Securing AWS Lambda functions powered by Gravitron2 with Check Point CloudGuard Workload Protection

Amazon Web Services just launched support for AWS Lambda Functions powered by AWS Graviton2 processors built using 64-bit Arm Neoverse cores to deliver the best price performance for your cloud serverless workloads. This will allow customers using Amazon Web Services to not only have a broad and in depth set of compute resources but now a more optimized performance experience, and cost effectiveness. For developers, AWS Graviton2 processors enables running new applications at scale.

Graviton/ARM is a newly supported architecture for AWS Lambda functions, and Check Point CloudGuard seamlessly integrates into this environment to provide threat prevention during CI/CD through runtime.  With this integration, CloudGuard will actively protect the serverless functions, while enjoying improved performance of the Graviton2 environment. We’ve optimized the Function Self Protect layer within CloudGuard Workload Protection to run in the Graviton2 environment thereby taking advantage of all performance and cost benefits the Graviton2 environment affords.  The bottom line for customers using Cloud Guard for real-time protection of  AWS Lambda serverless apps running on Graviton2 is a 34% overall improvement in performance/price.

CloudGuard provides a comprehensive, unified view of your entire serverless ecosystem (functions, triggers, third party libraries, etc.) via the intuitive CloudGuard interface.

During runtime, the Function-Self-Protection (FSP) layer detects and blocks OWASP TOP 10 attacks at the function level, like injection, broken authentication, and sensitive data exposure. Utilizing machine based analysis and deep learning algorithms, CloudGuard builds a model of normal application and function behavior, including automatic creation of a white list of actions on a resource level. You can further define custom policies and enforce behavior on a per function level. This level of function self-protection allows for the processing to only focus on the active functions being triggered, not the entire application which helps both lower cost and improve performance.

Furthermore, CloudGuard continuously scans your serverless functions, code, and runtime environment. CloudGuard protection wraps around the serverless function itself, analyzing the application code before and after deployment for continuous security posture. This then allows for application hardening, minimizes the attack surface, and blocks attacks for that function.

CloudGuard’s breakthrough Deep Code Flow Analysis technology detects configuration risks, including overly permissive roles.

CloudGuard automatically generates least-privilege function permissions by statically analyzing the code to include permissions that have explicit paths and are required. Customers can apply The Suggested Role Remediation directly by copy/pasting into the IAM policy.

The solution also clearly outlines recommended steps for remediation, enabling you to drive remediation of security posture at scale. In addition, CloudGuard detects and alerts on configuration issues, such as over provisioned function timeout configurations. It will continuously scan your functions for known vulnerabilities and embedded secrets ensuring your applications are protected from attacks.

Through the integration of CloudGuard with AWS Lambda hosted on AWS Gravitron2, customers maintain Check Point security for their Lambda Arm-based functions while enjoying  34% price performance improvement over x86-based functions.  For a free serverless security trial for AWS, visit here.