Today we are releasing a free serverless security protection library for AWS Lambda functions, which enables developers to harden the behavior of serverless runtimes and immunize functions against unwanted and potentially malicious behavior.
We named the library “FunctionShield” and it can be easily installed as a code dependency. FunctionShield provides developers with the ability to define simple yet extremely powerful protections in code.
Why Should You Care?
There have been numerous cases in recent years where malicious actors created bogus packages that look authentic, or infected existing open source packages with code that leaks sensitive data such as credentials or environment variables. According to a recent survey of 16,000 developers by npm, Inc., 77% of respondents were concerned about the security of open source software packages. Some organizations have responded to this threat by isolating their sensitive AWS Lambda functions inside a Virtual Private Cloud (VPC) and routing outbound traffic through a NAT gateway so it can be monitored or restricted. However, this VPC-based approach brings its own technical challenges, among them longer cold starts and the elastic network interfaces the functions consume.
When we discuss serverless security with developers and architects, we constantly hear about the need to regain some security control over the runtime environment. We distilled the three most common requests we heard into this free protection library, in the hope that it will help enhance trust and confidence in serverless, which we believe is the future of cloud computing.
“FunctionShield” equips developers with the ability to easily define strict security controls on serverless functions by addressing three common use cases:
- Disable outbound internet connections from the AWS Lambda runtime environment (traffic to AWS resources is automatically allowed). This prevents a shady or untrusted third-party library from sending your data to an arbitrary external host. Because AWS endpoints stay reachable, it does not by itself stop a dependency from calling AWS APIs with the function's own IAM role, so keep that role's permissions to the minimum the function needs.
- Disable read/write disk operations on the /tmp/ directory, making the function truly ephemeral. /tmp survives across warm invocations of the same execution environment, so data written there by one invocation can be read by the next; blocking it avoids that kind of data exposure between executions.
- Disable child process execution. This prevents an untrusted third-party library from spawning child processes, such as a shell, and performing unauthorized actions.
How Does It Work?
FunctionShield uses a proprietary behavior-based runtime protection engine, which enforces the behavior you define. It lives in and around the serverless language runtime: all you have to do is import the library into your code and declare the policy. It does not wrap your handler and does not monkey-patch anything. Here's a sample snippet showing how to use FunctionShield inside your function:
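To make the three policies concrete, here is an added example, not FunctionShield's own snippet or API: a plain-Python toy that applies the same three controls to a Lambda-style handler. The policy names (`outbound_connectivity`, `read_write_tmp`, `create_child_process`), the `block`/`alert` modes, the event strings and the rule that "AWS resources" means hosts under `amazonaws.com` are all assumptions made for this example. Unlike FunctionShield, which per the post does not monkey-patch, the toy works by wrapping `socket.socket.connect`, `builtins.open` and `subprocess.Popen`, so it illustrates what the policies mean rather than the product's mechanism. The target address 203.0.113.10 is a constructed TEST-NET value.

```python
import builtins
import contextlib
import os
import socket
import subprocess

# Assumption (not in the post): an "AWS resource" is any host under amazonaws.com.
AWS_HOST_SUFFIXES = (".amazonaws.com",)
TMP_DIR = "/tmp"


class PolicyViolation(PermissionError):
    """Raised when an action the policy marks as "block" is attempted."""


class Policy:
    """The three controls; a mode is "block" (record and raise) or "alert" (record only)."""

    def __init__(self, outbound_connectivity="block", read_write_tmp="block",
                 create_child_process="block"):
        self.outbound_connectivity = outbound_connectivity
        self.read_write_tmp = read_write_tmp
        self.create_child_process = create_child_process
        self.events = []  # what a real engine would ship to CloudWatch

    def allows_connection(self, host):
        return any(host.endswith(suffix) for suffix in AWS_HOST_SUFFIXES)

    def allows_path(self, path):
        if isinstance(path, int):  # an already-open descriptor: nothing to decide
            return True
        p = os.path.abspath(os.fsdecode(path))
        return not (p == TMP_DIR or p.startswith(TMP_DIR + os.sep))

    def _enforce(self, mode, event):
        self.events.append(event)
        if mode == "block":
            raise PolicyViolation(event)


@contextlib.contextmanager
def enforced(policy):
    """Apply the policy inside the block by wrapping the Python-level entry points.
    Toy coverage only: os.system(), io.open() and C extensions are not intercepted."""
    orig_connect, orig_open, orig_popen = socket.socket.connect, builtins.open, subprocess.Popen

    def guarded_connect(sock, address):
        host = address[0] if isinstance(address, tuple) else str(address)
        if not policy.allows_connection(host):
            policy._enforce(policy.outbound_connectivity, f"outbound_connectivity {host}")
        return orig_connect(sock, address)

    def guarded_open(file, *args, **kwargs):
        if not policy.allows_path(file):
            policy._enforce(policy.read_write_tmp, f"read_write_tmp {os.fsdecode(file)}")
        return orig_open(file, *args, **kwargs)

    class GuardedPopen(orig_popen):
        def __init__(self, args, *a, **kw):
            policy._enforce(policy.create_child_process, f"create_child_process {args}")
            super().__init__(args, *a, **kw)

    socket.socket.connect, builtins.open, subprocess.Popen = guarded_connect, guarded_open, GuardedPopen
    try:
        yield policy
    finally:
        socket.socket.connect, builtins.open, subprocess.Popen = orig_connect, orig_open, orig_popen


def _connect(host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(0.2)  # if the policy lets it through, fail fast instead of hanging
        s.connect((host, port))


def attempt_actions():
    """Mimic a leaky dependency's moves and report, per action, whether the policy let it through."""
    attempts = {
        "outbound": lambda: _connect("203.0.113.10", 443),  # constructed TEST-NET-3 address
        "tmp_write": lambda: open(os.path.join(TMP_DIR, "leak.txt"), "w").close(),
        "child_process": lambda: subprocess.run(["id"], capture_output=True),
    }
    outcome = {}
    for name, action in attempts.items():
        try:
            action()
            outcome[name] = "allowed"
        except PolicyViolation:
            outcome[name] = "blocked"
        except OSError:
            outcome[name] = "allowed"  # policy passed it; the OS then refused (no route, etc.)
    return outcome


def handler(event, context):
    """Lambda-style entry point under the strict default policy; events are the log material."""
    with enforced(Policy()) as policy:
        outcome = attempt_actions()
    return {"outcome": outcome, "events": policy.events}
```

Under the default policy `handler` reports all three actions as blocked and returns three event strings, the kind of record the post says the real library sends to CloudWatch. Switching one control to `alert` lets that action run while still recording it, which is a sensible first deployment mode: run the function in alert mode until the log shows no legitimate activity being flagged, then switch to block.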
FunctionShield can be downloaded for free by anyone from the following page: https://www.puresec.io/function-shield
In addition to hardening functions, the library also sends real-time, in-depth security forensic information from inside the serverless runtime straight to AWS CloudWatch Logs. Here are some sample log snippets: