Metadata-Version: 2.0
Name: function-shield
Version: 1.1.2
Summary: UNKNOWN
Home-page: UNKNOWN
Author: PureSec
Author-email: support@puresec.io
License: UNKNOWN
Platform: UNKNOWN
Description-Content-Type: text/markdown


# FunctionShield

> AWS Lambda Security Library for Developers. Regain Control over Your Serverless Runtime.

## How Does FunctionShield Help with AWS Lambda Security?
* By monitoring (or blocking) outbound network traffic from your function, you can be certain that your data is never leaked
* By disabling read/write operations on the /tmp/ directory, you can make your function truly ephemeral
* By disabling the ability to launch child processes, you can make sure that no rogue processes are spawned without your knowledge by potentially malicious packages
* By disabling the ability to read the function's (handler) source code through the file system, you can prevent handler source code leakage, which is oftentimes the first step in a serverless attack 

## Get a free token

Please visit: https://www.puresec.io/function-shield-token-form

## Install

```sh
$ pip install function-shield
```

## Super simple to use

```python
import os  # needed for os.environ below

import function_shield

function_shield.configure({
    "policy": {
        # 'block' mode => active blocking
        # 'alert' mode => log only
        # 'allow' mode => allowed, implicitly occurs if key does not exist
        "outbound_connectivity": "block",
        "read_write_tmp": "block",
        "create_child_process": "block",
        "read_handler": "block"
    },
    "token": os.environ['FUNCTION_SHIELD_TOKEN']
})

def handler(event, context):
    # Your Code Here #
    pass
```

## Logging & Security Visibility
FunctionShield logs are sent directly to your function's AWS CloudWatch log group.
Here are a few sample logs, demonstrating the log format you should expect:
```js
// Log example #1:
{
    "function_shield": true,
    "policy": "outbound_connectivity",
    "details": {
        "host": "google.com"
    },
    "mode": "alert"
}

// Log example #2:
{
    "function_shield": true,
    "policy": "read_write_tmp",
    "details": {
        "path": "/tmp/node-alert"
    },
    "mode": "alert"
}

// Log example #3:
{
    "function_shield": true,
    "policy": "create_child_process",
    "details": {
        "path": "/bin/sh"
    },
    "mode": "block"
}

// Log example #4:
{
    "function_shield": true,
    "policy": "read_handler",
    "details": {
        "path": "/var/task/handler.js"
    },
    "mode": "alert"
}
```
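
The following is an added example, not part of FunctionShield or PureSec's code: it filters FunctionShield events out of a function's log messages and lists what was seen in `alert` mode, which is what a switch to `block` would start denying. The function names are hypothetical, the sample messages are constructed from the log format above, and it assumes each event arrives as a single-line JSON message.

```python
import json
from collections import defaultdict

# Constructed sample CloudWatch messages (not real logs); they follow the
# FunctionShield log format shown above, mixed with ordinary Lambda output.
SAMPLE_MESSAGES = [
    'START RequestId: 00000000-0000-0000-0000-000000000000 Version: $LATEST',
    '{"function_shield": true, "policy": "outbound_connectivity", "details": {"host": "google.com"}, "mode": "alert"}',
    '{"function_shield": true, "policy": "read_write_tmp", "details": {"path": "/tmp/node-alert"}, "mode": "alert"}',
    '{"function_shield": true, "policy": "create_child_process", "details": {"path": "/bin/sh"}, "mode": "block"}',
    '{"level": "info", "msg": "application log line"}',
    '{"function_shield": true, "policy": "outbound_connectivity", "details": {"host": "google.com"}, "mode": "alert"}',
    '{"function_shield": true, "policy": "read_handler", "details": {"path": "/var/task/handler.js"}',  # truncated
]


def parse_event(message):
    """Return the FunctionShield event in a log message, or None."""
    try:
        record = json.loads(message)
    except ValueError:
        return None  # plain-text or truncated line
    if not isinstance(record, dict) or record.get("function_shield") is not True:
        return None  # valid JSON, but not a FunctionShield event
    return record if isinstance(record.get("details"), dict) else None


def summarize(messages):
    """Count events per (policy, mode, target); target is the host or path."""
    counts = defaultdict(int)
    for message in messages:
        event = parse_event(message)
        if event is None:
            continue
        details = event["details"]
        target = details.get("host") or details.get("path") or "<unknown>"
        counts[(event.get("policy"), event.get("mode"), target)] += 1
    return dict(counts)


def alert_only_targets(messages):
    """Targets seen in 'alert' mode: what 'block' would start denying."""
    return sorted({(p, t) for (p, m, t) in summarize(messages) if m == "alert"})


if __name__ == "__main__":
    for policy, target in alert_only_targets(SAMPLE_MESSAGES):
        print(policy, target)
```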

## Custom Security Policy (whitelisting)
Custom security policy is only supported with the PureSec SSRE full product.

[Get PureSec](https://www.puresec.io/product)


