FunctionShield
Serverless Security Library for Developers. Regain Control over Your Serverless Runtime.
How FunctionShield helps With Serverless Security?
- By monitoring (or blocking) outbound network traffic from your function, you can be certain that your data is never leaked
- By disabling read/write operations on the /tmp/ directory, you can make your function truly ephemeral
- By disabling the ability to launch child processes, you can make sure that no rogue processes are spawned without your knowledge by potentially malicious packages
- By disabling the ability to read the function's (handler) source code through the file system, you can prevent handler source code leakage, which is oftentimes the first step in a serverless attack
Supports AWS Lambda and Google Cloud Functions
Get a free token
Please visit: https://www.puresec.io/function-shield-token-form
Install
$ npm install @puresec/function-shield
Super simple to use
const FunctionShield = require('@puresec/function-shield');
FunctionShield.configure({
policy: {
outbound_connectivity: "block",
read_write_tmp: "block",
create_child_process: "block",
read_handler: "block" },
token: process.env.FUNCTION_SHIELD_TOKEN });
exports.hello = async (event) => {
};
Logging & Security Visibility
FunctionShield logs are sent directly to your function's AWS CloudWatch log group.
Here are a few sample logs, demonstrating the log format you should expect:
{
"function_shield": true,
"policy": "outbound_connectivity",
"details": {
"host": "google.com"
},
"mode": "alert"
}
{
"function_shield": true,
"policy": "read_write_tmp",
"details": {
"path": "/tmp/node-alert"
},
"mode": "alert"
}
{
"function_shield": true,
"policy": "create_child_process",
"details": {
"path": "/bin/sh"
},
"mode": "block"
}
{
"function_shield": true,
"policy": "read_handler",
"details": {
"path": "/var/task/handler.js"
},
"mode": "alert"
}
Custom Security Policy (whitelisting)
Custom security policy is only supported with the PureSec SSRE full product.
Get PureSec