Serverless functions

Purpose

Cisco Panoptica can scan serverless functions in AWS accounts, and evaluate them for security issues and vulnerabilities. These are shown as findings, and receive a risk score (based on an internal scoring mechanism) which helps to rank the functions by their level of risk.

Scans can reveal the following about your cloud accounts & serverless functions:

  • the presence of secrets such as keys and passwords in the function's code or environment variables
  • code vulnerabilities in open-source packages or dependencies used by functions
  • inappropriate or excessive permissions granted to functions, beyond what they actually need and use (with fix suggestions based on the least-privilege model)
  • functions with public access exposure and access to data sources (which may be an exfiltration target)
  • "dead" functions that have been inactive for a long time
  • authentication and authorization of functions: verifying that the triggers of each function are identified and authorized

To scan these functions, you must provide Panoptica with details of your AWS account, including permissions to access the functions.

Connect accounts

Before Panoptica can scan and evaluate serverless functions, you must provide details about the AWS account. Each AWS region with functions must be added as a separate account.

Connect a single account

These steps will connect a single AWS account to Panoptica. In the process, the Panoptica scanner will be deployed to the account using an AWS CFT. Once connected, the account can be scanned by Panoptica.

  1. Navigate to the SERVERLESS page, and then click Connect account. You will be prompted to install the Panoptica scanner in your AWS account. This is done using a CloudFormation stack. Click DEPLOY.
  2. You will be redirected to your AWS account and prompted to create a CloudFormation stack. Check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Create stack.
  3. The stack will deploy the Panoptica scanner in your account, and grant it permissions to scan functions and send the results to the Panoptica account. When deployed, the cloud account will appear in the list of accounts, with status 'Installed'. The first scan will be triggered at the scheduled scan time (see Scanning, below).

Connect multiple accounts

These steps will connect several AWS accounts (part of the same organization) to Panoptica. Once connected, each account is scanned and managed separately in Panoptica. The process uses an AWS CFT and CloudFormation StackSets, which must be set up in your account (see Prerequisites for stack set operations).

Each region to be scanned should be added as a separate account.

  1. Navigate to the SERVERLESS page, and click Connect multiple accounts.
  2. Copy the external ID presented on the screen, as it is used in later steps.
  3. Connect to your AWS management (master) account as an admin. See [Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) for details about Organizations in AWS. The remaining steps are performed in AWS.
  4. Navigate to CloudFormation, then select StackSets. Click Create StackSet. Ignore any AWS warnings about an AdministratorAccess policy being attached to an IAM role; this is part of the StackSet setup.
  5. Optionally, select or change the AWS region (in the upper right corner).
  6. In the Create StackSet dialog, Step 1 (Choose a template), make these selections:
    1. Select (or leave selected) Service managed permissions in Permissions.
    2. Select Template is ready.
    3. For Template source, select Amazon S3 URL, and enter this URL: https://us-securecn.s3.amazonaws.com/production-template.json
    4. Click Next.
  7. In Step 2 (Specify StackSet details), enter a StackSet name and description.
  8. Paste the external ID value, copied above, in the ExternalID field.
  9. Click Next.
  10. In Step 3 (Configure options), click Next (no options are selected here).
  11. In Step 4 (Set deployment options), select (or leave selected) Deploy new stacks.
  12. For Deployment targets, select Deploy to organization (recommended). This deploys to the entire organization. Alternatively, to deploy only to selected organizational units, do not select Deploy to organization; instead, navigate to the AWS Organizations page, select Organize accounts, and enter the IDs of the specific AWS organizational units (the ID is shown in the top right).
  13. For Auto deployments, leave the default settings unchanged.
  14. For Specify regions, select the specific AWS regions.
  15. For large environments, set the following:
    1. Set Maximum concurrent accounts to Percentage, and set it to 50 (%).
    2. Set the Failure tolerance to Percentage, and set it to 50 (%).
    3. Change Region Concurrency to Parallel.
    4. Click Next.
  16. In the Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then click Submit.

The CFT template will connect the selected accounts to Panoptica.
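The console steps above can also be scripted. The following Python helper is added here as an illustration and is not part of Panoptica's own tooling: it composes the equivalent `aws cloudformation` CLI calls. The template URL comes from this page; the stack set name, OU/root IDs and regions are placeholders, and it is assumed that the template parameter behind the console's ExternalID field is named ExternalID and that the console's default for Auto deployments is "enabled".

```python
import shlex
import subprocess

# Template URL from the page; every other value below is a placeholder or a stated assumption.
TEMPLATE_URL = "https://us-securecn.s3.amazonaws.com/production-template.json"


def stackset_commands(name, external_id, regions, targets, large_env=True):
    """Return the two `aws cloudformation` argv lists that mirror the console steps.

    targets: organizational unit IDs; passing the organization root ID (r-xxxx,
    from `aws organizations list-roots`) is the CLI form of "Deploy to organization".
    """
    if not external_id.strip():
        raise ValueError("ExternalID is required: copy it from the Panoptica screen")
    if not regions or not targets:
        raise ValueError("at least one region and one deployment target are required")
    create = [
        "aws", "cloudformation", "create-stack-set",
        "--stack-set-name", name,
        "--template-url", TEMPLATE_URL,
        # assumption: the console's ExternalID field is a template parameter named ExternalID
        "--parameters", f"ParameterKey=ExternalID,ParameterValue={external_id}",
        "--permission-model", "SERVICE_MANAGED",    # "Service managed permissions"
        "--capabilities", "CAPABILITY_NAMED_IAM",   # the IAM-resources acknowledgement box
        # "Auto deployments: leave the default"; enabled is assumed to be that default
        "--auto-deployment", "Enabled=true,RetainStacksOnAccountRemoval=false",
    ]
    prefs = ["RegionConcurrencyType=SEQUENTIAL"]
    if large_env:  # the page's settings for large environments
        prefs = ["MaxConcurrentPercentage=50", "FailureTolerancePercentage=50",
                 "RegionConcurrencyType=PARALLEL"]
    instances = [
        "aws", "cloudformation", "create-stack-instances",
        "--stack-set-name", name,
        "--deployment-targets", "OrganizationalUnitIds=" + ",".join(targets),
        "--regions", *regions,
        "--operation-preferences", ",".join(prefs),
    ]
    return create, instances

def run(argv, dry_run=True):
    """Print the command; execute it only when dry_run is False (needs AWS credentials)."""
    print(shlex.join(argv))
    return None if dry_run else subprocess.run(argv, check=True)

if __name__ == "__main__":
    for cmd in stackset_commands("panoptica-scanner", "<external-id>", ["us-east-1"], ["r-xxxx"]):
        run(cmd)
```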

Scanning

You can manually trigger a scan at any time, or you can schedule scans to be run at regular intervals.
The scan checks all functions in the account (that is, in the specific region) and shows the findings in the Functions tab. The scan runs in the user's cloud account (using a function added to the account when the account is connected). The function code is not examined, and does not leave the account.

The results will include these details:

  • secrets such as keys, passwords, and suspicious variable names
  • vulnerabilities in the function's code/image or dependent packages
  • overly permissive permissions (with fix suggestions)
  • environment risks (e.g. public-facing, data access, inactive)
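As an added illustration of the "overly permissive permissions" finding above (not Panoptica's code), this Python snippet compares a function's IAM policy document with the actions the function was actually observed using, flags unused and over-broad grants, and produces a narrowed least-privilege policy as the fix suggestion. The policy document, account ID and observed actions are constructed sample values.

```python
import fnmatch
import json

# Constructed sample: an execution-role policy and the actions the function actually used
# (as one would collect from CloudTrail). The account ID and ARNs are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/orders:*"},
        {"Effect": "Allow", "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"},
    ],
}
OBSERVED_ACTIONS = ["s3:GetObject", "logs:CreateLogStream", "logs:PutLogEvents"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' wildcards behave as in IAM policies
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def excessive_permissions(policy, used_actions):
    """Flag grants no observed action needs, wildcard grants wider than what is used,
    and build the narrowed policy that would cover only the observed actions."""
    unused, overbroad, narrowed = [], [], []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        kept = set()
        for pattern in _as_list(st["Action"]):
            hits = {a for a in used_actions if _matches(pattern, a)}
            if not hits:
                unused.append(pattern)                     # granted but never used
            elif any(c in pattern for c in "*?"):
                overbroad.append((pattern, sorted(hits)))  # e.g. s3:* where only GetObject is used
            kept |= hits
        if kept:  # keep the statement's own resources, but only the actions seen in use
            narrowed.append({"Effect": "Allow", "Action": sorted(kept), "Resource": st["Resource"]})
    wildcard_resources = [st for st in narrowed if "*" in _as_list(st["Resource"])]
    return {"unused": unused, "overbroad": overbroad,
            "wildcard_resources": len(wildcard_resources),
            "fix": {"Version": policy["Version"], "Statement": narrowed}}

if __name__ == "__main__":
    print(json.dumps(excessive_permissions(SAMPLE_POLICY, OBSERVED_ACTIONS), indent=2))
```

Resource scoping is reported separately (`wildcard_resources`) because the observed actions alone do not say which ARNs were touched; narrowing `Resource` needs the resource ARNs from the same event source.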

Scan now - manually triggered

In the CLOUD ACCOUNTS tab, select the account, and select Scan now at the right. This will start a scan on the functions in the account.


Inventory of functions and scan results (findings)

When the account is scanned, a list of serverless functions is created. You can sort or filter the list. The list also shows the findings discovered for each function during scanning, and assigns an overall risk (FUNCTION RISK).


Click on a function to show its details, including security risks (aggregated risk score) and known code vulnerability findings.
