1. Overview

Serverless Radar helps you to visualize and inspect the attack surface of the serverless functions in your environment. Although Prisma Cloud supports multiple serverless environments, currently serverless radar supports AWS Lambda only.

Serverless functions use different interconnect patterns than containers. Serverless apps are highly decomposed and interact with services using cloud provider-specific gateways, rather than directly with each other or through service meshes. Security teams can have difficulty conceptualizing these interactions, identifying which functions interface with which high value assets, and pinpointing unaccpetable exposure.

Even though cloud providers secure the underlying infrastructure that enables Functions as a Service (including isolating functions from each other), it’s still easy to deploy functions with vulnerabilities, insecure configurations, and overly permissive roles. The underlying platform might be secure, but sensitive data can still be lost when an insecure function with read access to an S3 bucket is compromised.

Prisma Cloud offers a serverless-specific view in Radar. Serverless Radar uses a three panel view to show the invocation methods for each function, the services they use, and the permissions granted to access those services.

2. Layout

Serverless Radar shows you how functions interface with other services in their environment.

serverless radar flow

The left-most column shows how functions are invoked. This is known as the trigger or event source. Triggers publish events, and Lambda functions are the custom code that process those events.

The middle column shows all the functions in your environment. Functions are colored maroon, red, orange, yellow, or green to let you quickly assess their security posture. By default, functions are colored by their most severe vulnerabilities, but you can view functions by highest severity compliance issue or runtime events. For vulnerability results, you must configure Prisma Cloud to scan your functions. For runtime issues, you must embed Serverless Defender into your functions.

The right-most column shows the services with which each function interfaces. Drilling into the function data reveals the permissions each function has been granted to access those services.

Lines connect triggers to functions to services, letting security teams to visualize the entire connectivity flow and access rights. Clicking on individual functions highlights their interconnects in the radar, and opens a pop-up that lets you drill into the details.

3. Exploring the data

Prisma Cloud finds, scans, and displays the $LATEST version and all published versions of your functions. Clicking a node in Serverless Radar lets you inspect a function’s configuration and explore all the security-related data that Prisma Cloud has indexed about it.

For example, clicking on the or-test2:$LATEST function opens a popup with summary findings. This particular function has two high risk compliance issues. Clicking on the compliance link takes you to a list of compliance issues for the function.

serverless radar explore

Compliance issue 437 indicates overly permissive access to one or more services. Expanding the issue reveals the reason why this compliance issue was raised, with a list of non-compliant service access configurations. One of the misconfigured access policy is for S3.

serverless radar explore compliance

Returning to the first pop-up window, and clicking into the S3 service, you can see that all the actions for the function’s execution role are tightly scoped, except for the last one. It allows all actions on all resources, and could easily be an erroneous configuration overlooked when it was pushed into production.