Serverless Risk Assessment
CloudGuard Proact Serverless protection evaluates the risk in serverless functions in your AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environments. CloudGuard scans and analyzes your functions and their dependent libraries for vulnerabilities, IAM Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. permissions that are not necessary, and sensitive information such as passwords and keys. It then calculates a Posture score, based on the number, nature, and severity of vulnerabilities found, and generates alerts for each vulnerability, that show the specific issues and, in many cases, the actions necessary to remedy them.
To activate Proact Serverless risk assessment, your AWS environment must be onboarded to CloudGuard (see Unified Onboarding of AWS Environments). Enable Serverless protection (see Enabling Serverless Protection) if you skipped this step during the onboarding procedure.
Benefits
-
Identify overly permissive IAM roles used by serverless functions
-
Identify 3rd-party libraries for vulnerabilities
-
Identify hard-coded credentials, secrets, and other sensitive information in serverless code
-
Identify functions that are not used
Continuous Scanning and Analysis
CloudGuard Proact scans the functions in your cloud accounts when they are onboarded to CloudGuard. In addition, CloudGuard rescans functions when they are changed to provide a continuous and up-to-date risk assessment.
Posture Explorer
The Posture Explorer is a graphical view of the security posture of a serverless function, based on an analysis of the function.
Legend:
Item |
Description |
---|---|
1 |
The serverless function |
2 |
The cloud service types that can trigger the function |
3 |
The service types that the function has permission to access |
Scan in CI/CD
In addition, you can scan your functions in the CI/CD pipeline, before they are deployed to your cloud account, with the Serverless CI/CD Plugin. This runs as part of your CI/CD toolchain, scans for the same risks, and presents the results in the CI/CD tool. In addition, you can configure it to block the deployment of builds containing specific risks.
Finding Types
The table below lists the scan-finding types.
Finding type |
Description |
---|---|
Permissive Role |
This Lambda function uses a role that has redundant permissions, which are not required by the function. Permissions that are not necessary increase the function attack surface, which can be leveraged by attackers to find sensitive data and possibly cause a takeover of all resources. |
Vulnerable Dependency |
This Lambda function uses a library that has known vulnerabilities. |
Credentials Usage |
This Lambda function has credentials hard-coded as part of the Lambda code or of the environment variables. Setting credentials hard-coded can cause a leak of credentials. Attackers can use this to find sensitive data and take over all the resources. |
Unused Resource |
This resource has not been in use for a while, which means that a Lambda function was inactive for more than 90 days. Serverless scanners use AWS CloudWatch metrics to verify the Lambda usage. Keeping unused resources in your account can increase the attack surface of your account. |
Versions |
This Lambda function has more versions than the maximum additional version limit. Some of them may not be in use. |
Excessive Timeout |
This function has a large timeout configured that is not necessary. Attackers can leverage the long execution of the function to cause more damage in case of a vulnerability in the function. |
Obsolete Runtime |
This Lambda function uses an obsolete runtime version. AWS support for this Lambda runtime has ended. The Lambda function no longer applies security patches or other updates to the runtime. The Lambda function does not block invocations of functions that use deprecated runtime versions. Function invocations continue indefinitely after the runtime version reaches the end of support. But Check Point strongly recommends that you migrate functions to a supported runtime version. |
Actions
With serverless protection enabled:
-
CloudGuard continuously scans your serverless functions for vulnerabilities and risks - Serverless Risk Assessment
-
You can apply runtime protection to your functions when they are invoked - AWS Serverless Function Runtime Protection
Your AWS account must already be onboarded to CloudGuard. See Unified Onboarding of AWS Environments for details on how to do this.
To enable CloudGuard protection on your serverless functions, you must grant permission to CloudGuard to access these assets in your accounts. In addition, the permissions granted to CloudGuard in the account onboarding procedure. In the procedure described below, you use an AWS CloudFormation (CFT) stack, which you run in your account. To learn more about the CFT resources deployed on your account, see AWS Resources and Permissions for Serverless Runtime Protection.
To enable Serverless Protection:
-
Navigate to Assets > Environments.
-
Click Enable Serverless protection for an AWS account from the list.
-
Follow the instructions on the wizard page that opens. Click Create Cross-Account Role.
The prompt suggests you sign in to your AWS account and then it redirects you to the CloudFormation page. You can see a CFT stack that grants CloudGuard a cross-account role in your AWS account.
-
In the AWS console, select the option I acknowledge that AWS CloudFormation might create IAM resources with custom names.
-
Click Create stack.
CloudFormation starts to create the stack.
-
In the AWS console, click the Template tab to view details for the permissions that CloudGuard obtains when the stack is created. After you create the stack, more permissions are granted to CloudGuard, and CloudGuard completes the procedure of enabling protection.
When complete, the serverless functions appear in the CloudGuard portal in the protected assets list of the environment, on the Protected Assets page, as well as on the Workload Protection > Serverless Functions page.
You can see the Posture score for your functions and view findings generated by risks discovered in your functions.
To see scan results:
-
Navigate to Workload Protection > Serverless Functions. This page shows all the functions in your environments with enabled serverless protection. You can filter the list to show specific functions.
-
Select the function from the list. Select the General tab. You can see the details for this function. A Posture score shows the results of the scan.
-
Select the Posture Findings tab to see the findings generated from the scan with the Serverless source. The findings table is the same as the All Events table filtered for the specific Lambda.