Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
powerlifter
Employee Alumnus
Employee Alumnus

How to secure your Serverless Functions with CloudGuard Workload with a Open Serverless CICD Job

CloudGuard Workload Serverless CICD pipeline with SAST/DAST Security

https://github.com/chkp-dhouari/Lambda-CICD-Security

Deploying serverless Lambda functions on AWS using a Serverless Framework CICD pipeline with the Check Point CloudGuard Workload solution for serverless Build and Runtime security, Serverless Framework allows you to build, test and deploy serverless functions from your local machine to the cloud. Here i am buidling a simple web node.js serverless funtion and adding the Check Point CloudGuard Workload plugin to add proact plugin for SAST and FSP(Function Self Protection) for DAST or Runtime security. SAST is the scanning of of the function source code while the runtime security whitelists a function behavior.

Started a Serverless project called lamdba-cicd which will create a dir with the same name and will generate a serverless.yaml file. I have created a github repo to be used as SCM,

Please install the following before starting the lab:


Node.js > version 6.10
AWS credentials (Install AWS CLI v2 on local machine and add credentials and region during the CLI installation)
Git
Docker
The Serverless Framework (using Open Source)
https://www.serverless.com/framework/docs/providers/aws/

Please start by installing the serverless framework using the command:

npm install -g serverless

You can verify that serverless

serverless -version

dean:~ dasig$ serverless --version
Framework Core: 1.69.0
Plugin: 3.6.11
SDK: 2.3.0
Components: 2.30.10
dean:~ dasig$ 

Note: please ensure to have installed latest node.js and aws cli with aws api id and key credentials.

THe next step will be to create a serverless project or service with a runtime and directory. The template allows you to chose the runtime used by your function and path is the path of the project directory. you can point it to an existing dir or it will create on for you.


> dean:~ dasig$ serverless create --template aws-nodejs --path lambda-cicd
Serverless: Generating boilerplate...
Serverless: Generating boilerplate in "/Users/dasig/lambda-cicd"
 _______                             __
|   _   .-----.----.--.--.-----.----|  .-----.-----.-----.
|   |___|  -__|   _|  |  |  -__|   _|  |  -__|__ --|__ --|
|____   |_____|__|  \___/|_____|__| |__|_____|_____|_____|
|   |   |             The Serverless Application Framework
|       |                           serverless.com, v1.69.0
 -------'

Serverless: Successfully generated boilerplate for template: "aws-nodejs"

serverless.yml and handler.js files will be automatically generated in the service directory. the serverless.yml file contains the config and the handler.js the application source code to be packaged as a lambda fucntion.


dean:~ dasig$ cd lambda-cicd
dean:lambda-cicd dasig$ ls
README.md		node_modules		package.json		protego_output
handler.js		package-lock.json	protego-config.json	serverless.yml
dean:lambda-cicd dasig$ 

Please change dir to the Serverless project directory where your serverless.yml file is located and install the Dome9 Cloudguard workload plugin

npm install -D https://artifactory.app.protego.io/cloudguard-serverless-plugin.tgz

Get the Dome9 CloudGuard workload Token and create a protego-config.json file as follow. Place this file in the same dir as your serverless.yml file in the serverless project dir.

{
    "protegoAccessToken": "DOME9-ACCESS-TOKEN"
}

The CloudGuard plugin is added to the serverless.yaml file using the followin syntax: This can be added at the global level before all function definition to apply to all functions or per function within the function section. In my case I am doing this at the global level


plugins:
 - serverless-cloudguard-plugin

custom:
  protego:
    fsp:
      Enabled: true
    proact:
      Enabled: true
           
      StoreJobReport: true                         # default is false

      Features:
        PermissiveRole:
          Enabled:        true                     # default is true
          FailThreshold:   None                    # default is None

        VulnerableDependency:
          Enabled:        true                     # default is true
          FailThreshold:  Critical                 # default is None

        CredentialsUsage:
          Enabled:        true                     # default is true
          FailThreshold:  None                     # default is None

        RuleViolation:
          Enabled:        true                    # default is true
          FailThreshold:  None                    # default is None
      

You can chose to use any function runtime and code and that is store in the handler.js file under the serverless rpoject directory

For this test, I am using a simple node.js function as follow but could be anything and you can also include other serverless dependencies such API GW, S3 bucket, Cognito, DynamoDB etc.. depending on the application you are deploying.
$cat handler.js
'use strict';

module.exports.cgtest = async event => {
  return {
    statusCode: 200,
    body: JSON.stringify(
      {
        message: 'Go CloudGuard WorkLoad.. Your function has been secured successfully!',
        input: event,
      },
      null,
      2
    ),
  };
};

For the CICD Job, I am using GitHub as the SCM repository by adding my serverless project local directory to Git with the following commands:

git init

git add -A

git commit -m 'lambda-cicd'

git remote add origin git@github.com:chkp-dhouari/lambda-cicd-security.git

git push -u -f origin master

Note: You can configure WebHooks with Github to trigger a CICD Jobs when doing changes.

