Serverless function scanning

Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions provided by users. Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. This new model raises new security concerns, while some familiar old concerns still apply. In particular, your app itself is still prone to attack. The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app. Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.

Capabilities

For serverless, Prisma Cloud can scan Node.js, Python, and Java packages. There is currently no support for AWS or Azure C# functions.
Prisma Cloud scans are triggered by the following events:
  • When the settings change, including when new functions are added for scanning.
  • When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions page.
  • Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval in Manage > System > Scan.

Scanning a serverless function

Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scanning, which is performed by Defenders, all function scanning is handled by Console itself.
  1. Open Console.
  2. Go to Defend > Vulnerabilities > Functions.
  3. Click Add serverless account.
  4. In the dialog, enter the following settings:
    1. In Provider, select your cloud platform.
    2. Specify a Region.
    3. Specify a function name. Wildcards are supported. See the table at the top of the page for the supported syntax and examples.
    4. Select or create credentials so that Prisma Cloud can access your account.
      • AWS — Specify either an IAM user credential (access key ID and secret access key) or an IAM role.
      • Google — Specify a service key.
      • Azure — Specify a service key (the JSON produced as described in Scanning Azure Functions below).
    5. Specify a cap for the number of functions to scan. Prisma Cloud scans the X most recent functions, where X is the cap value.
    6. Click Add.
  5. Click the yellow save button.
  6. View the scan report. Go to Monitor > Vulnerabilities > Functions.

Authenticating with AWS

The serverless scanner is implemented as part of Console. The scanner requires the AWSLambdaReadOnlyAccess permissions policy.
If authenticating with an IAM user, use the Security Token Service (STS) to temporarily issue security credentials to Prisma Cloud to scan your Lambda functions. The IAM user's access key is then used only to assume a role that carries the AWSLambdaReadOnlyAccess policy, and the Lambda API calls are made with the short-lived credentials STS returns, so the user itself needs nothing beyond sts:AssumeRole on that role. AWS STS is considered a best practice per the AWS Well-Architected Framework.
When authenticating with an IAM user, Console can access and scan functions across multiple regions. To set Console up to scan Lambda functions with an IAM user and STS, enter the user credentials (access key ID and secret access key) in the Prisma Cloud credentials store, and create the role with the AWSLambdaReadOnlyAccess permissions policy in AWS beforehand.
The Prisma Cloud serverless scanner can also authenticate with AWS using an IAM role. In this case the role is the one attached to the EC2 instance that runs Console (its instance profile), and Console can only scan the functions in the region where that EC2 instance is deployed.
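The IAM-user-with-STS setup described above, as an added example that is not part of the Prisma Cloud documentation: a script that creates the role with AWSLambdaReadOnlyAccess, lets only the scanner's IAM user assume it, gives that user nothing but sts:AssumeRole on the role, and then checks that the assumed role can list functions (which is what Console does). The role name prisma-lambda-scanner, the user name prisma-scanner, the policy name AssumePrismaScannerRole and the create/verify subcommands are assumptions for illustration. The policy-building helpers run without any AWS access; only the create and verify subcommands call the AWS CLI.

```shell
#!/usr/bin/env bash
# Added example: least-privilege AWS setup for the Console serverless scanner
# (IAM user + STS assume-role). Names below are assumptions, not Prisma defaults.
set -eu

ROLE_NAME="${ROLE_NAME:-prisma-lambda-scanner}"   # role Console will assume
USER_NAME="${USER_NAME:-prisma-scanner}"          # IAM user whose keys go in Console

# Trust policy: only the scanner's IAM user may assume the role.
trust_policy() {
  account_id=$1; user_name=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${account_id}:user/${user_name}" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Inline policy for the IAM user: it can assume this one role and do nothing
# else, so a leaked access key alone cannot read your Lambda code.
assume_role_policy() {
  role_arn=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "${role_arn}"
  }]
}
EOF
}

# Run with an administrator identity. Prints the role ARN to enter in Console.
create_scanner_role() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  role_arn="arn:aws:iam::${account_id}:role/${ROLE_NAME}"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$account_id" "$USER_NAME")" >/dev/null
  # Read-only Lambda access is all the scanner needs, per the documentation.
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AWSLambdaReadOnlyAccess
  aws iam put-user-policy --user-name "$USER_NAME" \
    --policy-name AssumePrismaScannerRole \
    --policy-document "$(assume_role_policy "$role_arn")"
  echo "$role_arn"
}

# Run with the scanner user's own keys (e.g. AWS_PROFILE=prisma-scanner):
# assume the role and list functions with the temporary credentials.
verify_scanner_role() {
  role_arn=$1
  creds=$(aws sts assume-role --role-arn "$role_arn" --role-session-name prisma-verify \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds
  AWS_ACCESS_KEY_ID=$1 AWS_SECRET_ACCESS_KEY=$2 AWS_SESSION_TOKEN=$3 \
    aws lambda list-functions --query 'Functions[].FunctionName' --output text
}

# Nothing talks to AWS unless a subcommand is given; otherwise only helpers load.
case "${1:-}" in
  create) create_scanner_role ;;
  verify) verify_scanner_role "${2:?role arn}" ;;
esac
```

Run `./scanner-role.sh create` once as an administrator, then `AWS_PROFILE=prisma-scanner ./scanner-role.sh verify <role-arn>`; if the second call lists your functions, the same user keys and role ARN will work in the Console credential dialog.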

Scanning Azure Functions

Azure Functions are architected differently than AWS Lambda and Google Cloud Functions. An Azure function app can hold multiple functions, and those functions are not segregated from each other: they share the same file system. Rather than separately scanning each function in a function app, the scanner downloads the root directory of the function app, which contains all its functions, and scans them as a bundle.
To do this, you must know the Region, Name (of the function), and Service Key. To get the Service Key, download and install the Azure CLI, then:
  1. Log in with a user that can create service principals and assign roles in the subscription (Owner or User Access Administrator).
    $ az login
  2. Create a service principal and get the service key. Newer Azure CLI releases flag --sdk-auth as deprecated, but it still produces the JSON format that Console expects.
    $ az ad sp create-for-rbac --sdk-auth --name twistlock-azure-serverless-scanning --role contributor
    Sample output from the previous command (the identifiers are placeholders):
    {
      "clientId": "f8e9de2o-45bd-af94-ae11-b9r8c5tfy3b6",
      "clientSecret": "4dfds482-6sdd-4dsb-b5ff-56123043c4dc",
      "subscriptionId": "ea19322m-z2bd-501c-dd11-234m547a944e",
      "tenantId": "c189c61a-6c27-41c3-9949-ca5c8cc4a624",
      "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
      "resourceManagerEndpointUrl": "https://management.azure.com/",
      "activeDirectoryGraphResourceId": "https://graph.windows.net/",
      "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
      "galleryEndpointUrl": "https://gallery.azure.com/",
      "managementEndpointUrl": "https://management.core.windows.net/"
    }
    As written, this assigns Contributor on the entire subscription. If the function apps to be scanned all live in one resource group, you can narrow the assignment to that group with --scopes.
  3. Copy the entire JSON output and paste it into the Service Key field for your Azure credentials in Prisma Cloud Console. The clientSecret inside it is a credential: treat the whole output as a secret, and keep it out of version control, shell history and CI logs.
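The service principal procedure above, as an added example that is not part of the Prisma Cloud documentation: it runs the same az ad sp create-for-rbac command with a resource-group scope instead of the subscription-wide Contributor assignment, writes the raw service key to a mode-0600 file for pasting into Console, prints only a redacted copy, and then lists what the principal was actually granted. The SP name follows the documentation; the resource-group scoping is an assumption that only holds if every function app you want scanned lives in that group, and the file name service-key.json is chosen here for illustration. The scope, redaction and field-extraction helpers run without Azure access; only the az calls need a logged-in CLI.

```shell
#!/usr/bin/env bash
# Added example: scoped Azure service principal for the Prisma Cloud serverless
# scanner, with the service key kept out of terminal and CI logs.
set -eu

SP_NAME="${SP_NAME:-twistlock-azure-serverless-scanning}"

# Scope string for a role assignment limited to one resource group.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Same command as in the documentation, plus --scopes. Prints the service-key JSON.
create_scanner_sp() {
  sub=$(az account show --query id --output tsv)
  az ad sp create-for-rbac --sdk-auth --name "$SP_NAME" \
    --role contributor --scopes "$(rg_scope "$sub" "$1")"
}

# The JSON must be pasted into Console complete, but clientSecret is a
# credential: strip it before anything is echoed to a terminal or CI log.
redact_service_key() {
  sed -E 's/("clientSecret": *")[^"]*"/\1<redacted>"/'
}

# Pull one top-level string field out of the (single- or multi-line) JSON.
json_field() {
  sed -nE "s/.*\"$1\": *\"([^\"]*)\".*/\1/p" | head -n 1
}

# Check: list the roles the new principal actually holds at the chosen scope.
verify_scanner_sp() {
  client_id=$1; rg=$2
  sub=$(az account show --query id --output tsv)
  az role assignment list --assignee "$client_id" \
    --scope "$(rg_scope "$sub" "$rg")" --query '[].roleDefinitionName' --output tsv
}

# Usage: ./azure-scanner-sp.sh <resource-group>; with no argument only helpers load.
if [ -n "${1:-}" ]; then
  key=$(create_scanner_sp "$1")
  # Raw key goes to a 0600 file for pasting into Console; only the redacted form is printed.
  (umask 077; printf '%s\n' "$key" > service-key.json)
  printf '%s\n' "$key" | redact_service_key
  verify_scanner_sp "$(printf '%s' "$key" | json_field clientId)" "$1"
fi
```

Delete service-key.json once the key is in the Console credentials store; the verify output should show exactly one role (Contributor) at the resource-group scope and nothing at subscription level.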

Scanning functions with twistcli

You can also use the twistcli command line utility to scan your serverless functions. First download your serverless function as a ZIP file, then run:
$ twistcli serverless scan <SERVERLESS_FUNCTION.ZIP>
Scan reports can be viewed in Prisma Cloud Console, but only when you pass both the --ci and the --publish flags to twistcli. These flags are designed to minimize clutter in the Console UI: many people might be using twistcli for scanning, but not every result needs to be shared with the larger team in Console.
To view scan reports in Console, go to Monitor > Vulnerabilities > Functions > CI or Monitor > Compliance > Functions > CI.
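The twistcli flow above, as an added example that is not part of the Prisma Cloud documentation: the script fetches a Lambda function's deployment package through the presigned URL that aws lambda get-function returns, checks that what landed on disk really is a ZIP archive before scanning it, and then runs twistcli serverless scan with --ci and --publish so the result appears under the CI tab in Console. The Console address and the PRISMA_USER / PRISMA_PASSWORD variable names are assumptions; the ZIP check runs offline, the rest needs the AWS CLI and twistcli.

```shell
#!/usr/bin/env bash
# Added example: pull a Lambda deployment package and scan it with twistcli,
# publishing the result to Console. Console address and credential variable
# names are assumptions; replace them with your own.
set -eu

CONSOLE="${CONSOLE:-https://console.example.com:8083}"

# Fetch the function's deployment package. get-function returns a short-lived
# presigned S3 URL in Code.Location; it points at exactly the code that is deployed.
fetch_lambda_zip() {
  fn=$1; out=$2
  url=$(aws lambda get-function --function-name "$fn" \
    --query 'Code.Location' --output text)
  curl -fsSL -o "$out" "$url"
}

# A failed or expired presigned download can leave an XML error body on disk
# instead of an archive. Check the ZIP local-file-header magic (50 4b 03 04)
# before handing the file to the scanner.
is_zip() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -A n -t x1 | tr -d ' \n')
  [ "$magic" = "504b0304" ]
}

# --ci marks the result as a CI scan and --publish sends it to Console, so it
# shows up under Monitor > Vulnerabilities > Functions > CI.
scan_zip() {
  is_zip "$1" || { echo "$1 is not a ZIP archive, refusing to scan" >&2; return 1; }
  twistcli serverless scan --address "$CONSOLE" \
    --user "$PRISMA_USER" --password "$PRISMA_PASSWORD" \
    --ci --publish "$1"
}

# Usage: PRISMA_USER=... PRISMA_PASSWORD=... ./scan-lambda.sh <function-name>
# With no argument the file only defines the helpers.
if [ -n "${1:-}" ]; then
  fetch_lambda_zip "$1" "$1.zip"
  scan_zip "$1.zip"
fi
```

The same scan_zip helper works for a Google Cloud Function or Azure function app bundle you have downloaded by other means; only fetch_lambda_zip is AWS-specific.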
