Use custom runtime container images to protect AWS Lambda functions packaged as container images

AWS Lambda enables Lambda functions to be packaged and deployed as container images. Application Security provides custom protection images that can be leveraged to protect Lambda functions packaged as container images.

Adding protection to your functions packaged as container images is simple: you just need to use Application Security's custom runtime container images as the base image for your container image, and provide the environment variables configuration.

Leverage the custom protection images with Python functions

Assume the following function code is part of a container image package.

app.py

import ...


def handler(event, context):
    <Your function handler code here>

To use Application Security's protection for a function packaged as a container image, use Application Security's custom runtime container image as the base image for the function image. For example, the Dockerfile for creating the container image with the function code would be:

Dockerfile

FROM public.ecr.aws/cloudone_application_security/lambda-python:3.7.10-9
...
COPY app.py .
...
CMD ["app.handler"]

Leverage the custom protection images with Node.js functions

Assume the following function code is part of a container image package.

app.js

...
exports.handler = async (event, context) => {
    // Implement code here
    return response;
};

To use Application Security's protection for a function packaged as a container image, use Application Security's custom runtime container image as the base image for the function image. For example, the Dockerfile for creating the container image with the function code would be:

Dockerfile

FROM public.ecr.aws/cloudone_application_security/lambda-node:12.22.1-9
...
COPY app.js package.json ./
RUN npm install
...
CMD ["app.handler"]

The Application Security protection base container images are available from the AWS ECR Public Gallery, in the repositories lambda-node and lambda-python.

To view the list of all available base images, go to https://gallery.ecr.aws/ and search for lambda-node or lambda-python.

The following table lists the programming languages for which Application Security base images are available:

Programming language   Base image location
Python                 https://gallery.ecr.aws/cloudone_application_security/lambda-python
Node.js                https://gallery.ecr.aws/cloudone_application_security/lambda-node
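
As an added example (not Trend Micro's or AWS's code), the following Python check can run in CI to confirm that a function's Dockerfile builds its final stage on one of the protection base images from the table above. It goes beyond the single-stage Dockerfiles shown on this page by following multi-stage aliases; the function names, the sample Dockerfiles, and the rule rejecting an untagged or latest base image are assumptions of this example.

```python
import re

# Repositories listed in the page's base-image table.
PROTECTED_REPOS = (
    "public.ecr.aws/cloudone_application_security/lambda-python",
    "public.ecr.aws/cloudone_application_security/lambda-node",
)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--\S+\s+)*(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.I)

def final_base_image(dockerfile_text):
    """Return the external image that the last build stage is based on."""
    stages, resolved = {}, None  # stages: alias -> external image it resolves to
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            # "FROM <alias>" reuses an earlier stage, so follow it to its base.
            resolved = stages.get(m["image"].lower(), m["image"])
            if m["alias"]:
                stages[m["alias"].lower()] = resolved
    return resolved

def check_protected_base(dockerfile_text):
    """Return (ok, reason); only the final stage ends up in the deployed image."""
    image = final_base_image(dockerfile_text)
    if image is None:
        return False, "no FROM instruction found"
    repo, _, tag = image.split("@", 1)[0].partition(":")
    if repo not in PROTECTED_REPOS:  # also rejects unresolved ${ARG} references
        return False, f"final stage is based on {image}, not a protection image"
    if "@" not in image and tag in ("", "latest"):  # assumed pinning policy
        return False, f"{repo} is not pinned to a specific tag"
    return True, f"final stage uses {image}"

# Constructed samples (not from the page): protected via alias, then unprotected.
PROTECTED = """\
FROM --platform=linux/amd64 public.ecr.aws/cloudone_application_security/lambda-python:3.7.10-9 AS base
FROM base
CMD ["app.handler"]
"""
UNPROTECTED = """\
FROM public.ecr.aws/cloudone_application_security/lambda-node:12.22.1-9 AS deps
RUN npm install
FROM public.ecr.aws/lambda/nodejs:12
CMD ["app.handler"]
"""

if __name__ == "__main__":
    for text in (PROTECTED, UNPROTECTED):
        print(check_protected_base(text))
```

The second sample fails because the protection image appears only in an intermediate stage, so the image actually deployed to Lambda would run without protection.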

Once your container image is created, you can deploy it with AWS Lambda. When deploying the container image, you must provide the required configuration so that the Application Security protection container image can connect to the Application Security service. Refer to Configuration Options for Application Security runtime protection.