connect to Compute Console and retrieve the latest policy. To ensure that functions start executing at time=0 with your custom policy, you must predefine the policy. Predefined policy is embedded into your function along with the Serverless Defender by way of the
TW_POLICY
environment variable.
  1. Log into Prisma Cloud Console.
  2. Go to
    Defend > Runtime > Serverless Policy
    .
  3. Click
    Add rule
    .
  4. In the
    General
    tab, enter a rule name.
  5. (Optional) Target the rule to specific functions.
    In
    Functions
    , enter a function name. Use pattern matching to refine how the rule is applied.
  6. Set the rule parameters in the
    Processes
    ,
    Networking
    , and
    File System
    tabs.
  7. Click
    Save
    .

Defining your serverless CNAF policy

Prisma Cloud lets you protect your serverless functions against application layer attacks by utlizing the serverless Cloud Native Application Firewall (CNAF).
By default, the serverless CNAF is disabled. To enable it, add a new serverless CNAF rule.
  1. Log into Prisma Cloud Console.
  2. Go to
    Defend > Firewalls > Cloud Native Application Firewall > Serverless
    .
  3. Click
    Add rule
    .
  4. In the
    General
    tab, enter a rule name.
  5. (Optional) Target the rule to specific functions.
    In
    Functions
    , enter a function name. Use pattern matching to refine how the rule is applied.
  6. Set the protections you want to apply (
    SQLi
    ,
    CMDi
    ,
    Code injection
    ,
    XSS
    ,
    LFI
    ).
  7. Click
    Save
    .

Recommended For You