FunctionShield

Serverless Security Library for Developers. Regain Control over Your Serverless Runtime.

How Does FunctionShield Help with Serverless Security?

  • By monitoring (or blocking) outbound network traffic from your function, you can be certain that your data is never leaked

  • By disabling read/write operations on the /tmp/ directory, you can make your function truly ephemeral

  • By disabling the ability to launch child processes, you can make sure that no rogue processes are spawned without your knowledge by potentially malicious packages

  • By disabling the ability to read the function’s (handler) source code through the file system, you can prevent handler source code leakage, which is oftentimes the first step in a serverless attack

Supports AWS Lambda and Google Cloud Functions

Get a free token

Please visit: https://www.puresec.io/function-shield-token-form

Install

$ pip install function-shield

Super simple to use

import os

import function_shield

# Configure once at module load, before any handler code runs
function_shield.configure({
    "policy": {
        # "block" mode => active blocking
        # "alert" mode => log only
        # "allow" mode => allowed, implicitly occurs if key does not exist
        "outbound_connectivity": "block",
        "read_write_tmp": "block",
        "create_child_process": "block",
        "read_handler": "block"
    },
    # Token is read from the function's environment, not hard-coded
    "token": os.environ["FUNCTION_SHIELD_TOKEN"]
})

def handler(event, context):
    # Your Code Here #
    pass

Logging & Security Visibility

FunctionShield logs are sent directly to your function’s AWS CloudWatch log group. Here are a few sample logs, demonstrating the log format you should expect:

// Log example #1:
{
    "details": {
        "host": "microsoft.com",
        "ip": "13.77.161.179"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.455144Z",
    "policy": "outbound_connectivity",
    "mode": "block"
}

// Log example #2:
{
    "details": {
        "path": "/tmp/block"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.422553Z",
    "policy": "read_write_tmp",
    "mode": "block"
}

// Log example #3:
{
    "details": {
        "arguments": [
            "uname",
            "-a"
        ],
        "path": "/bin/uname"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.469822Z",
    "policy": "create_child_process",
    "mode": "block"
}

// Log example #4:
{
    "details": {
        "path": "/var/task/handler.py"
    },
    "function_shield": true,
    "timestamp": "2019-06-19T09:08:00.433942Z",
    "policy": "read_handler",
    "mode": "block"
}
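A triage sketch for the log format shown above, added here as an example and not part of the FunctionShield library. It assumes each event reaches the log stream as one JSON object on a single line, possibly after a text prefix; the function names and the sample lines are constructed for illustration.

```python
import json
from collections import Counter

POLICIES = {"outbound_connectivity", "read_write_tmp",
            "create_child_process", "read_handler"}

def parse_events(lines):
    """Yield FunctionShield events from raw log lines, skipping everything else."""
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # e.g. START/END/REPORT lines
        try:
            obj = json.loads(line[start:])
        except ValueError:
            continue  # not JSON, or truncated
        if (isinstance(obj, dict) and obj.get("function_shield") is True
                and obj.get("policy") in POLICIES):
            yield obj

def describe(event):
    """Summarise the policy-specific "details" object as one string."""
    d = event.get("details", {})
    if event["policy"] == "outbound_connectivity":
        return f'{d.get("host")} ({d.get("ip")})'
    if event["policy"] == "create_child_process":
        return " ".join(d.get("arguments", [])) or d.get("path", "")
    return d.get("path", "")

def triage(lines):
    """Return (counts per (policy, mode), events logged in "alert" mode).

    "alert" is log-only, so those actions were NOT stopped and need review.
    """
    counts, not_blocked = Counter(), []
    for ev in parse_events(lines):
        counts[(ev["policy"], ev.get("mode"))] += 1
        if ev.get("mode") == "alert":
            not_blocked.append((ev.get("timestamp"), ev["policy"], describe(ev)))
    return counts, sorted(not_blocked)

# Constructed sample lines (not real logs), modelled on the examples above
SAMPLE = [
    'START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST',
    '{"details": {"host": "example.com", "ip": "192.0.2.10"}, "function_shield": true, "timestamp": "2019-06-19T09:08:00.455144Z", "policy": "outbound_connectivity", "mode": "alert"}',
    '{"details": {"path": "/tmp/block"}, "function_shield": true, "timestamp": "2019-06-19T09:08:00.422553Z", "policy": "read_write_tmp", "mode": "block"}',
    '{"details": {"arguments": ["uname", "-a"], "path": "/bin/uname"}, "function_shield": true, "timestamp": "2019-06-19T09:08:00.469822Z", "policy": "create_child_process", "mode": "alert"}',
    '{"level": "info", "msg": "application log line"}',
]
```

Calling triage(SAMPLE) returns the per-policy counts and the two alert-mode events, which are the ones that were logged but allowed to proceed.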

Reconfiguring FunctionShield

function_shield.configure can be called multiple times to temporarily disable one of the policies.

Note that you need to add an additional parameter cookie to any subsequent call to function_shield.configure.

import os

import function_shield
import requests

# The initial call returns a cookie that authorizes later policy changes
cookie = function_shield.configure({
    "policy": {
        "outbound_connectivity": "block",
        "read_write_tmp": "block",
        "create_child_process": "block",
        "read_handler": "block"
    },
    "token": os.environ["FUNCTION_SHIELD_TOKEN"]
})

def handler(event, context):
    ...
    # Temporarily allow outbound traffic for this one request
    function_shield.configure({
        "cookie": cookie,
        "policy": {
            "outbound_connectivity": "allow"
        }
    })

    try:
        r = requests.get("https://api.company.com/users")
    finally:
        # Restore blocking even if the request raises
        function_shield.configure({
            "cookie": cookie,
            "policy": {
                "outbound_connectivity": "block"
            }
        })
    ...

Custom Security Policy (whitelisting)

Custom security policy is only supported with the PureSec SSP full product.


Source Distribution

function-shield-2.0.16.tar.gz (72.0 kB view details)

Uploaded Source

File details

Details for the file function-shield-2.0.16.tar.gz.

File metadata

  • Download URL: function-shield-2.0.16.tar.gz
  • Upload date:
  • Size: 72.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.15.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/20.7.0 requests-toolbelt/0.9.1 tqdm/4.36.1 CPython/3.5.2

File hashes

Hashes for function-shield-2.0.16.tar.gz
Algorithm Hash digest
SHA256 ddf229c042ff787c4905884e37e39a9a9e50b3e36a3b39d7c5acc141964968fd
MD5 d6e1f58b3e830b16490efb8054b0d425
BLAKE2b-256 904539478cabcfaeea7c4bd38df028d15cccdb09182f28e9b0e2a9a0d63b37e5
