1. Overview

Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure they execute as designed.

Per-function policies let you control:

  • Process activity. Enables verification of launched subprocesses against policy.

  • Network connections. Enables verification of inbound and outbound connections, and permits outbound connections to explicitly allowed domains.

  • File system activity. Controls which parts of the file system functions can access.

Currently, Prisma Cloud supports AWS Lambda functions. The following runtimes are supported:

  • C# (.NET Core 2.1)

  • Java 8

  • Node.js 10.x

  • Python 2.7, 3.6, and 3.7

Currently, only users with the Administrator role can see the list of deployed Serverless Defenders in Manage > Defenders > Manage.

2. Securing serverless functions

To secure an AWS Lambda function, embed the Prisma Cloud Serverless Defender into it. The steps are:

  1. (Optional) If you are not using a deployment framework like SAM or Serverless Framework, download a ZIP file that contains your function source code and dependencies.

  2. Embed the Serverless Defender into the function.

  3. Deploy the new function or upload the updated ZIP file to AWS.

  4. Define a serverless protection runtime policy.

  5. Define a serverless WAAS policy.

3. (Optional) Download your function as a ZIP file

Download your function’s source code from AWS as a ZIP file.

  1. From Lambda’s code editor, click Actions > Export function.

  2. Click Download deployment package.

    Your function is downloaded to your host as a ZIP file.

  3. Create a working directory, and unpack the ZIP file there.

    In the next step, you’ll download the Serverless Defender files to this working directory.

4. Embed Serverless Defender into C# functions

In your function code, import the Serverless Defender library and create a new protected handler that wraps the original handler. The protected handler will be called by AWS when your function is invoked. Update the project configuration file to add Prisma Cloud dependencies and package references.

Prisma Cloud supports .NET Core 2.1.

  1. Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.

  3. In Choose Defender type, select Serverless.

  4. In Runtime, select C#.

  5. Download the Serverless Defender package to your workstation.

  6. Unzip the Serverless Defender bundle into your working directory.

  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.

    Function input and output can be a struct or a stream. Functions can be synchronous or asynchronous. The context parameter is optional in .NET, so it can be omitted.

      using Twistlock;
    
      public class ... {
          // Original handler
          public ApplicationLoadBalancerResponse Handler(ApplicationLoadBalancerRequest request, ILambdaContext context)
          {
            ...
          }
    
          // Application load balancer example
          // Twistlock protected handler
          public ApplicationLoadBalancerResponse ProtectedHandler(ApplicationLoadBalancerRequest request, ILambdaContext context)
          {
              return Twistlock.Serverless.Handler<ApplicationLoadBalancerRequest, ApplicationLoadBalancerResponse>(Handler, request, context);
          }
          ...
      }
  8. Add the Twistlock package as a dependency in your nuget.config file.

    If a nuget.config file doesn’t exist, create one.

    <configuration>
      <packageSources>
        <add key="local-packages" value="./twistlock"/>
      </packageSources>
    </configuration>
  9. Reference the Twistlock package in your csproj file.

    <Project>
      <ItemGroup>
        <PackageReference Include="Twistlock" Version="19.11.462"/>
        <TwistlockFiles Include="twistlock/*" Exclude="twistlock/twistlock.19.11.462.nupkg"/>
      </ItemGroup>
      <Target Name="CopyCustomContentOnPublish" AfterTargets="Publish">
        <Copy SourceFiles="@(TwistlockFiles)" DestinationFolder="$(PublishDir)/twistlock"/>
      </Target>
      .
      .
      .
    </Project>
  10. Generate the value for the TW_POLICY environment variable by specifying your function’s name.

    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.

    Copy the value generated for TW_POLICY, and set it aside.

  11. Upload the protected function to AWS, and set the TW_POLICY environment variable.

5. Embed Serverless Defender into Java functions

To embed Serverless Defender, import the Twistlock package and update your code to start Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and Gradle projects. You’ll also need to update your project metadata to include Serverless Defender dependencies.

Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library: RequestStreamHandler (where input must be serialized JSON) and RequestHandler.

AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry point to Serverless Defender, assumes the entry point to your code is named handleRequest. After embedding Serverless Defender, update the name of the handler registered with AWS to be the wrapper method that calls Twistlock.Handler() (for example, protectedHandler).

Prisma Cloud supports both service struct and stream input (serialized struct). Even though the Context parameter is optional for unprotected functions, it’s manadatory when embedding Serverless Defender.

