FunctionShield is a 100% free security library that equips developers with the ability to easily enforce strict security controls on AWS Lambda function runtime by addressing 3 common use cases:
1. Disable outbound internet connectivity (except for AWS resources) from the serverless runtime environment, if such connections are not required
2. Disable read/write on the /tmp/ directory, if such operations are not required
3. Disable child process execution, if such execution is not required by the function
In addition to the security protections provided, developers also gain tremendous security visibility when using FunctionShield, even if it's just set to "alert". With FunctionShield deployed in your functions, you can quickly get an idea of what your function is executing, who it is communicating with, and whether or not it is writing to disk.
There have been numerous cases in recent years where malicious actors created bogus software packages that look authentic, or infected existing open source packages with code that leaks sensitive data such as credentials or environment variables. According to a recent survey of 16,000 developers by NPM, Inc., 77% of the respondents were concerned with the security of open source software packages. Some organizations have responded to this threat by isolating their sensitive AWS Lambda functions inside a Virtual Private Cloud (VPC) and using a NAT gateway to monitor/restrict outbound traffic. However, this VPC-based solution presents its own technical challenges.
FunctionShield uses a proprietary behavioral-based runtime protection engine, which enforces the behavior that you define. FunctionShield lives in and around the serverless language runtime. All you have to do is import the library into your code. No function wrapping required. FunctionShield doesn't wrap your code, or perform any kind of monkey-patching.
Below is a sample code snippet, demonstrating how to use FunctionShield in your AWS Lambda function:
At the moment, FunctionShield is offered with Node.js and Python support for AWS Lambda.
FunctionShield logs are sent directly to your function's AWS CloudWatch log group. Here are a few sample logs, demonstrating the log format you should expect:
If you want to test FunctionShield, we have prepared two code snippets, which you can use to force triggers:
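To make the three controls, the "alert" versus "block" modes, the CloudWatch log lines and the force-trigger tests concrete in one place, here is an added Python example. It is not FunctionShield's code or API and it does not reproduce the product's runtime engine: where FunctionShield lives inside the runtime without wrapping or monkey-patching, this small policy evaluator has the caller report each action explicitly and only decides and logs. The control names (outbound_connectivity, read_write_tmp, create_child_process), the rule that hosts under .amazonaws.com count as AWS resources, the JSON log fields and the replayed trigger events are all assumptions constructed for this illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The three controls the page describes, under names this demo assumes.
CONTROLS = ("outbound_connectivity", "read_write_tmp", "create_child_process")
MODES = ("allow", "alert", "block")

# Assumption: hosts under these suffixes are treated as "AWS resources" and are
# always reachable, whatever the outbound_connectivity mode says.
AWS_HOST_SUFFIXES = (".amazonaws.com", ".amazonaws.com.cn")


class PolicyViolation(Exception):
    """Raised when a control in 'block' mode denies the action."""


def is_aws_host(host: str) -> bool:
    """Suffix match on the hostname; a look-alike such as 'evil-amazonaws.com' must not pass."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in AWS_HOST_SUFFIXES)


@dataclass
class RuntimeGuard:
    """Evaluates reported actions against a per-control policy and records log lines.

    Unlike FunctionShield, this hooks nothing in the runtime: the handler (or a
    test) calls outbound()/tmp_access()/child_process() itself.
    """
    policy: Dict[str, str]
    logs: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for control, mode in self.policy.items():
            if control not in CONTROLS or mode not in MODES:
                raise ValueError(f"invalid policy entry {control}={mode!r}")

    def _log(self, control: str, mode: str, details: dict) -> None:
        # Constructed log shape: one JSON object per line, as a Lambda function
        # would print into its CloudWatch log group. Not FunctionShield's format.
        self.logs.append(json.dumps(
            {"demo_policy": control, "mode": mode, "details": details}, sort_keys=True))

    def _check(self, control: str, details: dict) -> str:
        mode = self.policy.get(control, "allow")
        if mode == "allow":
            return "allowed"
        self._log(control, mode, details)      # both alert and block are logged
        if mode == "block":
            raise PolicyViolation(f"{control} denied: {details}")
        return "alerted"

    def outbound(self, host: str, port: int = 443) -> str:
        if is_aws_host(host):
            return "allowed"                   # AWS exemption precedes the policy
        return self._check("outbound_connectivity", {"host": host, "port": port})

    def tmp_access(self, path: str, operation: str) -> str:
        if not path.startswith("/tmp/"):
            return "allowed"                   # the control only covers /tmp/
        return self._check("read_write_tmp", {"path": path, "operation": operation})

    def child_process(self, argv: List[str]) -> str:
        return self._check("create_child_process", {"argv": argv})


def simulate(policy: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Replay constructed trigger events (what a force-trigger test would do)
    under the given policy and return (decisions, log lines)."""
    guard = RuntimeGuard(policy)
    events = [
        lambda: guard.outbound("s3.us-east-1.amazonaws.com"),   # AWS: never blocked
        lambda: guard.outbound("example.com"),                  # non-AWS egress
        lambda: guard.tmp_access("/tmp/scratch.bin", "write"),  # write under /tmp/
        lambda: guard.child_process(["/bin/sh", "-c", "uname -a"]),
    ]
    decisions = []
    for event in events:
        try:
            decisions.append(event())
        except PolicyViolation:
            decisions.append("blocked")
    return decisions, guard.logs


if __name__ == "__main__":
    for mode in ("alert", "block"):
        decisions, logs = simulate({control: mode for control in CONTROLS})
        print(mode, decisions)
        print("\n".join(logs))
```

Running the script with every control set to "alert" leaves the function's behaviour unchanged while still producing one log line per non-AWS connection, /tmp write and child process, which is the visibility the "alert" mode is meant to give; switching to "block" turns the same three events into denials while the call to the S3 endpoint still goes through. Controls missing from the policy default to "allow", so a partial policy (for example only outbound_connectivity set to "block") affects nothing else.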