Use custom runtime container images to protect AWS Lambda functions packaged as container images
AWS Lambda enables Lambda functions to be packaged and deployed as container images. Application Security provides custom protection images that can be leveraged to protect Lambda functions packaged as container images.
Adding protection to your functions packaged as container images is simple: use Application Security's custom runtime container image as the base image for your container image, and provide the configuration through environment variables.
Leverage the custom protection images with Python functions
Assume the following function code is part of a container image package.
app.py
```python
# import ...
def handler(event, context):
    # Your function handler code here
    pass
```
To protect the function packaged as a container image, use Application Security's custom runtime container image as the base image for the function image. For example, the Dockerfile for creating the container image with the function code would be:
Dockerfile
```dockerfile
FROM public.ecr.aws/cloudone_application_security/lambda-python:3.7.10-9
# ...
COPY app.py .
# ...
CMD ["app.handler"]
```
Leverage the custom protection images with Node.js functions
Assume the following function code is part of a container image package.
app.js
```javascript
// ...
exports.handler = async (event, context) => {
  // Implement code here
  return response;
};
```
To protect the function packaged as a container image, use Application Security's custom runtime container image as the base image for the function image. For example, the Dockerfile for creating the container image with the function code would be:
Dockerfile
```dockerfile
FROM public.ecr.aws/cloudone_application_security/lambda-node:12.22.1-9
# ...
COPY app.js package.json ./
RUN npm install
# ...
CMD ["app.handler"]
```
The Application Security protection base container images are available from the AWS ECR Public Gallery, in the repositories lambda-node and lambda-python.
To view the list of all available base images:
search for: lambda-node or lambda-python
The following table lists the programming languages for which Application Security base images are available:
Programming language | Base image location |
---|---|
Python | https://gallery.ecr.aws/cloudone_application_security/lambda-python |
Node.js | https://gallery.ecr.aws/cloudone_application_security/lambda-node |
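A build pipeline can verify that a function's Dockerfile really ends up on one of these base images, including in multi-stage builds where an earlier stage uses the protection image but the final stage does not. The following check is an added example, not part of the original page or of Application Security; the function names and the sample Dockerfile are assumptions made for illustration.

```python
import re
# Repositories named on this page; everything else here is an added illustration.
APPROVED_REPOS = (
    "public.ecr.aws/cloudone_application_security/lambda-python",
    "public.ecr.aws/cloudone_application_security/lambda-node",
)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)

def final_base_image(dockerfile_text):
    """Return the external image the last build stage is ultimately based on."""
    stages, last = {}, None  # stages: alias -> resolved external image
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        # "FROM build" names an earlier stage, so follow it to the real image.
        last = stages.get(m.group("image").lower(), m.group("image"))
        if m.group("alias"):
            stages[m.group("alias").lower()] = last
    return last

def check_dockerfile(dockerfile_text):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    image = final_base_image(dockerfile_text)
    if image is None:
        return ["no FROM instruction found"]
    name, _, digest = image.partition("@")
    slash, colon = name.rfind("/"), name.rfind(":")
    # A ':' before the last '/' is a registry port, not a tag.
    repo, tag = (name[:colon], name[colon + 1:]) if colon > slash else (name, "")
    findings = []
    if repo not in APPROVED_REPOS:
        findings.append(f"final stage uses {image}, not a protection base image")
    if not digest and tag in ("", "latest"):
        findings.append(f"{image} is not pinned to a version tag or digest")
    return findings

# Constructed sample: a multi-stage build whose final stage drops the protection image.
SAMPLE = """\
FROM public.ecr.aws/cloudone_application_security/lambda-node:12.22.1-9 AS deps
RUN npm install
FROM node:latest
COPY --from=deps /var/task ./
"""
if __name__ == "__main__":
    print(check_dockerfile(SAMPLE) or "ok")
```

The check does not expand `ARG` variables in `FROM` lines, so a parameterised base image is reported as unapproved and needs manual review.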
Once your container image is created, you can deploy it with AWS Lambda. When deploying the container image, you must provide the required configuration so that the Application Security protection container image can connect to the Application Security service. Refer to Configuration Options for Application Security runtime protection.