Serverless Security

Secure serverless functions across the full application lifecycle.
Serverless Security Hero Front Image
Serverless Security Hero Back Image

Serverless functions are event driven code snippets running on completely managed infrastructure. This allows developers to focus purely on the code. However, these applications are still vulnerable to attacks and require purpose-built security.

Learn more about best practices for securing functions on AWS Lambda.

Serverless applications deserve serverless security

Prisma® Cloud is purpose-built to deliver full lifecycle serverless security for AWS Lambda, Azure Functions and Google Cloud Functions. Identify vulnerabilities and compliance violations during development, and protect running functions from nefarious activities as well as web application and API attacks.
  • Support for serverless across AWS, Azure and Google Cloud
  • Integrated security as part of the full application lifecycle
  • Visibility and protection across serverless environments
  • Vulnerability management
    Vulnerability management
  • Compliance
  • CI/CD and repository scanning
    CI/CD and repository scanning
  • Runtime visibility
    Runtime visibility
  • Runtime defense
    Runtime defense


Our approach to Serverless Security

Vulnerability management

Securing functions begins with understanding and controlling the vulnerabilities in packages being deployed and running. Prisma Cloud scans and continuously monitors functions for vulnerabilities. Start with integrated CI tooling and serverless repositories, and continue through runtime for a full lifecycle view.

  • Prioritize top vulnerabilities across functions

    Identify the highest priority vulnerabilities based on risk score and exposure across functions as well as Lambda Layers in your repository and runtime.

  • Leverage remediation guidance to patch quickly

    Vulnerabilities identified include package information and fix guidance.

  • Block functions that fail risk level

    Leverage CI integrations and runtime protections to fail builds and prevent deployments of functions with vulnerabilities that don’t meet your risk levels.

  • Continuously assess the posture of your repositories

    Get an up-to-date overview of the vulnerabilities in your functions as Prisma Cloud continuously scans repositories against our vulnerability database.

Vulnerability management

Function compliance

Serverless applications may not provide access to their underlying infrastructure, but there are still misconfigurations that can expose a function to attacks. Prisma Cloud identifies misconfigurations, including private keys stored in function zips or broad resource access, prior to and after deployment.

  • Reduce the attack surface

    Identify and remediate overly permissive and unused permissions and APIs to minimize ways for attackers to take advantage of functions.

  • Prevent misconfigured functions from deployment

    Scan serverless applications for misconfigurations in continuous integration builds and repositories to block misconfigured functions.

  • Refine the checks in place

    Enforce individual or group-based control over which compliance violations create an alert and which are blocked.

  • Identify compliance violations in production

    Aggregate and view all compliance violations across running functions in your environment.

Function compliance

CI/CD and repository scanning

Identifying security concerns as early as possible decreases the friction to get them addressed. Developers are notified about vulnerabilities and misconfigurations in their DevOps tooling, with remediation guidance, to harden and secure their functions.

  • Integrate with popular tooling

    Take advantage of vulnerability and compliance scanning through integrations with CI tools and for Git repositories.

  • Provide feedback and guardrails

    Set thresholds for alerting and blocking builds and deployments of functions with high-severity vulnerabilities and misconfigurations.

  • View posture and trends of built and stored functions

    Gain a comprehensive look at all builds over time, with risk prioritization based on risk scores and actual exposure.

  • Support for leading public cloud repositories

    Continuously monitor functions stored in repositories on AWS®, Azure® and Google Cloud.

CI/CD and repository scanning

Runtime visibility

Functions are event-driven and only start when triggered. Prisma Cloud identifies and automatically secures functions running in your cloud environments.

  • Visualize function triggers and permissions

    View related triggers and service permissions, such as API Gateways, CloudWatch and S3 buckets.

  • Automatically detect and protect serverless functions

    Automatically deploy an embedded agent as a function layer from the console or API.

  • View up-to-date vulnerability and compliance exposure

    Continuously scan active functions to surface risk-ranked vulnerabilities and misconfigurations.

Runtime visibility

Runtime defense

Serverless functions range from single-purpose to full web applications and are highly ephemeral. Prisma Cloud protects these environments with runtime protection and web application and API security from an embedded agent.

  • Monitor and trace anomalous events

    Easily harden your function runtime perimeter to alert or block on anomalous and known-bad events.

  • Customize allow and block lists

    Create allow and block lists for processes, networking and file system behavior based on Prisma defaults or function-specific settings.

  • Get serverless Web Application and API Security

    Use the same agent that identifies runtime events to protect against web application and API attacks.

  • Centralize security controls across application types

    Gain a unified platform to secure serverless functions and container-based applications, simplifying the security of diverse environments.

Runtime defense
Prisma Cloud
Prisma Cloud
Prisma® Cloud is the industry’s most complete Cloud Native Application Protection Platform (CNAPP), with the industry’s broadest security and compliance coverage—for infrastructure, workloads, and applications, across the entire cloud native technology stack—throughout the development lifecycle and across hybrid and multicloud environments.

Cloud Workload Protection modules


Secure virtual machines (VMs) on any public or private cloud.


Secure Kubernetes and other container platforms on any public or private cloud.


Secure serverless functions across the full application lifecycle.


Protect against Layer 7 and OWASP Top 10 threats in any public or private cloud.

Featured Resources

Get more insight into what Prisma Cloud can do for your business