AWS Serverless and IAM security checks

L1 Bithead

Hello Prisma Cloud Experts,

I'm fairly new to CWPP; I have tried some native and free options and am looking at commercial products now. VNETs, traditional compute and private endpoints are not difficult to grasp, while the transition to serverless is slightly more complex.

What parts of the Prisma Cloud product should the customer use when assessing Serverless Lambda security?

Am I right in understanding that, with regard to AWS Serverless, there are two modes: initial assessment (can be done without any modifications to Lambda) and continuous protection (requires some additional code to be added)? What about checking IAM rules for security? Are there features in Prisma Cloud that add value on top of IAM Analyzer? Is there a built-in code review for Lambda?

Lastly, can you please confirm that all features from PureSec, Twistlock, Evident.io and the rest are fully integrated (or perhaps discontinued), and that the only place I should be reading/looking is the documentation at https://docs.paloaltonetworks.com/prisma/prisma-cloud

Perhaps there are too many questions for one post, and I should do my own research first. Just trying the easy option of asking the experts first.

Regards,

Serg


Accepted Solutions
L2 Linker

"Am I right in understanding that, with regard to AWS Serverless, there are two modes: initial assessment (can be done without any modifications to Lambda) and continuous protection (requires some additional code to be added)? What about checking IAM rules for security? Are there features in Prisma Cloud that add value on top of IAM Analyzer? Is there a built-in code review for Lambda?"

So there are two aspects of the product. All of the PureSec/TwistLock/Evident functionality is integrated. The CSPM (Cloud Security Posture Management) side of the product has about 4 policies specific to Lambda functions, but there are several others that relate to IAM in general across the cloud itself. Here is a screenshot of the Lambda policies that don't require a "Defender", which is the snippet of code for Serverless, or the service that runs on a host, container, etc., whether on prem or in the cloud.

And yes, https://docs.paloaltonetworks.com/prisma/prisma-cloud is the best place to navigate for the documentation, which is very good. Another very useful feature once you adopt the platform, specifically in the Compute tab, is the help, which takes you directly to the updated web URL for that section of the admin guide: if you click "Learn More about this Feature" while you're in the Compute tab under the WAAS settings, it shows the documentation for Web Application and API Security. One other place that has an entirely different set of documentation, related to the Prisma Cloud API, is here:

api.docs.prismacloud.io/reference

Also, in reference to the other part of your question, there are several other configurable protections once you get Defender code deployed in Lambda, like the WAAS capabilities, shoring up compliance violations, or protecting the functions. Hope this helps.
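The IAM-rule question above lends itself to a concrete illustration. The following is an added example, not Prisma Cloud's or any vendor's code: it scans a constructed Lambda execution-role policy document for the wildcard grants that a posture check of the kind the answer mentions would flag. The policy content and account ID are made up.

```python
import json

# Constructed sample of a Lambda execution-role policy (not from the thread).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_overly_permissive(policy):
    """Return one finding per Allow statement that is wildcard-broad.

    Flags: Action "*" or "service:*", Resource "*", and NotAction-based Allows
    (which grant every action except the ones listed).
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        if "*" in resources and (actions or "NotAction" in stmt):
            findings.append(f"{sid}: resource '*' (no resource scoping)")
    return findings


if __name__ == "__main__":
    for finding in find_overly_permissive(SAMPLE_POLICY):
        print(finding)
```

The scoped "Logs" statement produces no finding; the other three do, which is the distinction a config check makes before any Defender code is deployed.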


All Replies
L1 Bithead

I think I found an answer to one of my questions in the Prisma Cloud Licensing and Editions Guide.

Serverless Defender is licensed per million invocations.

Serverless function config checks are not counted (no license consumption).