The CICD job is started using the command and we can see the proact and fsp performing the code scanning and adding the runtime security layer to the Lambda function.


dean:lambda-cicd dasig$ sls deploy
Serverless: [serverless-plugin-cloudguard: fsp] FSP:: loadDependencies 
Serverless: [serverless-plugin-cloudguard: fsp] Initializing... 
Serverless: [serverless-plugin-cloudguard: fsp] Initializing, Done. 
Serverless: [serverless-plugin-cloudguard: proact] Initializing... 
Serverless: [serverless-plugin-cloudguard: proact]  - Initializing docker (protego/protego-runtime:latest) - please wait, this action may take some time ... 
Serverless: [serverless-plugin-cloudguard: proact] Initializing, Done. 
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: [serverless-plugin-cloudguard: proact]  | --- Scanning --- | please wait, this action may take some time ... 

λ: (✓) hello
-----------------------------------
	PermissiveRole : Warning (Low) - Role Too Permissive     
	VulnerableDependency : Succeeded
	CredentialsUsage : Succeeded
	RuleViolation : Succeeded
Detailed output: protego_output/hello.yaml
-----------------------------------

Number of failed functions: 0
Scan detailed output: file:////Users/dasig/lambda-cicd/protego_output/ProtegoScanResults.yaml
Scan detailed report (HTML): file:////Users/dasig/lambda-cicd/protego_output/ProtegoScanReport.html


--------------------------------------------------------
 Stored Job Id: 1588863622893_04a5ea19-d737-4cb9-bbf5-38943d860637
--------------------------------------------------------

Serverless: [serverless-plugin-cloudguard] * Adding layer to hello (nodejs12.x) ... 
Serverless: [serverless-plugin-cloudguard] Validate Packages 
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service lambda-cicd.zip file to S3 (405.81 KB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.........
Serverless: Stack update finished...
Service Information
service: lambda-cicd
stage: dev
region: us-east-1
stack: lambda-cicd-dev
resources: 8
api keys:
  None
endpoints:
  None
functions:
  hello: lambda-cicd-dev-hello
Serverless: 
Protego - FSP Plugin (1.4.25) Summary:

  Protected Functions:
    ✓ hello:  Protected (.serverless/lambda-cicd.zip)   <<<<<<<<<<======= FSP (Runtime Security)

Serverless: 

======================================================
|               DEPRECATION WARNING!!!               |
======================================================
WARN: serverless-protego-plugin plugin will be deprecated in coming releases.
Use serverless-cloudguard-plugin plugin instead.
Please refer to the product documentation for more details.

layers:
  None
Serverless: Publishing service to the Serverless Dashboard...
Serverless: Successfully published your service to the Serverless Dashboard: https://dashboard.serverless.com/tenants/deanj08/applications/lambda-cicd-app/services/lambda-cicd/stage/dev/region/us-east-1
dean:lambda-cicd dasig$

You can verify on the AWS console that the Lambda function was created and that the FSP runtime security has been added as a layer to that function:

 



fsp.png

 

(1)
1 Reply
Sergej_Gurenko
Collaborator

Hello, Can you please confirm the licensing for CloudGuard (Dome9) Proact Assessment? Does it count as asset or not?

It was recently announced in CloudGuard Dome9 Release Notes - Deployment Jul 21, 2020

Serverless Menu Item - 16:00 UTC

Type: Feature
Description: Lambda code scan is now available under Serverless menu item

There are some more details in Serverless Risk Assessment (Proact)

CloudGuard (Dome9) Proact Serverless protection assess the risk in serverless functions in your AWS cloud accounts. CloudGuard scans and analyzes your functions and their dependent libraries for vulnerabilities, unnecessary IAM permissions, and sensitive information such as passwords and keys. It then calculates a Posture score, based on the number, nature, and severity of vulnerabilities found, and generates alerts for each vulnerability, that indicate the specific issues and, in many cases, the actions necessary to remedy them.

New feature allows to:

  • identify over-permissive IAM roles used by serverless functions
  • identify 3rd-party libraries for vulnerabilities
  • identify hard-coded credentials, secrets, and other sensitive information in serverless code
  • identify unused functions

Not sure if it is worth to start new post, asking it here,

0 Kudos
Upcoming Events

    CheckMates Events