Prisma Cloud supports Java 8.

  1. Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.

  3. In Choose Defender type, select Serverless.

  4. In Runtime, select Java.

  5. In Package, select Maven or Gradle.

    The steps for embedding Serverless Defender differ depending on the build tool.

  6. Download the Serverless Defender package to your workstation.

  7. Unzip the Serverless Defender bundle into your working directory.

  8. Embed Serverless Defender into your function by importing the Prisma Cloud package and wrapping the function’s handler.

    import com.twistlock.serverless.Twistlock;
    
    public class ... implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {
    
      // Original handler
      @Override
      public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent request, Context context) {
      {
        ...
      }
    
      // RequestHandler example
      // Twistlock protected handler
      public APIGatewayProxyResponseEvent protectedHandler(APIGatewayProxyRequestEvent request, Context context) {
        return Twistlock.Handler(this, request, context);
      }
      ...
    }
    ...
  9. Update your project configuration file.

    1. Maven

      Update your pom.xml file. Don’t create new sections for the Prisma Cloud configurations. Just update existing sections. For example, don’t create a new <plugins> section if one exists already. Just append a <plugin> section to it.

      Add the assembly plugin to include the Twistlock package in the final function JAR. Usually the shade plugin is used in AWS to include packages to standalone JARs, but it doesn’t let you include local system packages.

      <project>
        <build>
          <!-- Add assembly plugin to create a standalone jar that contains Twistlock library -->
          <plugins>
            <plugin>
              <artifactId>maven-assembly-plugin</artifactId>
              <configuration>
                <appendAssemblyId>false</appendAssemblyId>
                <descriptors>
                  <descriptor>assembly.xml</descriptor>
                </descriptors>
              </configuration>
              <executions>
                <execution>
                 <id>make-assembly</id>
                 <phase>package</phase>
                 <goals>
                  <goal>attached</goal>
                 </goals>
                </execution>
              </executions>
            </plugin>
            ...
          </plugins>
        <!-- Add Twistlock resources -->
        <resources>
          <resource>
            <directory>${project.basedir}</directory>
            <includes>
              <include>twistlock/*</include>
              </includes>
            <excludes>
              <exclude>twistlock/*.jar</exclude>
            </excludes>
          </resource>
          ...
        </resources>
        ...
      </build>
        <!-- Add Twistlock package reference -->
        <dependencies>
          <dependency>
            <groupId>com.twistlock.serverless</groupId>
            <artifactId>twistlock</artifactId>
            <version>19.11.462</version>
            <scope>system</scope>
            <systemPath>${project.basedir}/twistlock/twistlock-19.11.462.jar</systemPath>
          </dependency>
          ...
        </dependencies>
        ...
      </project>
    2. Create an assembly.xml file, which packs all dependencies in a standalone JAR.

      <assembly>
        <id>twistlock-protected</id>
        <formats>
          <format>jar</format>
        </formats>
        <includeBaseDirectory>false</includeBaseDirectory>
        <dependencySets>
          <!-- Unpack runtime dependencies into runtime jar -->
          <dependencySet>
            <unpack>true</unpack>
            <scope>runtime</scope>
          </dependencySet>
          <!-- Unpack local system dependencies into runtime jar -->
          <dependencySet>
            <unpack>true</unpack>
            <scope>system</scope>
          </dependencySet>
        </dependencySets>
      </assembly>
  10. Gradle

    Update your build.gradle file.

    1. Add Twistlock package reference in the project configuration file i.e build.gradle

      dependencies {
          compile (
              files('twistlock/twistlock-19.11.462.jar')
          )
      }
      
      task buildZip(type: Zip) {
          from compileJava
          from processResources
          into('lib') {
              from configurations.runtimeClasspath
          }
          // Include Twistlock dependencies
          into ('twistlock') {
              from 'twistlock'
              exclude "*.jar"
          }
      }
      
      build.dependsOn buildZip
  11. In AWS, set the name of the Lambda handler for your function to protectedHandler.

  12. Generate the value for the TW_POLICY environment variable by specifying your function’s name.

    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.

    Copy the value generated for TW_POLICY, and set it aside.

  13. Upload the protected function to AWS, and set the TW_POLICY environment variable.

6. Embed Serverless Defender into Node.js functions

Import the Serverless Defender module, and configure your function to start it. Prisma Cloud supports Node.js 10.x.

