Data Handling

Data Collection

CloudGuard collects data about AWS serverless functions at two points in the function's use:

  • When the function is scanned, before deployment - CloudGuard collects data about the function when it is built before it is deployed to the cloud account.

  • At runtime - The Serverless Runtime Protection collects information about the actions the function performs at runtime.

Function Scan Data

CloudGuard scans serverless functions in your AWS accounts that are onboarded to CloudGuard and have Serverless protection enabled. This occurs when you apply serverless protection to them, with the CloudGuard web interface or API, or when somebody changes the function code.

The scan uses the AWS GetFunctionConfiguration API method to get information about the serverless function. This method returns the function's configuration but not its source code, which CloudGuard does not collect.

Collected Information

The function scan gets this information about the function:

Code Scan

CloudGuard scans the code of serverless functions in your AWS accounts that are onboarded to CloudGuard and have Serverless protection enabled. This occurs when the function is deployed, when you apply serverless protection to it with the CloudGuard web interface or API, or when somebody changes the function code.

CloudGuard runs the code scan inside the user's AWS account, using functions that CloudGuard deploys into that account as part of enabling Serverless protection. The function source code is not exposed outside the user's AWS account. The scanning functions send the results of the scan to the CloudGuard backend, which uses them to prepare a risk assessment for the function (for example, to show where the function is granted too many IAM permissions).

Collected Information

The code scan checks the function source code for these items:

  • API calls used by the function

  • Dependency list of libraries and other modules

  • Hard-coded credentials, such as passwords and keys

CloudGuard uses this information to prepare the risk assessment for the function. The scan does not send actual user data to CloudGuard, such as API payloads or the values of hard-coded passwords or keys.
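As an added illustration (not CloudGuard's own scanner), the Python sketch below applies the three checks listed above to a constructed sample of function source and, as the text specifies, reports only where a hard-coded credential occurs, never its value. The regex-based detection, the finding kinds and the use of imports as the dependency list are assumptions made for this example.

```python
import json
import re
# Constructed sample of a function's source used as the scan input (not a real function).
SAMPLE_SOURCE = """\
import os
import boto3
import requests
s3 = boto3.client("s3")
ddb = boto3.client("dynamodb")
API_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "not-a-real-password"
def handler(event, context):
    obj = s3.get_object(Bucket="bucket", Key=event["key"])
    ddb.put_item(TableName="table", Item={"k": {"S": "v"}})
    return {"status": 200}
"""
IMPORT_RE = re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)", re.M)  # imports stand in for the dependency list
CLIENT_RE = re.compile(r"^\s*(\w+)\s*=\s*boto3\.client\(\s*['\"](\w+)['\"]", re.M)
# Each credential finding records only the kind and line number, never the matched value.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_literal": re.compile(r"\b\w*(?:password|passwd|secret|token)\w*\s*=\s*['\"][^'\"]+['\"]", re.I),
}

def scan_source(source: str) -> dict:
    """Report the AWS API calls, imported dependencies and credential locations found in source."""
    clients = dict(CLIENT_RE.findall(source))  # client variable name -> AWS service name
    api_calls = set()
    for var, service in clients.items():
        for method in re.findall(rf"\b{re.escape(var)}\.(\w+)\(", source):
            api_calls.add(f"{service}:{method}")
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind})
    return {"api_calls": sorted(api_calls),
            "dependencies": sorted(set(IMPORT_RE.findall(source))),
            "hardcoded_credentials": findings}

def report_is_value_free(report: dict, source: str) -> bool:
    """True when no string literal from a flagged line appears anywhere in the report."""
    lines, serialized = source.splitlines(), json.dumps(report)
    for finding in report["hardcoded_credentials"]:
        for literal in re.findall(r"['\"]([^'\"]+)['\"]", lines[finding["line"] - 1]):
            if literal in serialized:
                return False
    return True

if __name__ == "__main__":
    print(json.dumps(scan_source(SAMPLE_SOURCE), indent=2))
```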

Serverless Runtime Protection Data

At runtime, the Serverless Runtime Protection parses the function log group and extracts information about the actions that the function performs:

  • Inputs

  • File access

  • Host connections

  • API actions

  • Processes that the function launches

It sends the extracted information to the CloudGuard engine over HTTPS. The module also reports whether it blocked the action or only detected it. You set this preference (block or detect) in the CloudGuard web interface or API when you apply Serverless Runtime Protection to the function.

Data in Motion

The Serverless Runtime Protection writes the information destined for the CloudGuard engine to the function log group; from there, a function deployed in the user account fetches it and sends it to CloudGuard over HTTPS.

Data at Rest

Information that CloudGuard gets about serverless functions from function scans, code scans, or runtime monitoring is stored in a database in the CloudGuard engine, in the CloudGuard AWS account.

Information in this database is encrypted at rest.

Data Privacy

CloudGuard protects the information collected about and from serverless functions according to the Check Point Privacy Policy.