CloudGuard Serverless Security for AWS Lambda

Video Activity

Time
1 hour 13 minutes
Difficulty
Beginner
CEU/CPE
1
Video Transcription
>> How exactly does CloudGuard Serverless Security protect your AWS Lambda functions? I'm glad you asked. Protection happens on several levels which are combined to make up the allow list policy. This includes static code analysis, runtime behavioral profiling, and user-defined rules and exclusions. Let's break it down before we roll up our sleeves and start applying.

Upon the onboarding of CloudGuard Serverless Security, static code analysis analyzes the serverless functions' code and function configuration of the AWS account. It detects configuration risks and automatically generates least-privilege function permissions. It outlines recommended steps for remediation, including recommended least-permissive IAM privileges in JSON format; the security admin can just copy and paste this directly into the relevant IAM role policy. Whenever a change is detected in a function's code or in its function configuration, static code analysis kicks in to analyze, detect, and offer remediating actions where necessary.

Function self-protection (FSP) is a lightweight Lambda layer that sits on top of the target Lambda functions to profile their usage and ultimately block malicious attempts automatically. Once FSP is deployed, the solution enters its learning period, where it examines invocations of the protected functions. It analyzes the function's behavior to define a profile of what would be defined as normal behavior. Together with the static code analysis, an allow list is generated automatically and is stored in a dedicated S3 bucket. Enforcing the allow list can either generate alerts in case of a deviation from the allow list or, conversely, proactively and automatically block any function invocations at runtime that deviate from the allow list while reporting it to CloudGuard's backend. When an invocation of the target function occurs, it first goes through the FSP layer, is analyzed against the allow list, and only if it is approved will it pass onwards down the execution path. Otherwise, it is stopped at the FSP function.

Finally, to complete the picture of how an allow list policy defines what is and what isn't legitimate use of the protected serverless functions, users can define specific rules and exclusions to rules in order to ensure that certain behaviors aren't blocked. For instance, if the function needs to access a text file which was not mapped during static code analysis or during runtime behavioral profiling, an exclusion can be added to the policy.
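The following is an added example, not CloudGuard's code or anything from the course, that models the allow-list mechanism the transcript describes end to end: a learning period that builds a behavior profile from invocation observations, rendering the learned AWS API actions as a least-privilege IAM policy document, enforcing the profile in either alert or block mode, and honouring a user-defined exclusion for a file the function needs but that was never observed. The observation shape (the `aws_actions`, `hosts` and `files` fields), the sample invocations and the resource ARN are all constructed assumptions for illustration.

```python
"""Toy allow-list policy for a Lambda function (illustrative, not CloudGuard's implementation)."""
import json
from dataclasses import dataclass, field

# Constructed sample of what a protection layer might record per invocation during
# the learning period: AWS API actions called, outbound hosts contacted, files read.
LEARNING_SAMPLE = [
    {"aws_actions": ["s3:GetObject", "dynamodb:PutItem"], "hosts": ["api.example.com"], "files": ["/tmp/cache.db"]},
    {"aws_actions": ["s3:GetObject"], "hosts": ["api.example.com"], "files": ["/tmp/cache.db"]},
    {"aws_actions": ["dynamodb:PutItem"], "hosts": [], "files": []},
]

DIMENSIONS = ("aws_actions", "hosts", "files")


@dataclass
class AllowList:
    """Learned profile plus user-defined exclusions (behaviours allowed although never observed)."""
    aws_actions: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    files: set = field(default_factory=set)
    exclusions: dict = field(default_factory=lambda: {d: set() for d in DIMENSIONS})


def learn_profile(observations):
    """Learning period: the allow list is the union of everything observed as normal."""
    allow = AllowList()
    for obs in observations:
        for dim in DIMENSIONS:
            getattr(allow, dim).update(obs.get(dim, []))
    return allow


def least_privilege_policy(allow, resource_arns):
    """Render only the observed AWS actions as an IAM policy document (as a dict)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(allow.aws_actions), "Resource": resource_arns}],
    }


def policy_json(allow, resource_arns):
    """Same policy as JSON text, ready to paste into an IAM role policy."""
    return json.dumps(least_privilege_policy(allow, resource_arns), indent=2)


def evaluate(allow, invocation):
    """Return every (dimension, value) in the invocation not covered by the profile or an exclusion."""
    deviations = []
    for dim in DIMENSIONS:
        permitted = getattr(allow, dim) | allow.exclusions[dim]
        for value in invocation.get(dim, []):
            if value not in permitted:
                deviations.append((dim, value))
    return deviations


def enforce(allow, invocation, mode="alert"):
    """Alert mode lets the invocation proceed and reports deviations;
    block mode stops the invocation at the protection layer on any deviation."""
    deviations = evaluate(allow, invocation)
    if deviations and mode == "block":
        return {"action": "block", "deviations": deviations}
    return {"action": "allow", "deviations": deviations}


if __name__ == "__main__":
    profile = learn_profile(LEARNING_SAMPLE)
    print(policy_json(profile, ["arn:aws:s3:::example-bucket/*"]))  # constructed ARN
    # A file read that was never seen during learning: add an exclusion so it is not blocked.
    profile.exclusions["files"].add("/var/task/config.txt")
    print(enforce(profile, {"files": ["/var/task/config.txt"]}, mode="block"))
    print(enforce(profile, {"hosts": ["unknown-host.example.net"]}, mode="block"))
```

In alert mode every deviation is still returned so it can be reported, which is what makes the learning-then-alert phase useful before switching a function to block mode; the exclusion dictionary is consulted alongside the learned sets on every evaluation, so an excluded path never counts as a deviation in either mode.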