1

I'm trying to implement a custom AWS Lambda layer in order to use it with my functions.
It should be a simple layer that gets some parameter from ssm and initialize puresec's function_shield for protection of my services.
The code looks more less like this:

import os
import boto3
import function_shield as shield


STAGE = os.environ['stage']
REGION = os.environ['region']
PARAMETERS_PREFIX = os.environ['parametersPrefix']


class ParameterNotFoundException(Exception):
    pass


session = boto3.session.Session(region_name=REGION)
ssm = session.client('ssm')

# function_shield config
parameter_path = f"/{PARAMETERS_PREFIX}/{STAGE}/functionShieldToken"

try:
    shield_token = ssm.get_parameter(
        Name=parameter_path,
        WithDecryption=True,
    )['Parameter']['Value']

except Exception:
    raise ParameterNotFoundException(f'Parameter {parameter_path} not found.')


policy = {
    "outbound_connectivity": "block",
    "read_write_tmp": "block",
    "create_child_process": "block",
    "read_handler": "block"
}


def configure(p):
    """
    update function_shield policy
    :param p: policy dict
    :return: null
    """
    policy.update(p)
    shield.configure({"policy": policy, "disable_analytics": True, "token": shield_token})


configure(policy)

I want to be able to link this layer to my functions for it to be protected in runtime.
I'm using the serverless framework, and it seems like my layer was deployed just fine, as it was with my example function. Also, the AWS console shows me that the layer was linked in my function.

I named my layer 'shield' and tried to import it by its name on my test function: 

import os
import shield


def test(event, context):
    shield.configure(policy)  # this should be reusable for easy tweaking whenever I need to give more or less permissions to my lambda code.
    os.system('ls')

    return {
        'rep': 'ok'
    }

Ideally, I should get and error on CloudWatch telling me that function_shield has prevented a child_process from running, however I instead receive an error telling me that there is no 'shield' declared on my runtime.

What am I missing? I couldn't find any custom code examples being used for layers apart from numpy, scipy, binaries, etc.

I'm sorry for my stupidity...
Thanks for your kindness!

Improve this question

1 Answer 1

Reset to default
2

You also need to name the file in your layer shield.py so that it's importable in Python. Note it does not matter how the layer itself is named. That's a configuration in the AWS world and has no effect on the Python world.

What does have an effect is the structure of the layer archive. You need to place the files you want to import into a python directory, zip it and use that resulting archive as a layer (I'm pressuming serverless framework is doing this for you).

In the Lambda execution environment, the layer archive gets extracted into /opt, but it's only /opt/python that's declared in the PYTHONPATH. Hence the need for the "wrapper" python directory.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.