arn:partition:service:region:account-id:resource
Twistlock Labs has developed compliance checks for serverless functions. Currently, only AWS Lambda is supported.
In AWS Lambda, every function has an execution role. Execution roles are identities with permission policies that control what functions can and cannot do in AWS. When you create a function, you specify an execution role. When the function is invoked, it assumes this role.
When Twistlock scans the functions in your environment, it inspects the execution role for overly permissive access to AWS services and resources. Two fields are inspected: resource and action.
Specifies the objects to which the permission policy applies. Resources are specified with ARNs. ARNs let you unambiguously specify a resource across all of AWS. ARNs have the following format:
arn:partition:service:region:account-id:resource
Where:
service
— Identifies the AWS product, such as Amazon S3, IAM, or CloudWatch Logs.
resource
— Identies the objects in the service.
It often includes the resource type, followed by the resource name itself.
For example, the following ARN uniquely identifies the user Francis in the IAM service:
arn:aws:iam::586975633310:user/Francis
Describes the tasks that can be performed on the service. For example, ec2:StartInstances, iam:ChangePassword, and s3:GetObject. Wildcards can be used to grant access to all the actions of a given AWS service. For example, s3:* applies to all S3 actions.
The following permission policy is tightly scoped. It grants read-write only access to the Books table. Twistlock would not flag an execution role with this type of permissions policy.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:125643784111:table/Books"
}
}
The following permissions policy has been implemented carelessly. It allows all DyanmoDB operations on all tables owned by the AWS account in the current region, including dynamodb:DeleteTable, which has serious implications for the integrity and availability of your data. This type of configuration would raise compliance check 437 because the execution role permits all DyanmoDB operations, and it’s unlikely a function actually needs this range of capabilities.
{
"Version": "2012-10-17",
"Statement": {
"Sid": "AllAPIActionsOnBooks",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "*"
}
}
The following checks are supported:
Detects when functions contain environments vars, such as MYSQL_PASSWORD, that expose sensitive information.
Detects private keys in functions.
Detects functions that have permission to run all actions on all services and their resources.
Detects functions that have permission to run all actions on one or more services.
Detects functions that granted access to all resources in one or more services.
Detects functions that have permission to run actions that are used in exploits and attacks. Includes things like cloudtrail:StopLogging, cloudtrail:UpdateTrail that allow disabling and changing the output of CloudTrail logging.
Configure Twistlock to periodically scan your serverless functions. Function scanning is handled by Defender. Console dynamically selects an available Defender to execute the scan job.
Open Console.
Go to Defend > Vulnerabilities > Functions.
Click Add serverless account.
In the dialog, enter the following settings:
In Provider, select AWS Lambda.
Specify a Region.
Specify a function name.
Wildcards are supported. See the table at the top of the page for the supported syntax and examples.
Select or create credentials so that Twistlock can access your account.
Specify either an AWS IAM user credential (access key ID and secret access key) or IAM role.
Specify a cap for the number of functions to scan.
Twistlock scans the X most recent functions, where X is the cap value.
Click Add.
Click the yellow save button.
To view the scan report, go to Monitor > Compliance > Functions.