AWS Resources and Permissions for Serverless Runtime Protection
When Serverless Protection is applied to the Lambda functions in your AWS
Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. account, some resources are created in the AWS account and CloudGuard is granted permissions to access the resources. This is in addition to the information accessed by, and permissions granted to CloudGuard when the account is onboarded.
Serverless protection is enabled for a specific user's AWS account by launching a CFT (CloudFormation Template) stack, which is downloaded from CloudGuard to the user's AWS account. This stack creates resources and permissions that CloudGuard uses.
In addition, if Serverless Runtime Protection is enabled for specific functions in an account, a Serverless Runtime Protection Lambda Layer is deployed for each function.
CloudFormation Template
Each data center has its CloudFormation Template in YAML syntax, which you can download from the designated data center locations:
|
Data Center |
Region |
CloudFormation Template Link |
|---|---|---|
|
United States |
us-east-1 |
https://magnatar-protego.s3.amazonaws.com/magnatar-unified-cross-account-template.yaml |
|
Ireland |
eu-west-1 |
https://723885542676-protego.s3.amazonaws.com/723885542676-unified-cross-account-template.yaml |
|
India |
ap-south-1 |
https://guru-protego.s3.amazonaws.com/guru-unified-cross-account-template.yaml |
|
Singapore |
ap-southeast-1 |
https://uranus-protego.s3.amazonaws.com/uranus-unified-cross-account-template.yaml |
|
Australia |
ap-southeast-2 |
https://neptune-protego.s3.amazonaws.com/neptune-unified-cross-account-template.yaml |
|
Canada |
ca-central-1 |
https://polaris-protego.s3.ca-central-1.amazonaws.com/polaris-unified-cross-account-template.yaml |
Deployed Resources
This section describes the resources that CloudGuard deploys when you enable serverless protection for an AWS account and when you apply Serverless Runtime Protection for specific functions.
CFT Stack Resources
CloudGuard applies protection to serverless functions with a CFT stack. CloudGuard deploys this stack which runs in your AWS account.
This stack creates resources on your account, and CloudGuard uses the resources when it scans functions for issues and monitors function runtime activity.
Functions
-
code scanning functions - These are deployed for each supported runtime environment
IAM roles and policies
-
cross-account role - Allows CloudGuard to access a user's AWS account and read information about functions. The specific permissions are listed in the table below.
IAM Permission
Use
cloudwatch: GetMetricData
Collect statistical information such as number of invocations, their durations, and errors
cloudwatch: GetMetricStatistics
Collect statistical information such as number of invocations, their durations, and errors
lambda:ListVersionsByFunction
Explore functions in the account and get data about functions
lambda: ListAliases
Explore functions in the account and get data about functions
lambda: ListFunctions
Explore functions in the account and get data about functions
lambda: ListTags
Get the functions tags
lambda:GetLayerVersion
Function code analysis: scan any layer used by the function
lambda:ListEventSourceMappings
Continuous Scanning and Analysis
lambda:GetFunction
Get information about the function
lambda:GetFunctionConfiguration
Get the functions configuration for serverless function, to update the function code
lambda:GetPolicy
Get the function policy
lambda: GetFunctionUrlConfig
Continuous Scanning and Analysis
iam: ListRolePolicies
Describe the set of permissions configured to the function, used in order to provide security insights
iam: ListAttachedRolePolicies
Continuous Scanning and Analysis
iam: GetRolePolicy
Continuous Scanning and Analysis
iam: GetPolicyVersion
Continuous Scanning and Analysis
iam: GetPolicy
Get information about the policies
iam: GetRole
Continuous Scanning and Analysis
iam:SimulatePrincipalPolicy
Check the account required permissions
events:ListRuleNamesByTarget
-
sns:ListSubscriptionsByTopic
-
ec2:DescribeRegions
Get all enabled customer regions
s3:GetBucketNotification
Serverless Function Runtime
s3:GetBucketLocation
Serverless Function Runtime
s3:GetBucketAcl
Serverless Function Runtime
s3:GetBucketPolicy
Serverless Function Runtime
-
execution role - For code scanning functions
-
execution role - For the Serverless Runtime Protection Log Sender function, used for Serverless Runtime Protection.
-
LogSenderRole - CloudGuard resource
IAM Permission
Use
sqs:GetQueueUrl
Serverless Function Runtime
sqs:SendMessage
Serverless Function Runtime
-
FSPInjectorRole - CloudGuard resource
IAM Permission
Use
lambda:ListLayerVersions
Serverless Function Runtime Instrumentation
lambda:ListLayers
Serverless Function Runtime Instrumentation
lambda:UpdateFunctionCode
Serverless Function Runtime Instrumentation
lambda:UpdateFunctionConfiguration
Serverless Function Runtime Instrumentation
logs:GetQueryResults
Serverless Function Runtime Instrumentation
logs:StartQuery
Serverless Function Runtime Instrumentation
-
CodeAnalysisRole - CloudGuard resource
IAM Permission
Use
lambda:ListLayerVersions
Continuous Scanning and Analysis, Serverless Function Runtime Server
lambda:ListLayers
Continuous Scanning and Analysis
Log Groups
-
log groups - For each code scanning lambda function - used to forward results to CloudGuard backend.
S3 Bucket
-
S3 bucket - Used to store Serverless Runtime Protection policy for function, and connect it with Serverless Runtime Protection layer, for runtime protection monitoring.
Lambda Layer
CloudGuard deploys a lambda layer on Serverless Runtime Protection, for each function that has this protection enabled.
Scanning Resources
CloudGuard uses these resources in the user's AWS account when it scans serverless functions.
|
Resource |
Description |
|---|---|
|
Functions |
A code analysis function is deployed for each supported runtime (Python, Java, C#, Node.js) |
|
Log Groups |
A log group is created for each code scanning function |
|
CodeAnalysis Execution role - Used by functions; these roles have Allow permissions for these actions: logs:CreateLogStream, logs:PutLogEvents, lambda:GetFunction, lambda:ListLayers, lambda:GetLayerVersion, lambda:ListLayerVersions |
Serverless Runtime Protection Resources
CloudGuard uses these resources in your AWS account, to monitor the runtime of activities of serverless functions (if runtime protection is enabled for the function).
|
Resource |
Description |
|---|---|
|
Lambda Layer |
For each function in an AWS makes sure which Serverless Runtime Protection is enabled, CloudGuard deploys a Layer. This layer monitors function activities, and enforces the runtime policy. |
|
Functions |
Serverless Runtime Protection Log Sender - This function is deployed on-demand from CloudGuard in a specific region of the user's AWS account. It is not deployed by the CFT stack. |
|
IAM Roles |
An IAM role is used by the Serverless Runtime Protection Log Sender function, to send log group to the CloudGuard backend; these roles have Allow permissions for these actions: lambda:CreateFunction, lambda:DeleteFunction, lambda:AddPermission, logs:CreateLogGroup, logs:PutRetentionPolicy, logs:DeleteLogGroup, logs:CreateLogStream, logs:PutLogEvents |
|
S3 Buckets |
An S3 bucket is created by the CFT stack, for each account. A folder is created in the bucket for each function that has Serverless Runtime Protection enabled. |
|
Log Groups |
A log group is created for the Log Sender function, which sends runtime information to the CloudGuard backend. |