Serverless Policies

Serverless Policy rules manage the use of serverless functions in your AWS and Azure accounts, according to conditions that you define. You can select the functions to which a policy applies using a range of parameters, including name, account, region, risk level, vulnerabilities, and more. As with all Runtime Policies, you can choose to block the function from being run, allow it, or allow it with a notification (detect).
Risks and vulnerabilities for serverless functions are determined when the functions are scanned. You can see the inventory of functions, with details of risks, vulnerabilities, and more, on the SERVERLESS page.

Create a Serverless Rule

There are two steps in creating a Serverless Policy rule:
STEP 1 - set the rule properties
STEP 2 - select the functions covered by the rule

STEP 1 - set the rule properties

In this step, you name the rule and select the action to be taken when the rule applies to a function.

  1. Click New Serverless rule.
  2. Enter a name for the rule.
  3. Select the action to be taken if the rule is applied to a function:
  • Allow serverless functions to run - the functions covered by the rule will be allowed to run in the selected cloud accounts.
  • Detect serverless functions that violate the following rule - the functions covered by the rule will be allowed to run in the selected cloud accounts, and a notification event will be recorded.
  • Block serverless functions that violate the following rule - the functions covered by the rule will be blocked from running in the selected cloud accounts.
    Note - if selected, functions are blocked using the AWS-level function block: a tag, "blocked by Cisco", is added to the function, and its concurrency is set to 0, which prevents any invocation.
  4. Click NEXT.

STEP 2 - select the functions covered by the rule

In this step, you select which functions are covered by the rule. A function is covered only if it matches all of the options below (the options are combined with AND). Risk and vulnerability levels are determined when the functions are scanned.

  1. Select how the functions for the rule are selected:
  • By name - select functions by their name. Enter names in the search box. You can select more than one function.
  • By ARN - select functions by their Amazon Resource Name or Azure Resource ID. Enter a Name/ID, or part of one, in the search box. You can select more than one.
  • Any - selects all functions.
  2. Select the following parameters to further narrow the functions for the rule:
  • Scope - the environment in which the functions are used, selected from a list. If you've selected an AWS function, you can further select the Region. Functions in the selected environment and regions are selected.
  • Total risk level - functions with a risk level equal to or above the selected level are selected.
  • Vulnerability level - functions with a vulnerability level equal to or above the selected level are selected.
  • Visible secrets risk level - functions with secrets written in plain text in the function code; you can select functions that contain them, or those that do not.
  • Function Permissions risk - functions with an assessed permissions risk equal to or above the selected level are selected.
  • Public accessibility risk - functions that can be accessed externally (that is, they are public-facing).
  • Data access - functions that access data.
  • Unused function - functions that have not been used for 30 days.
  3. Click FINISH.
    The rule is created and appears in the list of Serverless rules. You can reposition the rule in the list by dragging it up or down.

Default Serverless Rule

There is a Default Serverless rule that can be modified but not removed or disabled. By default, the rule selects all functions and allows them to run on all accounts. This rule is always positioned last, after all other rules.
You can modify the action for the rule to Allow or Block functions.
