
Aqua Secures Container Image Support in AWS Lambda


Amazon continues to build new capabilities into its serverless offering and has launched container image support in AWS Lambda, which lets you package and deploy Lambda functions as container images. Building on our partnership with AWS and our goal of offering the most complete cloud-native security solution, Aqua Security now includes security capabilities that cover this new Lambda feature.

Serverless has been the fastest-growing cloud service since the introduction of AWS Lambda in 2014. What started as an event-driven service for executing code snippets now integrates with some 140 AWS services and is an integral part of distributed serverless architectures. The idea was to shield users from infrastructure concerns and provide a simple execution environment. Recognizing that potential, Aqua officially began securing serverless workloads in early 2018.

Containers are an indispensable building block

Containers, and the rich ecosystem that comes with them, are a critical part of modern application development and deployment. This new feature from AWS will help customers ramp up their adoption of serverless technologies by letting them reuse the DevOps tools and processes they already have. As a bonus, it provides another local testing option for your Lambda function: the AWS Lambda Runtime Interface Emulator (RIE), which emulates the Lambda Runtime API. Run the image locally with its port 8080 published and POST test events to the emulator's /2015-03-31/functions/function/invocations endpoint, a step that plugs easily into CI/CD workflows.

The Serverless attack surface

By design, serverless removes whole classes of attack options: there is no host or operating system for the customer to harden. Paired with microVMs, this provides a high degree of isolation down to the kernel level. The consequence is that attackers shift their attention to the most exposed layer that remains: the application code and the inputs it receives.

As an event-driven service that can run code across many runtimes, Lambda stitches together a variety of AWS services. Functions are triggered by, and take their instructions from, a multitude of event sources, and each of those sources is a path by which attacker-controlled data can reach the function. To keep them from becoming an avenue for attack, treat the event payload as untrusted input: define what a valid payload looks like and validate its origin, structure and contents before acting on it.
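The following handler shows that validation in practice. It is an added example, not code from the original post: it assumes an SQS-triggered function that expects each message body to be a small JSON order object, and the queue ARN, schema and sample records are constructed for illustration.

```python
"""Validate a Lambda event payload before acting on it.

Added example, not code from the original post. Assumes an SQS-triggered
function whose messages carry a JSON order object; the queue ARN, schema
and sample records below are constructed for illustration.
"""
import json

# Only records from this queue are accepted (constructed ARN).
EXPECTED_SOURCE_ARN = "arn:aws:sqs:us-east-1:123456789012:orders-queue"
MAX_BODY_BYTES = 4096  # reject oversized bodies before parsing them


def _is_order_id(v):
    return isinstance(v, str) and v.isalnum() and len(v) <= 32


def _is_sku(v):
    return isinstance(v, str) and 1 <= len(v) <= 64 and v.replace("-", "").isalnum()


def _is_qty(v):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool) and 1 <= v <= 1000


# Explicit schema: every expected field with its validator. Unknown fields are rejected.
SCHEMA = {"order_id": _is_order_id, "sku": _is_sku, "quantity": _is_qty}


class InvalidEvent(ValueError):
    """Raised for any record the function must refuse to process."""


def parse_order(record):
    """Return a validated order dict from one SQS record, or raise InvalidEvent."""
    if record.get("eventSource") != "aws:sqs" or record.get("eventSourceARN") != EXPECTED_SOURCE_ARN:
        raise InvalidEvent("unexpected event source")
    body = record.get("body", "")
    if not isinstance(body, str) or len(body.encode()) > MAX_BODY_BYTES:
        raise InvalidEvent("body missing or too large")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise InvalidEvent(f"body is not JSON: {exc}") from None
    if not isinstance(data, dict) or set(data) != set(SCHEMA):
        raise InvalidEvent("unexpected fields")  # no extra keys, no missing keys
    for key, check in SCHEMA.items():
        if not check(data[key]):
            raise InvalidEvent(f"invalid value for {key}")
    return data


def handler(event, context=None):
    """Lambda entry point: validate every record and process only the clean ones."""
    accepted, rejected = [], []
    for record in event.get("Records", []):
        try:
            accepted.append(parse_order(record))
        except InvalidEvent as exc:
            rejected.append({"messageId": record.get("messageId"), "reason": str(exc)})
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample event: one good record, one smuggling an extra field, one from another queue.
SAMPLE_EVENT = {"Records": [
    {"messageId": "1", "eventSource": "aws:sqs", "eventSourceARN": EXPECTED_SOURCE_ARN,
     "body": json.dumps({"order_id": "A1B2C3", "sku": "WIDGET-42", "quantity": 3})},
    {"messageId": "2", "eventSource": "aws:sqs", "eventSourceARN": EXPECTED_SOURCE_ARN,
     "body": json.dumps({"order_id": "A1B2C3", "sku": "WIDGET-42", "quantity": 3,
                         "callback": "http://attacker.example/"})},
    {"messageId": "3", "eventSource": "aws:sqs",
     "eventSourceARN": "arn:aws:sqs:us-east-1:123456789012:other-queue",
     "body": json.dumps({"order_id": "X", "sku": "Y", "quantity": 1})},
]}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```

The schema is an allowlist: a record with an unexpected field is refused rather than having the field silently ignored, because that extra field is exactly where an injected URL or override would travel. In production the rejected records would go to a dead-letter queue or be reported as batch item failures instead of being returned in the response.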

Functions typically serve as "code glue" that binds together various managed services to make up the overall business logic. In serverless architectures, multiple functions interact in service-to-service communication, so it is important to give each function its own execution role with granular, least-privilege permissions rather than sharing one broad role across functions: a compromised function should be able to reach only the queue, table or bucket it genuinely needs.
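A simple way to keep execution roles honest is to lint their policy documents in CI. The script below is an added example, not code from the original post or from Aqua: the broad and scoped policies are constructed, and the list of sensitive actions is illustrative rather than exhaustive.

```python
"""Lint a Lambda execution-role policy for least privilege.

Added example, not code from the original post. The two policy documents are
constructed: the broad role many teams start with, and a scoped role for a
function that reads one queue, writes one table and logs to its own log group.
"""
import fnmatch

# Actions worth flagging even when scoped to a resource (constructed, not exhaustive):
# each lets a function widen its own or another principal's access.
SENSITIVE_ACTIONS = ("iam:PassRole", "sts:AssumeRole",
                     "lambda:UpdateFunctionCode", "lambda:AddPermission")


def _as_list(v):
    # IAM allows a single string or a list for Action/Resource
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Return (statement_index, finding) tuples for every risky Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
            elif any(fnmatch.fnmatchcase(s, action) for s in SENSITIVE_ACTIONS):
                findings.append((i, f"sensitive action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource"))
    return findings


def is_least_privilege(policy):
    """True when the linter finds nothing to object to."""
    return not lint_policy(policy)


# Constructed: the kind of role that gets attached "to make it work".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sqs:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed: only what an SQS-triggered function writing to one table needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue"},
        {"Effect": "Allow",
         "Action": "dynamodb:PutItem",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/process-orders:*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", lint_policy(policy) or "least privilege")
```

The check is deliberately strict about `Resource: "*"`; where an action genuinely has no resource-level permissions, add an explicit exception for that action rather than loosening the rule for the whole role.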

Aqua Enterprise security platform

As a cloud native security company, securing containers has always been part of Aqua's DNA, and that coverage has been extended to serverless functions. Our platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, the cloud infrastructure, and running workloads wherever you deploy them.

For anyone using this new Lambda feature, we deliver a consistent security experience across container and serverless workloads alike. You can apply familiar DevSecOps tools and processes, with the Aqua image scanner embedded, to your serverless application development, and you get granular control over the security posture of your serverless applications, with policies you set for production.

Secure from the start

A Lambda function is a lightweight piece of code that is typically short-lived. By securing the build, we support the DevSecOps practice of shifting left: detect issues early and fix them before they ship, so that only clean artifacts are produced. Aqua's image scanner integrates into any CI/CD workflow to weed out bad configurations, embedded secrets, and vulnerabilities while keeping false positives low.

[Image: ci-cd-lambda]

You can also configure granular compliance gates in Aqua through Assurance Policies. These provide a set of security controls from which you compose compliance criteria that match your risk tolerance. An artifact that fails those criteria is marked as non-compliant, and you can then configure the Aqua scanner step to fail the CI/CD pipeline, ensuring that only compliant images are pushed to the ECR registry from which the Lambda function is deployed.

Aqua provides a comprehensive report detailing which security controls failed and how to remediate them.

[Image: non-compliant]

Securing third-party code

Serverless functions are the purest form of microservices, performing a well-defined set of operations to achieve a single purpose. But in the end, a function is just a piece of code, and nobody writes code from scratch anymore. Developers rely heavily on third-party packages and open-source libraries, so the risk of inheriting something vulnerable or malicious through those channels is significant. Now that your Lambda code, with all its third-party dependencies, can take the form of a container image, it is exposed to the same supply-chain risks as any other container image.

Fortunately, the knowledge and security features we built for container images now extend to serverless functions. They can be applied as Assurance Policies for preventive control, as granular as you want: block specific packages, add custom compliance scripts, scan for embedded sensitive data, and more. One compelling use case for functions packaged as container images is restricting functions to approved base images, such as the official runtime images AWS publishes for Lambda.
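To make the gate described in the two sections above concrete, here is a stand-alone policy-as-code check of the kind a CI step runs before pushing an image to ECR. It is an added example, not Aqua's scanner or its Assurance Policy engine: the Dockerfiles, installed-package lists and blocklist are constructed, and the approved base images are the official AWS Lambda runtime images from the ECR Public Gallery (public.ecr.aws/lambda/...).

```python
"""Policy-as-code gate for a Lambda container image, run before the push to ECR.

Added example, not Aqua's scanner or Assurance Policy engine. The Dockerfiles,
package lists and blocklist below are constructed for illustration; the
approved bases are the official AWS Lambda runtime images on ECR Public.
"""
import re
import sys

APPROVED_BASES = ("public.ecr.aws/lambda/python:3.9", "public.ecr.aws/lambda/nodejs:14")
BLOCKED_PACKAGES = {"pycrypto"}  # constructed example: unmaintained, superseded by pycryptodome
# Access-key-shaped values or KEY=VALUE pairs whose name suggests a credential.
SECRET_PATTERN = re.compile(r"(AKIA[0-9A-Z]{16}|(?i:password|secret|token)\s*=\s*\S+)")
FROM_LINE = re.compile(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)


def final_base_image(dockerfile):
    """Base image of the final stage, resolving `FROM <alias>` to that stage's image."""
    stages, final = {}, None
    for line in dockerfile.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue
        image = stages.get(m.group(1).lower(), m.group(1))
        if m.group(2):
            stages[m.group(2).lower()] = image
        final = image
    return final


def evaluate(dockerfile, installed_packages):
    """Apply the policy; return a list of finding strings (empty means compliant)."""
    findings = []
    base = final_base_image(dockerfile)
    if base not in APPROVED_BASES:
        findings.append(f"base image not approved: {base}")
    for name in installed_packages:
        if name.lower() in BLOCKED_PACKAGES:
            findings.append(f"blocked package: {name}")
    for n, line in enumerate(dockerfile.splitlines(), 1):
        if re.match(r"\s*(ENV|ARG)\b", line, re.I) and SECRET_PATTERN.search(line):
            findings.append(f"possible embedded secret in Dockerfile line {n}")
    return findings


def gate(dockerfile, installed_packages):
    """CI step exit code: 0 when compliant, 1 otherwise, so the pipeline stops before docker push."""
    findings = evaluate(dockerfile, installed_packages)
    for f in findings:
        print("NON-COMPLIANT:", f)
    return 1 if findings else 0


# Constructed: a non-AWS base (so it needs the runtime interface client), a baked-in token,
# and, in the package list, an unmaintained crypto library.
BAD_DOCKERFILE = """\
FROM python:3.9-slim
ENV API_TOKEN=abc123secret
RUN pip install awslambdaric -r requirements.txt
COPY app.py /var/task/
ENTRYPOINT ["python", "-m", "awslambdaric"]
CMD ["app.handler"]
"""
BAD_PACKAGES = ["boto3", "pycrypto"]

# Constructed: multi-stage build on the official Lambda base image, no secrets in the image.
GOOD_DOCKERFILE = """\
FROM public.ecr.aws/lambda/python:3.9 AS build
COPY requirements.txt .
RUN pip install -r requirements.txt --target /deps
FROM public.ecr.aws/lambda/python:3.9
COPY --from=build /deps ${LAMBDA_TASK_ROOT}
COPY app.py ${LAMBDA_TASK_ROOT}
CMD ["app.handler"]
"""
GOOD_PACKAGES = ["boto3", "pycryptodome"]

if __name__ == "__main__":
    sys.exit(gate(BAD_DOCKERFILE, BAD_PACKAGES) or gate(GOOD_DOCKERFILE, GOOD_PACKAGES))
```

Only the final stage's base image is checked, because that is what ships; the installed-package list would come from the scanner's software bill of materials rather than being passed in by hand as it is here.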

[Image: assurance]

Most developers deploy Lambda functions and move on. Over time those functions age, and if they are not managed, risk seeps in: dependencies that were clean at build time accumulate newly disclosed vulnerabilities. Packaging function code as a container image simplifies not only the packaging of serverless applications but also their management. Functions packaged as container images can be pushed to ECR, where they can be rescanned for security risks periodically throughout their lifetime.

[Image: registry]

With Aqua, you can integrate the ECR registry that stages these container images and configure a scheduled automatic scan for risks.

In a nutshell

Good security shouldn't take anything away from your Lambda experience. By applying one consistent methodology and one set of security controls to both containers and serverless functions, Aqua makes the combination of AWS Lambda and container development toolchains easy to support, and the user experience more seamless than before.

We at Aqua believe that a preventive approach, one that identifies and mitigates risks in the build phase and so shrinks the attack surface before deployment, can vastly improve the security posture of serverless applications.

Aqua Team
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and accelerate their digital transformations. The Aqua Platform is the leading Cloud Native Application Protection Platform (CNAPP) and provides prevention, detection, and response automation across the entire application lifecycle to secure the supply chain, secure cloud infrastructure and secure running workloads wherever they are deployed. Aqua customers are among the world’s largest enterprises in financial services, software, media, manufacturing and retail, with implementations across a broad range of cloud providers and modern technology stacks spanning containers, serverless functions and cloud VMs.