Serverless Defenders protect your serverless functions at runtime. Currently, Twistlock supports AWS Lambda functions.
Serverless Defenders monitor your functions to ensure they execute as designed. Per-function policies let you define:
Process whitelists. Enables verification of launched subprocesses against policy.
Outgoing network connections whitelists. Enables verification of domain name resolution against policy for outgoing network connections.
To secure an AWS Lambda function, embed the Twistlock Serverless Defender into it. The steps are:
Download a ZIP file that contains your function source code and dependencies.
Define your policy.
Embed the Serverless Defender into the function’s ZIP archive.
Upload the updated ZIP file to AWS.
Define a policy in Twistlock Console before embedding the Serverless Defender into your function. The embed process retrieves the relevant policy from Console and adds it to the function’s ZIP file, where Serverless Defender can read it and enforce it. By default, there are no rules in the serverless runtime policy, so be sure to create at least one rule.
By default, new rules apply to all functions (*), but you can target them to specific functions using pattern matching.
Log into Twistlock Console.
Go to Defend > Runtime > Serverless Policy.
Click Add rule.
Specify the rule parameters.
Target the policy to specific functions.
Click Save.
You can embed the Serverless Defender into your function from the Console UI. Use this method when you are testing Serverless Defender or you have just a handful of functions. If you have a lot of functions, use twistcli to automate the embed process.
Export your function from AWS as a ZIP file.
From Lambda’s code editor, click Actions > Export function.
Click Download deployment package. Your function is downloaded to your host as a ZIP file.
Open Twistlock Console.
Go to Manage > Defenders > Deploy.
Embed Serverless Defender into your function.
Choose the DNS name or IP address Serverless Defender uses to connect to Console.
In Choose Defender type, select Serverless.
For Deployment type, select Embedded.
Enter a Function name, such as lambda_function.lambda_handler.
You should have already created a runtime rule under Defend > Runtime > Serverless Policy with a matching function name. Otherwise, Serverless Defender won’t have any policy to enforce.
Select a Runtime. Both Python 3.6 and Node.js 8.10 are supported.
Upload a ZIP bundle of your function.
Click Create Embedded ZIP. Serverless Defender is embedded in your function, and it is downloaded to your host.
Upload the new ZIP file to AWS.
In Designer, select your function so that you can view the function code.
Under Code entry type, select Upload a .ZIP file.
Specify a runtime and the handler.
Validate that Runtime is either Python 3.6 or Node.js 8.10, and that Handler points to the function’s entry point.
Click Upload.
Click Save.
This method for embedding the Serverless Defender was designed to integrate seamlessly into the CI/CD pipeline. There is a clean separation between the code developers produce and the functions we protect. Developers don’t need to change their code to accommodate Twistlock. They don’t need to load any special libraries, add any files, or change any manifests. When the code is ready to be deployed to test or production, run twistcli to automatically embed Serverless Defender into the function, then leverage AWS tools to tag, version, and upgrade your functions.
Your pipeline will probably call twistcli twice: once to scan the image for vulnerabilities, and then later in the pipeline to embed Serverless Defender. Be sure to use a naming scheme that clearly delineates protected and unprotected functions.
Save the example code to your local machine as main.py.
Zip the code. The following command creates a ZIP file named lambda.zip.
$ zip lambda main.py
Embed the Serverless Defender. The following command generates a new ZIP file named twistlock_lambda.zip. The --console-host parameter is optional; specify it only if Defender reaches Console at a different address than the one given in --address.
$ ./twistcli serverless embed \
    --address https://<TWISTLOCK_CONSOLE>:8083 \
    --console-host <TWISTLOCK_CONSOLE>:8084 \
    --user <TWISTLOCK_CONSOLE_USER> \
    --function <AWS_LAMBDA_FUNCTION_NAME> \
    --runtime python3.6 \
    --handler main.handler \
    lambda.zip
Review the contents of the new ZIP file. There is a new directory named twistlock/ that holds the policy (config) and the Serverless Defender (libtw_serverless.so).
$ zipinfo twistlock_lambda.zip
Archive:  twistlock_lambda.zip
Zip file size: 20036 bytes, number of entries: 5
-r--r--r--  2.0 unx      624 bX defN 18-Jul-28 10:08 main.py
drwxr-xr-x  2.0 unx        0 bX stor 18-Jul-28 10:08 twistlock/
-rw-r--r--  2.0 unx      208 bX defN 18-Jul-28 10:08 twistlock/config
-r--r--r--  2.0 unx    46136 bX defN 18-Jul-28 10:08 twistlock/libtw_serverless.so
-r--r--r--  2.0 unx      123 bX defN 18-Jul-28 10:08 twistlock/serverless.py
5 files, 47091 bytes uncompressed, 19294 bytes compressed:  59.0%
Upload the new ZIP file to AWS.
In Designer, select your function so that you can view the function code.
Under Code entry type, select Upload a .ZIP file.
Specify a runtime and the handler.
Validate that Runtime is Python 3.6 or Node.js 8.10, and that Handler points to the function’s entry point.
Click Upload.
Click Save.
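As an added example (not Twistlock's own code), here is a pre-upload gate a pipeline could run after twistcli has produced the embedded archive: it enforces the protected/unprotected naming scheme the text recommends and checks that the twistlock/ entries shown in the zipinfo listing are actually present, with a non-empty policy, before anything is uploaded to AWS. The twistlock_ prefix and the sample archive contents are assumptions constructed for this example.

```python
import io
import os
import zipfile

# Entries the embed step leaves in the archive (from the zipinfo listing above).
REQUIRED_ENTRIES = ("twistlock/config", "twistlock/libtw_serverless.so")
PROTECTED_PREFIX = "twistlock_"  # naming convention assumed for this example

def is_protected_name(zip_path):
    """Naming scheme: only Defender-embedded archives carry the prefix."""
    return os.path.basename(zip_path).startswith(PROTECTED_PREFIX)

def missing_defender_entries(zip_bytes):
    """List the Defender/policy entries the archive lacks (empty list = ok)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        missing = [e for e in REQUIRED_ENTRIES if e not in names]
        # A zero-byte policy means Console had no matching rule: nothing to enforce.
        if "twistlock/config" in names and zf.getinfo("twistlock/config").file_size == 0:
            missing.append("twistlock/config (empty policy)")
        return missing

def gate(zip_path, zip_bytes):
    """Return (ok, reason): whether the pipeline may upload this archive to AWS."""
    if not is_protected_name(zip_path):
        return False, "unprotected artifact name: embed step was skipped"
    missing = missing_defender_entries(zip_bytes)
    if missing:
        return False, "embed incomplete, missing " + ", ".join(missing)
    return True, "ok"

def build_sample_zip(entries):
    """Construct an in-memory archive (sample input, not a real Defender build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: one archive after embedding, one untouched, and one with
# an empty policy (the case that arises when no Console rule matches the function).
HANDLER = b"def handler(event, context):\n    return 'ok'\n"
EMBEDDED = build_sample_zip({"main.py": HANDLER,
                             "twistlock/config": b"<policy from Console>",
                             "twistlock/libtw_serverless.so": b"\x7fELF placeholder",
                             "twistlock/serverless.py": b"# bootstrap\n"})
PLAIN = build_sample_zip({"main.py": HANDLER})
NO_POLICY = build_sample_zip({"main.py": HANDLER, "twistlock/config": b"",
                              "twistlock/libtw_serverless.so": b"\x7fELF placeholder"})
```

Wire gate() in as the step between twistcli and the AWS upload; a False result should fail the pipeline stage rather than fall through to deploying the unprotected lambda.zip.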