Use Application Security layer to protect AWS Lambda functions

Application Security provides security layers for protecting AWS lambda functions. The security layers includes all the security controls for Lambda functions self protection.

This is supported only by Python and Node.js programming languages.

Adding protection to your Lambda function is simple and only requires adding the Application Security layer and adding the required configuration for the handler and the security layer. The installation and configuration are dependant on the function programming language and on the version of Amazon Linux.

Configuring the protection layer in AWS Lambda

  1. In your AWS account, go to Lambda > Functions and select the function you'd like to protect.
  2. In the Function Overview, select Layers to be taken to the layers configuration view.
  3. Select Add layer. On the Choose a layer view, select Specify an ARN. Specify the Application Security protection layer ARN in the text box Specify an ARN. Find the appropriate ARN in Python layers for AWS Lambda or NodeJS layers for AWS Lambda. Screenshot
  4. Configure the required Runtime:
    • From the function overview, scroll to the Runtime settings panel, then select Edit, then select the required Runtime from the menu. Note that the layer and runtime selected must be the ones related to the function's programming language. Screenshot

The configuration to enable the security layer and for the handler, depend on the function programming language and the Amazon Linux version.

Configuring the handler for Python 3.8 on Amazon Linux 2

To configure the handler, when using python 3.8 on Amazon Linux 2, set the following environment variable to the given value:

AWS_LAMBDA_EXEC_WRAPPER=/opt/trend_app_protect
The value to configure in the Handler text box depends on the programming language, the filename and the function name. For python the handler is set to <filename>.<function name>. Refer to AWS' documentation for more details.

Configuring the handler when using Python version prior to 3.8, on Amazon Linux

When running Python 3.7 on Amazon Linux, the handler needs to be set up to call the Application Security handler, which in turn will call your function handler. Do the following: 1- set the handler to trend_app_protect_handler.handler 2- set the environment variable to your function handler:

TREND_AP_HANDLER=<filename>.<function name>

Configuring the handler for any versions of NodeJS

To configure the handler, when using any versions of NodeJS, set the following environment variable:

AWS_LAMBDA_EXEC_WRAPPER=/opt/trend_app_protect
The value to configure in the Handler text box depends on the programming language, the filename and the function name. For NodeJS the handler is set to <filename>.<name of the exported handler module>. Refer to AWS' documentation for more details.

  1. In order for the Application Security layer to protect your function, the Application Security group Key and Secret need to be configured as environment variables, for your function. In the Environment variables section, enter the values as seen in the below screenshot. Screenshot

To find your Application Security group Key and Secret, go to the Application Security dashboard and navigate to your group's setting page. The Key and Secret are displayed under Group Credentials.

Amazon Resource Names (ARNs)

The Application Security protection layer is available in multiple AWS regions.

The protection layer ARN depends on the lambda function programming language and the language version. The ARN structure for the protection layer is:

arn:aws:lambda:<aws region>:800880067056:layer:CloudOne-ApplicationSecurity-<language>:<layer version>
- aws region = eu-north-1, ap-south-1, eu-west-1, eu-west-2, eu-west-3, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1, ca-central-1, eu-central-1, us-east-1, us-east-2, us-west-1, or us-west-2

Languages versions for AWS Lambda protection layer

Language Layer Version Description
python 1 For python 3.7 and 3.8
nodejs10_x 1 For NodeJS 10
nodejs12_x 1 For NodeJS 12
nodejs14_x 1 For NodeJS 14

For example: If a lambda function is deployed in region us-east-1 and implemented with Python 3.7, the ARN is:

arn:aws:lambda:us-east-1:800880067056:layer:CloudOne-ApplicationSecurity-python:1

Additional configuration for Lambda on AWS official runtimes

When using the Application Security protection layer, some additional configuration needs to be set as environment variables. Add the following in addition to the TREND_AP_KEY and TREND_AP_SECRET

Screenshot

TREND_AP_KEY: < key from Application Security Dashboard >
TREND_AP_SECRET: < secret from Application Security Dashboard >
TREND_AP_READY_TIMEOUT: 30
TREND_AP_TRANSACTION_FINISH_TIMEOUT: 10
TREND_AP_MIN_REPORT_SIZE: 1
TREND_AP_INITIAL_DELAY_MS: 1
TREND_AP_MAX_DELAY_MS: 100
TREND_AP_HTTP_TIMEOUT: 5
TREND_AP_PREFORK_MODE: False
TREND_AP_CACHE_DIR: /tmp/trend_cache
TREND_AP_LOG_FILE: STDERR

For more information about configuring environment variables, see Environment variables.