AWS Resources and Permissions for Serverless Runtime Protection
When Serverless Protection is applied to the Lambda functions in your AWS account, some resources are created in the AWS account and CloudGuard is granted permissions to access those resources. This is in addition to the information accessed by, and the permissions granted to, CloudGuard when the account is onboarded.
Serverless protection is enabled for a specific user's AWS account by launching a CFT (CloudFormation Template) stack, which is downloaded from CloudGuard to the user's AWS account. This stack creates resources and permissions that CloudGuard uses.
In addition, if Serverless Runtime Protection is enabled for specific functions in an account, a Serverless Runtime Protection Lambda Layer is deployed for each function.
CloudFormation Template
Each data center has its own CloudFormation Template in YAML syntax, which you can download from the designated data center location:

Data Center | Region | CloudFormation Template Link
---|---|---
United States | us-east-1 | https://magnatar-protego.s3.amazonaws.com/magnatar-unified-cross-account-template.yaml
Ireland | eu-west-1 | https://723885542676-protego.s3.amazonaws.com/723885542676-unified-cross-account-template.yaml
India | ap-south-1 | https://guru-protego.s3.amazonaws.com/guru-unified-cross-account-template.yaml
Australia | ap-southeast-2 | https://neptune-protego.s3.amazonaws.com/neptune-unified-cross-account-template.yaml
Canada | ca-central-1 | https://polaris-protego.s3.ca-central-1.amazonaws.com/polaris-unified-cross-account-template.yaml
Deployed Resources
This section describes the resources that CloudGuard deploys when you enable serverless protection for an AWS account and when you apply Serverless Runtime Protection for specific functions.
CFT Stack Resources
CloudGuard applies protection to serverless functions with a CFT stack. CloudGuard deploys this stack, which runs in your AWS account.
This stack creates resources in your account, and CloudGuard uses these resources when it scans functions for issues and monitors function runtime activity.
Functions
- Code scanning functions - These are deployed for each supported runtime environment.

IAM roles and policies
- Cross-account role - Allows CloudGuard to access a user's AWS account and read information about functions. The specific permissions are listed in the table below.
IAM Permission | Use
---|---
cloudwatch:GetMetricData | Collect statistical information such as number of invocations, their durations, and errors
cloudwatch:GetMetricStatistics | Collect statistical information such as number of invocations, their durations, and errors
lambda:ListVersionsByFunction | Explore functions in the account and get data about functions
lambda:ListAliases | Explore functions in the account and get data about functions
lambda:ListFunctions | Explore functions in the account and get data about functions
lambda:ListTags | Get the function's tags
lambda:GetLayerVersion | Function code analysis: scan any layer used by the function
lambda:ListEventSourceMappings | Continuous Scanning and Analysis
lambda:GetFunction | Get information about the function
lambda:GetFunctionConfiguration | Get the configuration of the serverless function, in order to update the function code
lambda:GetPolicy | Get the function policy
lambda:GetFunctionUrlConfig | Continuous Scanning and Analysis
iam:ListRolePolicies | Describe the set of permissions configured for the function, used to provide security insights
iam:ListAttachedRolePolicies | Continuous Scanning and Analysis
iam:GetRolePolicy | Continuous Scanning and Analysis
iam:GetPolicyVersion | Continuous Scanning and Analysis
iam:GetPolicy | Get information about the policies
iam:GetRole | Continuous Scanning and Analysis
iam:SimulatePrincipalPolicy | Check that the account has the required permissions
events:ListRuleNamesByTarget | -
sns:ListSubscriptionsByTopic | -
ec2:DescribeRegions | Get all enabled customer regions
s3:GetBucketNotification | Serverless Function Runtime
s3:GetBucketLocation | Serverless Function Runtime
s3:GetBucketAcl | Serverless Function Runtime
s3:GetBucketPolicy | Serverless Function Runtime
- Execution role - For code scanning functions.
- Execution role - For the Serverless Runtime Protection Log Sender function, used for Serverless Runtime Protection.
- LogSenderRole - CloudGuard resource

IAM Permission | Use
---|---
sqs:GetQueueUrl | Serverless Function Runtime
sqs:SendMessage | Serverless Function Runtime

- FSPInjectorRole - CloudGuard resource

IAM Permission | Use
---|---
lambda:ListLayerVersions | Serverless Function Runtime Instrumentation
lambda:ListLayers | Serverless Function Runtime Instrumentation
lambda:UpdateFunctionCode | Serverless Function Runtime Instrumentation
lambda:UpdateFunctionConfiguration | Serverless Function Runtime Instrumentation
logs:GetQueryResults | Serverless Function Runtime Instrumentation
logs:StartQuery | Serverless Function Runtime Instrumentation

- CodeAnalysisRole - CloudGuard resource

IAM Permission | Use
---|---
lambda:ListLayerVersions | Continuous Scanning and Analysis, Serverless Function Runtime Server
lambda:ListLayers | Continuous Scanning and Analysis
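To check that a deployed cross-account role has not drifted from the permission list in the table above, here is an added example (not CloudGuard's code) that audits an IAM policy document against that list, reporting documented actions that are not granted, explicit grants outside the list, and wildcard grants that widen it. The policy it parses is a constructed sample; the comparison is exact-case, whereas IAM itself matches action names case-insensitively.

```python
import fnmatch, json

# Actions documented for the cross-account role (the table above).
EXPECTED_ACTIONS = {
    "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
    "lambda:ListVersionsByFunction", "lambda:ListAliases", "lambda:ListFunctions",
    "lambda:ListTags", "lambda:GetLayerVersion", "lambda:ListEventSourceMappings",
    "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:GetPolicy",
    "lambda:GetFunctionUrlConfig", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:GetRolePolicy", "iam:GetPolicyVersion", "iam:GetPolicy", "iam:GetRole",
    "iam:SimulatePrincipalPolicy", "events:ListRuleNamesByTarget",
    "sns:ListSubscriptionsByTopic", "ec2:DescribeRegions", "s3:GetBucketNotification",
    "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy",
}


def allowed_actions(policy):
    """Yield every action in Allow statements; Statement and Action may be str or list."""
    stmts = policy.get("Statement", [])
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        yield from ([actions] if isinstance(actions, str) else actions)


def audit_policy(policy, expected=EXPECTED_ACTIONS):
    """Return (missing, extra, wildcards): documented actions the policy does not
    grant, explicit grants outside the documented list, and wildcard patterns
    such as lambda:Get*, which grant more than the table lists.
    Note: IAM matches action names case-insensitively; this check is exact-case."""
    granted = set(allowed_actions(policy))
    wildcards = {a for a in granted if "*" in a}
    explicit = granted - wildcards
    covered = lambda a: a in explicit or any(fnmatch.fnmatchcase(a, w) for w in wildcards)
    missing = {a for a in expected if not covered(a)}
    return sorted(missing), sorted(explicit - expected), sorted(wildcards)


# Constructed sample: a drifted policy, not CloudGuard's real template.
SAMPLE_POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudwatch:GetMetricData", "lambda:Get*", "lambda:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    missing, extra, wildcards = audit_policy(SAMPLE_POLICY)
    print(f"missing={missing}\nextra={extra}\nwildcards={wildcards}")
```

In a real audit the policy document would come from iam:GetRolePolicy or iam:GetPolicyVersion for the deployed role; any entry in `extra` or `wildcards` is a deviation from the documented grant and worth a look.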
Log Groups
- Log groups - One for each code scanning Lambda function, used to forward results to the CloudGuard backend.

S3 Bucket
- S3 bucket - Used to store the Serverless Runtime Protection policy for each function and connect it with the Serverless Runtime Protection layer, for runtime protection monitoring.

Lambda Layer
CloudGuard deploys a Serverless Runtime Protection Lambda layer for each function that has this protection enabled.
Scanning Resources
CloudGuard uses these resources in the user's AWS account when it scans serverless functions.
Resource | Description
---|---
Functions | A code analysis function is deployed for each supported runtime (Python, Java, C#, Node.js)
Log Groups | A log group is created for each code scanning function
CodeAnalysis Execution role | Used by the code scanning functions; these roles have Allow permissions for these actions: logs:CreateLogStream, logs:PutLogEvents, lambda:GetFunction, lambda:ListLayers, lambda:GetLayerVersion, lambda:ListLayerVersions
Serverless Runtime Protection Resources
CloudGuard uses these resources in your AWS account to monitor the runtime activity of serverless functions (if runtime protection is enabled for the function).
Resource | Description
---|---
Lambda Layer | For each function in an AWS account for which Serverless Runtime Protection is enabled, CloudGuard deploys a Layer. This layer monitors function activities and enforces the runtime policy.
Functions | Serverless Runtime Protection Log Sender - This function is deployed on demand from CloudGuard in a specific region of the user's AWS account. It is not deployed by the CFT stack.
IAM Roles | An IAM role is used by the Serverless Runtime Protection Log Sender function to send log group data to the CloudGuard backend; these roles have Allow permissions for these actions: lambda:CreateFunction, lambda:DeleteFunction, lambda:AddPermission, logs:CreateLogGroup, logs:PutRetentionPolicy, logs:DeleteLogGroup, logs:CreateLogStream, logs:PutLogEvents
S3 Buckets | An S3 bucket is created by the CFT stack for each account. A folder is created in the bucket for each function that has Serverless Runtime Protection enabled.
Log Groups | A log group is created for the Log Sender function, which sends runtime information to the CloudGuard backend.