AWS Serverless Function Runtime Protection

You can apply CloudGuard protection to serverless functions at runtime. This protects functions from malicious inputs or attacks, while it monitors the function behavior for anomalous behavior and acts as a workload firewall for inputs from malicious sources. It does not change the source code of the function and has minimal impact on the function's runtime performance.

Before you apply Runtime Protection to the serverless functions, you must onboard the AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environment to Serverless Protection, see Enabling Serverless Protection below.

With Serverless Function Runtime Protection, you can:

  • Apply a workload firewall on inputs to the function, which analyzes the input payloads for malicious attack patterns.

  • Detect and, optionally, prevent anomalous runtime behavior.

  • Use a function-specific profile of actual function behavior, to build an allowlist of normative activity (baseline).

  • Detect or prevent attacks based on anomalous behavior.

  • Get visibility into what the application code is doing, including monitoring process launching, network activity, and API calls.

  • Reduce the effect on function runtime performance.

How it Works

You have two options to apply Runtime Protection in your account:

  • For each serverless function individually or at the account level:

    • To detect issues with Auto Protect

    • To detect and prevent issues with Auto Protect and Block on detect

  • To AWS functions at the CI/CD stage on their deployment in your environment, with the CI/CD Plugin.

When you apply protection, CloudGuard adds a small module to your function that is loaded in runtime, along with the function. This module monitors your function, while it adds some runtime overhead. It is also fully transparent - all reporting is done with the function logs, so you can review the metadata it collects.

Runtime protection dynamically inspects different points in the flow of functions, with mechanisms such as pattern matching, flow analysis, "denylisting" and "allowlisting", and applies policies such as reporting and blocking in response to suspicious activity.

Best Practice - Check Point recommends to enable Serverless Runtime Protection gradually, in several stages.

  1. Enable Runtime Protection on your QA (staging, sandbox) environment.

    • Run your automation tools and make sure everything works properly.

    • Let Runtime Protection work for a while, based on your needs, to create an allowlist.

    • Make sure the allowlist is accurate, there is no false positive.

  2. Enable Runtime Protection on your production environment with the Detect mode. Make sure everything works properly.

  3. Enable Runtime Protection on your production environment with the Detect and Prevent mode.

Allowlist

When you enable runtime protection for a serverless function, CloudGuard uses machine learningClosed The process of using mathematical models to predict outcomes versus relying on a set of instructions. This is made possible by identifying patterns within data, building an analytical model, and using it to make predictions and decisions. Machine learning bears similarity to how humans learn, in that increased experience can increase accuracy. techniques to profile the function in runtime and to create an "Allowlist" of its normative (permitted) actions. This includes:

  • Processes

  • Files and local storage accessed

  • API functions (some calculated by a code analysis, some by runtime monitoring, which may include cases of code injection)

  • External hosts accessed

  • Network addresses communicating with the function

The Runtime Protection tab shows the Allowlist for a function. You can manually add activities to the Allowlist when you configure exclusions (Creating Serverless Functions Exclusions) or remove actions when you configure rules (Creating Serverless Functions Rules).

Rules and Exclusions

You can manually add or remove actions to the Allowlist. In this procedure, you can adjust the Allowlist that is automatically created when the function is profiled.

Rules remove actions from the allowlist, and exclusions add actions.

The Rules & Exclusions tab shows the rules and exclusions configured for a function.

Note - These rules and exclusions apply to the serverless function only. The rules and exclusions you configure on the Cloud Security Posture Management (CSPM) level apply to all functions and the environment.

Events

CloudGuard creates an event notification when it detects anomalous runtime behavior or malicious inputs. You can see these notifications for each function individually or on the Events page, together with notifications from other functions and other CloudGuard sources.

The table below lists the runtime alert messages created by Serverless Runtime Protection.

Actions