    @puresec/function-shield

    2.0.16 • Public • Published

    FunctionShield

    Serverless Security Library for Developers. Regain Control over Your Serverless Runtime.

    How FunctionShield Helps with Serverless Security

    • By monitoring (or blocking) outbound network traffic from your function, you can be certain that your data is never leaked
    • By disabling read/write operations on the /tmp/ directory, you can make your function truly ephemeral
    • By disabling the ability to launch child processes, you can make sure that no rogue processes are spawned without your knowledge by potentially malicious packages
    • By disabling the ability to read the function's (handler) source code through the file system, you can prevent handler source code leakage, which is oftentimes the first step in a serverless attack

    Supports AWS Lambda and Google Cloud Functions

    Get a free token

    Please visit: https://www.puresec.io/function-shield-token-form

    Install

    $ npm install @puresec/function-shield

    Super simple to use

    const FunctionShield = require("@puresec/function-shield");
    FunctionShield.configure({
        policy: {
            // "block" mode => active blocking
            // "alert" mode => log only
            // "allow" mode => allowed, implicitly occurs if key does not exist
            outbound_connectivity: "block",
            read_write_tmp: "block",
            create_child_process: "block",
            read_handler: "block"
        },
        token: process.env.FUNCTION_SHIELD_TOKEN
    });

    exports.hello = async (event) => {
        // ... your code
    };

    Logging & Security Visibility

    FunctionShield logs are sent directly to your function's AWS CloudWatch log group. Here are a few sample logs, demonstrating the log format you should expect:

    // Log example #1:
    {
        "details": {
            "host": "microsoft.com",
            "ip": "13.77.161.179"
        },
        "function_shield": true,
        "timestamp": "2019-06-19T09:08:00.455144Z",
        "policy": "outbound_connectivity",
        "mode": "block"
    }
     
    // Log example #2:
    {
        "details": {
            "path": "/tmp/block"
        },
        "function_shield": true,
        "timestamp": "2019-06-19T09:08:00.422553Z",
        "policy": "read_write_tmp",
        "mode": "block"
    }
     
    // Log example #3:
    {
        "details": {
            "arguments": [
                "uname",
                "-a"
            ],
            "path": "/bin/uname"
        },
        "function_shield": true,
        "timestamp": "2019-06-19T09:08:00.469822Z",
        "policy": "create_child_process",
        "mode": "block"
    }
     
    // Log example #4:
    {
        "details": {
            "path": "/var/task/handler.js"
        },
        "function_shield": true,
        "timestamp": "2019-06-19T09:08:00.433942Z",
        "policy": "read_handler",
        "mode": "block"
    }
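
    A triage script for these events, added here as an example and not part of the FunctionShield package: it groups events by policy and mode and marks "alert" groups as not enforced, since alert mode only logs. It assumes each CloudWatch log event message holds one JSON object in the format above, possibly after a runtime prefix; the function names and sample lines are constructed for illustration.

```javascript
// Added example, not FunctionShield code. Assumption: one JSON event per log
// line in the format shown above; other lines are ordinary application output.

// Return the parsed FunctionShield event, or null for unrelated lines.
function parseShieldEvent(line) {
    const start = line.indexOf("{");
    if (start === -1) return null;
    try {
        const obj = JSON.parse(line.slice(start));
        return obj && obj.function_shield === true && typeof obj.policy === "string" ? obj : null;
    } catch (err) {
        return null; // not JSON, or a truncated line
    }
}

// What was attempted, using the "details" fields each policy logs.
function describeTarget(ev) {
    const d = ev.details || {};
    if (ev.policy === "outbound_connectivity") return `${d.host} (${d.ip})`;
    if (ev.policy === "create_child_process") return `${d.path} ${(d.arguments || []).join(" ")}`;
    return String(d.path); // read_write_tmp and read_handler log only a path
}

// Group events by policy and mode. In "alert" mode the action was logged but
// not stopped, so those groups are marked enforced: false for review first.
function summarize(lines) {
    const groups = {};
    for (const line of lines) {
        const ev = parseShieldEvent(line);
        if (!ev) continue;
        const key = `${ev.policy}/${ev.mode}`;
        groups[key] = groups[key] || { count: 0, enforced: ev.mode === "block", targets: [] };
        groups[key].count += 1;
        const target = describeTarget(ev);
        if (!groups[key].targets.includes(target)) groups[key].targets.push(target);
    }
    return groups;
}

// Constructed sample lines (values modelled on the log examples above).
const SAMPLE_LINES = [
    'START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST',
    '{"details":{"host":"microsoft.com","ip":"13.77.161.179"},"function_shield":true,"timestamp":"2019-06-19T09:08:00.455144Z","policy":"outbound_connectivity","mode":"alert"}',
    '{"details":{"arguments":["uname","-a"],"path":"/bin/uname"},"function_shield":true,"timestamp":"2019-06-19T09:08:00.469822Z","policy":"create_child_process","mode":"block"}',
    '{"details":{"path":"/tmp/block"},"function_shield":true,"timestamp":"2019-06-19T09:08:00.422553Z","policy":"read_write_tmp","mode":"block"}',
    '{"details":{"path":"/tmp/block"},"function_shield":true,"timestamp":"2019-06-19T09:08:01.000000Z","policy":"read_write_tmp","mode":"block"}',
    '{"level":"info","msg":"application log, not a FunctionShield event"}',
];
console.log(JSON.stringify(summarize(SAMPLE_LINES), null, 2));
```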

    Reconfiguring FunctionShield

    FunctionShield.configure can be called multiple times to temporarily disable one of the policies.

    Note that any subsequent call to FunctionShield.configure must include an additional parameter, cookie (the value returned by the first call, as in the example below).

    const FunctionShield = require("@puresec/function-shield");
    const got = require("got");
    // The first call returns a cookie that must accompany later policy changes.
    const cookie = FunctionShield.configure({
        policy: {
            outbound_connectivity: "block",
            read_write_tmp: "block",
            create_child_process: "block",
            read_handler: "block"
        },
        token: process.env.FUNCTION_SHIELD_TOKEN
    });

    exports.hello = async (event) => {
        // ...
        // Temporarily allow outbound traffic for one trusted request.
        FunctionShield.configure({
            cookie: cookie,
            policy: {
                outbound_connectivity: "allow"
            }
        });

        let response;
        try {
            response = await got("https://api.company.com/users");
        } finally {
            // Restore blocking even if the request throws.
            FunctionShield.configure({
                cookie: cookie,
                policy: {
                    outbound_connectivity: "block"
                }
            });
        }
        // ...
    };

    Custom Security Policy (whitelisting)

    Custom security policy is only supported with the PureSec SSP full product.

    Get PureSec

    Weekly downloads: 1,651
    Version: 2.0.16
    License: CC-BY-ND-4.0
    Unpacked size: 408 kB
    Total files: 3
