Serverless Risk Assessment
CloudGuard Proact Serverless protection evaluates the risk in serverless functions in your AWS environments. CloudGuard scans and analyzes your functions and their dependent libraries for vulnerabilities, unnecessary IAM permissions, and sensitive information such as passwords and keys. It then calculates a Posture score based on the number, nature, and severity of the vulnerabilities found, and generates an alert for each vulnerability that shows the specific issue and, in many cases, the actions necessary to remedy it.
To activate Proact Serverless risk assessment, your AWS environment must be onboarded to CloudGuard (see Unified Onboarding of AWS Environments). Enable Serverless protection (see Enabling Serverless Protection) if you skipped this step during the onboarding procedure.
Benefits
- Identify overly permissive IAM roles used by serverless functions
- Identify 3rd-party libraries with known vulnerabilities
- Identify hard-coded credentials, secrets, and other sensitive information in serverless code
- Identify functions that are not used
Continuous Scanning and Analysis
CloudGuard Proact scans the functions in your cloud accounts when they are onboarded to CloudGuard. In addition, CloudGuard rescans functions when they are changed to provide a continuous and up-to-date risk assessment.
Posture Explorer
The Posture Explorer is a graphical view of the security posture of a serverless function, based on an analysis of the function.
Legend:
Item | Description
---|---
1 | The serverless function
2 | The cloud service types that can trigger the function
3 | The service types that the function has permission to access
Scan in CI/CD
In addition, you can scan your functions in the CI/CD pipeline, before they are deployed to your cloud account, with the Serverless CI/CD Plugin. This runs as part of your CI/CD toolchain, scans for the same risks, and presents the results in the CI/CD tool. In addition, you can configure it to block the deployment of builds containing specific risks.
Finding Types
The table below lists the scan-finding types.
Finding type | Description
---|---
Permissive Role | This Lambda function uses a role with permissions that the function does not require. Unnecessary permissions increase the function's attack surface, which attackers can leverage to find sensitive data and possibly take over all resources.
Vulnerable Dependency | This Lambda function uses a library that has known vulnerabilities.
Credentials Usage | This Lambda function has credentials hard-coded in the function code or in its environment variables. Hard-coded credentials can leak, and attackers can use them to find sensitive data and take over all resources.
Unused Resource | This resource has not been in use for a while. Keeping unused resources in your account increases the attack surface of your account.
Versions | This Lambda function has more versions than the maximum additional version limit. Some of them may not be in use.
Excessive Timeout | This function has a larger timeout configured than it needs. If the function has a vulnerability, attackers can leverage its long execution time to cause more damage.
Obsolete Runtime | This Lambda function uses an obsolete runtime version. AWS support for this runtime has ended, so security patches and other updates are no longer applied to it. Lambda does not block invocations of functions that use deprecated runtime versions; invocations continue indefinitely after the runtime version reaches the end of support. Check Point nevertheless strongly recommends that you migrate such functions to a supported runtime version.
Actions
With serverless protection enabled:
- CloudGuard continuously scans your serverless functions for vulnerabilities and risks - Serverless Risk Assessment
- You can apply runtime protection to your functions when they are invoked - AWS Serverless Function Runtime Protection
Your AWS account must already be onboarded to CloudGuard. See Unified Onboarding of AWS Environments for details on how to do this.
To enable CloudGuard protection on your serverless functions, you must grant CloudGuard permission to access these assets in your accounts. These permissions are in addition to those granted to CloudGuard in the account onboarding procedure. In the procedure described below, you use an AWS CloudFormation (CFT) stack, which you run in your account. To learn more about the CFT resources deployed in your account, see AWS Resources and Permissions for Serverless Runtime Protection.
To enable Serverless Protection:
- Navigate to Assets > Environments.
- Click Enable Serverless protection for an AWS account from the list.
- Follow the instructions on the wizard page that opens. Click Create Cross-Account Role.
  The prompt suggests you sign in to your AWS account and then redirects you to the CloudFormation page. You can see a CFT stack that grants CloudGuard a cross-account role in your AWS account.
- In the AWS console, select the option I acknowledge that AWS CloudFormation might create IAM resources with custom names.
- Click Create stack.
  CloudFormation starts to create the stack.
- In the AWS console, click the Template tab to view details of the permissions that CloudGuard obtains when the stack is created. After you create the stack, more permissions are granted to CloudGuard, and CloudGuard completes the procedure of enabling protection.
When complete, the serverless functions appear in the CloudGuard portal in the protected assets list of the environment, on the Protected Assets page, as well as on the Workload Protection > Serverless Functions page.
You can see the Posture score for your functions and view findings generated by risks discovered in your functions.
To see scan results:
- Navigate to Workload Protection > Serverless Functions. This page shows all the functions in your environments with serverless protection enabled. You can filter the list to show specific functions.
- Select the function from the list. Select the General tab. You can see the details for this function. A Posture score shows the results of the scan.
- Select the Posture Findings tab to see the findings generated from the scan with the Serverless source. The findings table is the same as the All Events table filtered for the specific Lambda function.