  1. Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.

  3. In Choose Defender type, select Serverless.

  4. In Runtime, select Node.js.

  5. Download the Serverless Defender package to your workstation.

  6. Unzip the Serverless Defender bundle into your working directory.

  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.

    1. For asynchronous handlers:

      // Async handler
      var twistlock = require('./twistlock');
      exports.handler = async (event, context) => {
      .
      .
      .
      };
      exports.handler = twistlock.asyncHandler(exports.handler);
    2. For synchronous handlers:

      // Non-async handler
      var twistlock = require('./twistlock');
      exports.handler = (event, context, callback) => {
      .
      .
      .
      };
      exports.handler = twistlock.handler(exports.handler);
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.

    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.

    Copy the value generated for TW_POLICY, and set it aside.

  9. Upload the protected function to AWS, and set the TW_POLICY environment variable.

7. Embed Serverless Defender into Python functions

Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud supports Python 2.7, 3.6, and 3.7.

  1. Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

  2. Choose the DNS name or IP address Serverless Defender uses to connect to Console.

  3. In Choose Defender type, select Serverless.

  4. In Runtime, select Python.

  5. Download the Serverless Defender package to your workstation.

  6. Unzip the Serverless Defender bundle into your working directory.

  7. Embed the serverless Defender into the function by importing the Prisma Cloud library and wrapping the function’s handler.

    import twistlock.serverless
    @twistlock.serverless.handler
    def handler(event, context):
    .
    .
    .
  8. Generate the value for the TW_POLICY environment variable by specifying your function’s name.

    Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve policy and send audits.

    Copy the value generated for TW_POLICY, and set it aside.

  9. Upload the protected function to AWS, and set the TW_POLICY environment variable.

    • Prisma Cloud Serverless Defender includes native node.js libraries. If you are using webpack, please refer to tools such as native-addon-loader to make sure these libraries are included in the function ZIP file.

8. Upload the protected function to AWS

After embedding Serverless Defender into your function, upload it to AWS. If you are using a deployment framework such as SAM or Serverless Framework just deploy the function with your standard deployment procedure. If you are using AWS directly, follow the steps below:

  1. Upload the new ZIP file to AWS.

    1. In Designer, select your function so that you can view the function code.

    2. Under Code entry type, select Upload a .ZIP file.

    3. Specify a runtime and the handler.

      Validate that Runtime is a supported runtime, and that Handler points to the function’s entry point.

    4. Click Upload.

      install serverless defender upload zip
    5. Click Save.

  2. Set the TW_POLICY environment variable.

    1. In Designer, open the environment variables panel.

    2. For Key, enter TW_POLICY.

    3. For Value, paste the rule you copied from Compute Console.

    4. Click Save.

9. Defining your runtime protection policy

Prisma Cloud ships with a default runtime policy for all serverless functions that blocks all processes from running except the main process. This default policy protects against command injection attacks.

You can customize the policy with additional rules. By default, new rules apply to all functions (*), but you can target them to specific functions by function name.

When functions are invoked, they connect to Compute Console and retrieve the latest policy. To ensure that functions start executing at time=0 with your custom policy, you must predefine the policy. Predefined policy is embedded into your function along with the Serverless Defender by way of the TW_POLICY environment variable.

  1. Log into Prisma Cloud Console.

  2. Go to Defend > Runtime > Serverless Policy.

  3. Click Add rule.

  4. In the General tab, enter a rule name.

  5. (Optional) Target the rule to specific functions.

    In Functions, enter a function name. Use pattern matching to refine how the rule is applied.

  6. Set the rule parameters in the Processes, Networking, and File System tabs.

  7. Click Save.

10. Defining your serverless WAAS policy

Prisma Cloud lets you protect your serverless functions against application layer attacks by utlizing the serverless Web Application and API Security (WAAS).

By default, the serverless WAAS is disabled. To enable it, add a new serverless WAAS rule.

  1. Log into Prisma Cloud Console.

  2. Go to Defend > Firewalls > Cloud Native Application Firewall > Serverless.

  3. Click Add rule.

  4. In the General tab, enter a rule name.

  5. (Optional) Target the rule to specific functions.

    In Functions, enter a function name. Use pattern matching to refine how the rule is applied.

  6. Set the protections you want to apply (SQLi, CMDi, Code injection, XSS, LFI).

  7. Click Save.