Contrast Security’s Serverless helps you to find and fix security issues on AWS Lambda functions deployed as containers.
The Serverless solution runs both static and dynamic scans on every supported function (depending on the runtime):
- Dynamic scanner (exploits)
- List of attacks
- Supported services (triggers) for dynamic scans
- Static Analysis Security Testing (SAST)
- Software Composition Analysis (SCA)
- Permission analysis (least privilege)
- Malware analysis
Scanning lambda functions reveals:
- Least-privilege Identity and Access Management (IAM) vulnerabilities (over-permissive policies) and remediation guidance
- The Common Vulnerabilities and Exposures (CVEs) from your libraries (vulnerable dependencies) and remediation guidance
Those findings, called the Contextual Score, are scored based on the following logic:
- The likelihood for an attacker to access the function and exploit its vulnerabilities (if vulnerabilities exist)
- The value of all the detected vulnerabilities, based on their severity
- The potential impact of each vulnerability. In other words, what an attacker could do after a successful exploitation of the function.
The AWS Lambda container feature enables users to create a combination of containers and lambdas. Customers can use the lambda application programming interface (API) or the AWS Lambda console to create lambda images defined by container image.
Development teams can then use these AWS Lambda images to easily deploy scalable serverless workloads. Such workloads rely on varying dependencies. Developers can also build and deploy larger workloads that rely on sizable dependencies: for example, workloads that entail machine learning or that are data-intensive.
Automatic scaling, high availability and native integrations with many services also benefit from the same operational simplicity.
How image lambda differs from regular lambda
There are several differences and advantages to using image lambdas, including those that affect the lambda scan:
- Image lambda code files are not located in the lambda service, but in the Amazon Elastic Container Registry (ECR). Therefore, the code is not reachable via the lambda console or lambda APIs. The benefit here is that AWS Lambda as a container uses regular container rules, which makes it easy for a developer to reuse the same accessibility rules as s/he creates with ECR containers.
- The image lambda configurations are not defined in the lambda but inside the image. Lambda’s attributes — such as permissions, handler, runtime, etc. — are accessible only from the image files.
Why scan image lambdas?
Image lambdas contain image dependencies, in addition to their own dependencies. Those dependencies might not be managed by the developer and therefore are very important to scan. If your environment contains lambda containers, you should scan them for vulnerabilities, as you do for regular lambdas.
How did we add a scanning ability to lambdas as containers?
Contrast’s existing agent — installed in the customer AWS environment — uses the image URI to extract image files, detect lambda configurations and process lambda code.
With that, Contrast can scan the image lambda and detect least privileges, CVEs, exploits, etc.
Contrast does so without exposing any data outside of the customer environment, without affecting the duration of the lambda or any component of it, and while maintaining the capability of scanning lambda updates, as for regular lambdas.
