AWS Resources and Permissions for Serverless Runtime Protection

When Serverless Protection is applied to the Lambda functions in your AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. account, some resources are created in the AWS account and CloudGuard is granted permissions to access the resources. This is in addition to the information accessed by, and permissions granted to CloudGuard when the account is onboarded.

Serverless protection is enabled for a specific user's AWS account by launching a CFT (CloudFormation Template) stack, which is downloaded from CloudGuard to the user's AWS account. This stack creates resources and permissions that CloudGuard uses.

In addition, if Serverless Runtime Protection is enabled for specific functions in an account, a Serverless Runtime Protection Lambda Layer is deployed for each function.

CloudFormation Template

Each data center has its CloudFormation Template in YAML syntax, which you can download from the designated data center locations:

Data Center

Region

CloudFormation Template Link

United States

us-east-1

https://magnatar-protego.s3.amazonaws.com/magnatar-unified-cross-account-template.yaml

Ireland

eu-west-1

https://723885542676-protego.s3.amazonaws.com/723885542676-unified-cross-account-template.yaml

India

ap-south-1

https://guru-protego.s3.amazonaws.com/guru-unified-cross-account-template.yaml

Australia

ap-southeast-2

https://neptune-protego.s3.amazonaws.com/neptune-unified-cross-account-template.yaml

Canada

ca-central-1

https://polaris-protego.s3.ca-central-1.amazonaws.com/polaris-unified-cross-account-template.yaml

Deployed Resources

This section describes the resources that CloudGuard deploys when you enable serverless protection for an AWS account and when you apply Serverless Runtime Protection for specific functions.

CFT Stack Resources

CloudGuard applies protection to serverless functions with a CFT stack. CloudGuard deploys this stack which runs in your AWS account.

This stack creates resources on your account, and CloudGuard uses the resources when it scans functions for issues and monitors function runtime activity.

Functions

  • code scanning functions - These are deployed for each supported runtime environment

IAM roles and policies

  • cross-account role - Allows CloudGuard to access a user's AWS account and read information about functions. The specific permissions are listed in the table below.

    IAM Permission 

    Use 

    cloudwatch: GetMetricData

    Collect statistical information such as number of invocations, their durations, and errors

    cloudwatch: GetMetricStatistics

    Collect statistical information such as number of invocations, their durations, and errors

    lambda:ListVersionsByFunction 

    Explore functions in the account and get data about functions

    lambda: ListAliases 

    Explore functions in the account and get data about functions

    lambda: ListFunctions 

    Explore functions in the account and get data about functions

    lambda: ListTags 

    Get the functions tags

    lambda:GetLayerVersion 

    Function code analysis: scan any layer used by the function

    lambda:ListEventSourceMappings 

    Continuous Scanning and Analysis

    lambda:GetFunction 

    Get information about the function

    lambda:GetFunctionConfiguration 

    Get the functions configuration for serverless function, to update the function code

    lambda:GetPolicy 

    Get the function policy

    lambda: GetFunctionUrlConfig

    Continuous Scanning and Analysis

    iam: ListRolePolicies 

    Describe the set of permissions configured to the function, used in order to provide security insights

    iam: ListAttachedRolePolicies

    Continuous Scanning and Analysis

    iam: GetRolePolicy 

    Continuous Scanning and Analysis

    iam: GetPolicyVersion 

    Continuous Scanning and Analysis

    iam: GetPolicy 

    Get information about the policies

    iam: GetRole 

    Continuous Scanning and Analysis

    iam:SimulatePrincipalPolicy 

    Check the account required permissions

    events:ListRuleNamesByTarget 

    -

    sns:ListSubscriptionsByTopic 

    -

    ec2:DescribeRegions 

    Get all enabled customer regions

    s3:GetBucketNotification 

    Serverless Function Runtime

    s3:GetBucketLocation

    Serverless Function Runtime

    s3:GetBucketAcl

    Serverless Function Runtime

    s3:GetBucketPolicy

    Serverless Function Runtime

  • execution role - For code scanning functions

  • execution role - For the Serverless Runtime Protection Log Sender function, used for Serverless Runtime Protection.

  • LogSenderRole - CloudGuard resource

    IAM Permission 

    Use 

    sqs:GetQueueUrl

    Serverless Function Runtime

    sqs:SendMessage

    Serverless Function Runtime

  • FSPInjectorRole - CloudGuard resource

    IAM Permission 

    Use 

    lambda:ListLayerVersions

    Serverless Function Runtime Instrumentation

    lambda:ListLayers

    Serverless Function Runtime Instrumentation

    lambda:UpdateFunctionCode

    Serverless Function Runtime Instrumentation

    lambda:UpdateFunctionConfiguration

    Serverless Function Runtime Instrumentation

    logs:GetQueryResults

    Serverless Function Runtime Instrumentation

    logs:StartQuery

    Serverless Function Runtime Instrumentation

  • CodeAnalysisRole - CloudGuard resource

    IAM Permission 

    Use 

    lambda:ListLayerVersions

    Continuous Scanning and Analysis, Serverless Function Runtime Server

    lambda:ListLayers

    Continuous Scanning and Analysis

Log Groups

  • log groups - For each code scanning lambda function - used to forward results to CloudGuard backend.

S3 Bucket

  • S3 bucket - Used to store Serverless Runtime Protection policy for function, and connect it with Serverless Runtime Protection layer, for runtime protection monitoring.

Lambda Layer

CloudGuard deploys a lambda layer on Serverless Runtime Protection, for each function that has this protection enabled.

Scanning Resources

CloudGuard uses these resources in the user's AWS account when it scans serverless functions.

Resource

Description

Functions

A code analysis function is deployed for each supported runtime (Python, Java, C#, Node.js)

Log Groups

A log group is created for each code scanning function

IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Roles

CodeAnalysis Execution role - Used by functions; these roles have Allow permissions for these actions:

logs:CreateLogStream, logs:PutLogEvents, lambda:GetFunction, lambda:ListLayers, lambda:GetLayerVersion, lambda:ListLayerVersions

Serverless Runtime Protection Resources

CloudGuard uses these resources in your AWS account, to monitor the runtime of activities of serverless functions (if runtime protection is enabled for the function).

Resource

Description

Lambda Layer

For each function in an AWS makes sure which Serverless Runtime Protection is enabled, CloudGuard deploys a Layer. This layer monitors function activities, and enforces the runtime policy.

Functions

Serverless Runtime Protection Log Sender - This function is deployed on-demand from CloudGuard in a specific region of the user's AWS account. It is not deployed by the CFT stack.

IAM Roles

An IAM role is used by the Serverless Runtime Protection Log Sender function, to send log group to the CloudGuard backend; these roles have Allow permissions for these actions:

lambda:CreateFunction, lambda:DeleteFunction, lambda:AddPermission, logs:CreateLogGroup, logs:PutRetentionPolicy, logs:DeleteLogGroup, logs:CreateLogStream, logs:PutLogEvents

S3 Buckets

An S3 bucket is created by the CFT stack, for each account. A folder is created in the bucket for each function that has Serverless Runtime Protection enabled.

Log Groups

A log group is created for the Log Sender function, which sends runtime information to the CloudGuard backend.