Serverless Functions
To see your serverless functions, you must onboard the environment that contains these functions to CloudGuard. See Onboarding AWS Environments to onboard your environment.
When you enable Serverless Protection on your cloud environments, you can see all the functions that exist in these environments and their protection status on Workload Protection > Serverless > Serverless Functions.
Use the Filter and Search toolbar to narrow the list by protection status: functions with Runtime Protection enabled (Protected) or disabled, functions with Auto Protect (Detect) enabled, or functions whose Protection Mode is set to Detect or Prevent.
The Serverless Functions page shows the protection status of each function in these columns:
- Runtime - Runtime language or framework.
- Runtime Protection - Shows Protected when Serverless Protection is enabled and the Cross Account Stack is updated.
- Auto Protect - Shows Auto Protect when it is enabled.
- Protection Mode - Shows the Detect or Prevent (Block on detect) protection mode.
- Learning - Shows the progress of the profile learning used to build the Allowlist.
- FSP Version - Shows the FSP version currently installed on the function.
Click the function name to see more details about its status, permissions, and posture findings.
Feature Status
The General tab of the onboarded serverless function shows its feature status. To learn more about each feature, read its tooltip information.
| Feature Card Name | Feature | Status |
|---|---|---|
| Configuration Scanning | Posture Management is enabled after account onboarding to CloudGuard. The Compliance engine scans the serverless function configuration. | |
| Vulnerability Scanning | Serverless Protection (Proact) scans serverless functions for known vulnerabilities and embedded secrets. | |
| IAM Hardening | Serverless Protection (Proact) does Deep Code Flow Analysis for application hardening and least privilege access. | |
| Workload Firewall | FSP (Runtime Protection) validates workload runtime input. | |
| Behavioral Prevention | Behavioral Intrusion Prevention (Runtime Protection) learns the specific workload behavior profile to detect and prevent anomalous behavior. | |
Actions
To enable Runtime Protection for a single function:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select the function from the list (you can filter the list to narrow your search) and select the General tab.
- Set Auto Protect to ON. CloudGuard starts to profile the function to build an Allowlist of normative activity. The profiling results are shown in the Runtime Protection tab.
- The General tab also shows the version of the FSP (Function Self Protection) that runs on the function. If an arrow appears in the upper-left corner of the version, a newer FSP version is available: click the arrow and follow the instructions to upgrade. To switch to a different version, click the menu button and select one of the available versions.
You can enable Runtime Protection for several or all of the listed serverless functions at once:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select one or more filtering criteria.
- Click the Select All Visible check box in the table header to select all the shown functions.
- On the toolbar, click Auto Protect. The Modify Auto Protect Mode window opens.
- Select to Enable the Auto Protect mode.
- Select the latest or another version of the FSP.
- Click Apply.
CloudGuard applies protection to all selected serverless functions.
You can enable Runtime Protection at the Account level. This applies protection to all existing serverless functions in the account, as well as to functions created in the account in the future.
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select one or more filtering criteria.
- Click the Select All Visible check box in the table header to select all the shown functions.
- On the toolbar, click Auto Protect. The Modify Auto Protect Mode window opens.
- Select to Enable the Auto Protect mode.
- Select the latest or another version of the FSP.
- Click Apply.
CloudGuard applies protection to all selected serverless functions.
When Runtime Protection is enabled, CloudGuard creates a runtime alert when the behavior of a function deviates from the allowlist learned during profiling, or when input is received from known malicious sites.
In addition, you can configure CloudGuard to block the action (for example, an attempt to access a file that is not on the allowlist) or to block the input.
To block actions for a single function:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select the function from the list (you can filter the list to narrow your search) and then select the General tab.
- Set Block on detect to ON.
- In the Defense Mode window, click Enable Blocking.
To block actions for all functions:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select one or more filtering criteria.
- On the table header, click the Select All Visible check box.
- On the toolbar, click Protection Mode. The Modify Detect Mode window opens.
- Select Prevent and detect to block the actions.
- Click Apply.
You can manually exclude specific criteria so that matching activity of a function is not blocked (or does not generate an event, if the function is not configured to block on detection). This lets you adjust the criteria that Serverless Runtime Protection uses to monitor the runtime activities of the function. Exclusions remain in effect until you change or remove them, and apply each time the function is invoked.
To create an exclusion:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select the function from the list (you can filter the list to narrow your search).
- Select the Rules & Exclusions tab.
- Expand the Exclusions section and click Create New Exclusion.
- Enter a Name for the exclusion (as it shows in the list of exclusions in this tab).
- Select a Target. The Target is the type of activity that is excluded from monitoring, such as a network host, a process, a file, or an input. Select one target for the exclusion from the list:
  - Network
  - Process
  - File
  - Input
  To exclude more than one target, create a separate exclusion for each target.
- Enter the Pattern for the exclusion. The pattern is a text string or a list of strings, each on a separate line. Actions that match the pattern are added to the function allowlist and are excluded from event notifications and from blocking. The pattern format corresponds to the target type. For example, for the Network target, the pattern is one or more IP addresses.
  Note - The File pattern match differs from the Host or Process pattern match. To match *.txt files in /tmp and all its subdirectories, use the pattern /tmp/**/*.txt. To match *.txt files only in /tmp/logs, without its subdirectories, use the pattern /tmp/logs/*.txt. For more examples, see: https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Using-Wildcards-in-Paths
- Select the Scope for the exclusion. This indicates whether the exclusion applies to a specific function, a group of functions, or all functions in the environment (account).
  Note - The label Apply only on protected functions (functions with FSP) next to the scope means that the exclusion takes effect only on functions that have Runtime Protection enabled, that is, functions whose Auto Protect is set to ON.
- Click Create.
You can manually add specific criteria to block the activity of a function (or to generate an alert, if the function is not configured to block on detection). This lets you adjust the criteria that Serverless Runtime Protection uses to monitor the runtime activities of the function. Rules remain in effect until you change or remove them, and apply each time the function is invoked.
To create a rule:
- Navigate to Workload Protection > Serverless > Serverless Functions.
- Select the function from the list (you can filter the list to narrow your search).
- Select the Rules & Exclusions tab.
- Expand the Rules section and then click Create New Rule.
- Enter a Name for the rule (as it shows in the list of rules in this tab).
- Select a Target. The Target is the type of activity, such as a network host, a process, a file, or an input. Select one target for the rule. To cover more than one target, create a separate rule for each target.
- Enter the Pattern for the rule. The pattern is a text string or a list of strings, each on a separate line. Actions that match the pattern are removed from the function allowlist and generate an event notification, or are blocked. The pattern format corresponds to the target type. For example, for the Network target, the pattern is one or more IP addresses.
  Note - The File pattern match differs from the Host or Process pattern match. To match *.txt files in /tmp and all its subdirectories, use the pattern /tmp/**/*.txt. To match *.txt files only in /tmp/logs, without its subdirectories, use the pattern /tmp/logs/*.txt. For more examples, see: https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Using-Wildcards-in-Paths
- Select the Scope for the rule. This indicates whether the rule applies to a specific function, a group of functions, or all functions in the account.
  Note - The label Apply only on protected functions (functions with FSP) next to the scope means that the rule takes effect only on functions that have Runtime Protection enabled, that is, functions whose Auto Protect is set to ON.
- Click Create.
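The following is an added example, not CloudGuard code, that models how the pieces described above fit together: a profiling phase that builds the allowlist, exclusions that add matching activity back to the allowlist, rules that pull matching activity out of it, and the Detect (alert) versus Prevent (block) verdict. It also implements the two File pattern examples from the notes above (/tmp/**/*.txt versus /tmp/logs/*.txt) so you can see which paths each one matches. Everything beyond those two patterns is an assumption: the glob semantics ("**/" spans directories, "*" stays within one path component), the exact-string comparison for non-File targets, the rule-before-exclusion precedence, and the Event and FunctionPolicy shapes. All sample paths, hosts and processes are constructed.

```python
"""Illustrative model of a serverless runtime allowlist with exclusions,
rules and Detect/Prevent modes. Added example; not CloudGuard's code."""
import re
from dataclasses import dataclass, field

TARGETS = ("Network", "Process", "File", "Input")


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a path glob into an anchored regex.

    Assumed semantics, chosen to reproduce the two examples in the text:
      '**/' matches zero or more directory components,
      '*'   matches within one component and never crosses '/'.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")        # any depth, including none
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")              # trailing '**' matches the rest
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")           # single path component only
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def path_matches(pattern: str, path: str) -> bool:
    return glob_to_regex(pattern).match(path) is not None


def pattern_matches(target: str, pattern: str, value: str) -> bool:
    """File targets use glob matching; other targets use an exact string
    comparison here (assumption: the page only says the match differs)."""
    if target == "File":
        return path_matches(pattern, value)
    return pattern == value


@dataclass
class Event:
    target: str  # one of TARGETS
    value: str   # file path, process name, host/IP or input string


@dataclass
class FunctionPolicy:
    # Allowlist learned during profiling, keyed by target type.
    allowlist: dict = field(default_factory=lambda: {t: set() for t in TARGETS})
    exclusions: list = field(default_factory=list)  # [(target, pattern), ...]
    rules: list = field(default_factory=list)       # [(target, pattern), ...]
    block_on_detect: bool = False                   # True = Prevent mode

    def learn(self, events):
        """Profiling phase: observed activity becomes the allowlist."""
        for ev in events:
            self.allowlist[ev.target].add(ev.value)

    def evaluate(self, ev: Event) -> str:
        """Return 'allow', 'alert' or 'block' for one runtime event."""
        verdict = "block" if self.block_on_detect else "alert"
        # Assumption: rules are checked first, so a rule overrides both the
        # learned allowlist and any exclusion for the same activity.
        if any(t == ev.target and pattern_matches(t, p, ev.value)
               for t, p in self.rules):
            return verdict
        if any(t == ev.target and pattern_matches(t, p, ev.value)
               for t, p in self.exclusions):
            return "allow"
        if ev.value in self.allowlist[ev.target]:
            return "allow"
        return verdict                     # deviation from the allowlist


def run_demo(block_on_detect: bool) -> dict:
    """Constructed scenario: profile a function, add one exclusion and one
    rule, then evaluate events the profile did not see."""
    policy = FunctionPolicy(block_on_detect=block_on_detect)
    policy.learn([                         # constructed profiling traffic
        Event("File", "/tmp/logs/app.log"),
        Event("Process", "/usr/bin/python3"),
        Event("Network", "api.example.internal"),
    ])
    policy.exclusions.append(("File", "/tmp/**/*.txt"))  # any depth under /tmp
    policy.rules.append(("Process", "/bin/sh"))          # always flag a shell
    probes = {
        "learned_file": Event("File", "/tmp/logs/app.log"),
        "excluded_nested_txt": Event("File", "/tmp/cache/a/b/notes.txt"),
        "unlearned_file": Event("File", "/etc/passwd"),
        "rule_hit_shell": Event("Process", "/bin/sh"),
        "unknown_host": Event("Network", "203.0.113.7"),
    }
    return {name: policy.evaluate(ev) for name, ev in probes.items()}


if __name__ == "__main__":
    for prevent in (False, True):
        print("Prevent" if prevent else "Detect", run_demo(prevent))
```

Running the block prints the verdicts for the same five events in Detect mode (alerts only) and Prevent mode (blocks): the learned file and the nested .txt under /tmp are allowed in both modes, while the unlearned file, the shell spawn matched by the rule, and the unknown host are alerted in Detect mode and blocked in Prevent mode.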