Teri Radichel

Custom Bash Runtime for Lambda Container

ACM.305 Using AWS base images for a container that runs a custom Lambda runtime

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Lambda | Container Security | Application Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post, I explained what Lambda custom runtimes are and why you might need one. I took a look at a tutorial AWS provided and how we might need to alter it to run in a container.

In this post, I’m going to try to greatly simplify the container we’ve been testing. I’m going to reduce the attack surface and pull the base image from the AWS provided images. We can remove a lot of extraneous libraries.

Let’s do it!

AWS provided base container images for Lambda custom runtimes

First of all, I’m going to change the image from Alpine Linux to an AWS provided image. The reasons for this include:

  • Pull the image from a vendor supported ECR registry.
  • Hopefully the AWS supported images will work well with Lambda.

You can find a list of the AWS provided images here:

The documentation says to use the al2 version for custom runtimes, and it includes the AWS Runtime Interface Emulator so we don’t have to add it in via a call over the Internet to GitHub.

We can search for al2-arm and there’s one available image.

However, searching for al2.2023 we can find a newer version that uses Amazon Linux 2023. This newer version is supposed to have some security benefits, so let’s try that.

Simplifying the Dockerfile

Now the Dockerfile becomes a lot simpler, because we don’t have to build a runtime or pull down the runtime interface emulator. I’ve changed the “app” directory to “function” which makes more sense to me.

Bash runtime code

I’m going to copy the bash runtime client code into the entry.sh file with a few changes. I hardcoded the handler file for now to avoid any confusion. The original code computed the handler name from values set elsewhere; I just want to make sure the correct code runs here.
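As an added example (not the code from this post or from the AWS tutorial), here is one way to write the entry.sh runtime loop with the handler path hardcoded and the error reporting the post notes is still missing. It assumes /function/handler.sh defines a shell function named handler, and it uses the Runtime API paths and the Lambda-Runtime-Aws-Request-Id header from the AWS custom runtime documentation.

```shell
#!/bin/sh
# entry.sh: custom bash runtime loop for the Lambda container (added example, not the post's code).
# Assumption: /function/handler.sh defines a shell function named "handler".
set -eu

HANDLER_FILE="${HANDLER_FILE:-/function/handler.sh}"  # hardcoded path; overridable for local tests
RUNTIME_API="${AWS_LAMBDA_RUNTIME_API:-}"            # set by Lambda and by the Runtime Interface Emulator
API="http://${RUNTIME_API}/2018-06-01/runtime"       # Runtime API base path from the AWS custom runtime docs

# Build the JSON body the Runtime API expects on its /error endpoints,
# escaping only the characters that would break the JSON string.
error_payload() {
  msg=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g' | tr '\n' ' ')
  printf '{"errorMessage":"%s","errorType":"%s"}' "$msg" "$1"
}

# Source the handler file and run handler() for one event in a subshell so a failing
# handler cannot kill the loop. Stdout is the response, stderr goes to the container
# log, and the exit status is the handler's own.
run_handler() {
  ( . "$1" && handler "$2" )
}

# Report one invocation's result, or its failure, back to the Runtime API.
post_result() {
  if output=$(run_handler "$HANDLER_FILE" "$2"); then
    curl -sS -X POST "$API/invocation/$1/response" -d "$output"
  else
    curl -sS -X POST "$API/invocation/$1/error" \
      -d "$(error_payload HandlerError "handler failed; partial output: $output")"
  fi
}

event_loop() {
  # A missing handler file is an initialization error, not an invocation error.
  if [ ! -f "$HANDLER_FILE" ]; then
    curl -sS -X POST "$API/init/error" -d "$(error_payload InitError "missing $HANDLER_FILE")"
    exit 1
  fi
  while true; do
    headers=$(mktemp)
    event=$(curl -sS -LD "$headers" "$API/invocation/next")   # blocks until the next event
    request_id=$(grep -Fi Lambda-Runtime-Aws-Request-Id "$headers" | tr -d '[:space:]' | cut -d: -f2)
    rm -f "$headers"
    post_result "$request_id" "$event"
  done
}

# Only enter the loop when a Runtime API address is present (inside Lambda or the emulator).
if [ -n "$RUNTIME_API" ]; then event_loop; fi
```

A handler that exits non-zero now produces a reported invocation error in CloudWatch instead of a silent hang, and the loop keeps serving the next event.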

Function code

I created the file /function/handler.sh and copied the function code from the tutorial in the last post into that file.

Build the docker image

Now this is odd. When I tried to pull the AWS image, it said my token was expired. I had to run this command to clear the token. I don’t recall pulling an AWS image.

docker logout public.ecr.aws

After doing that my build script worked.

./build.sh

Push the container to ECR

I pushed the container up to ECR as I showed in prior posts with my generic push script.

./push.sh

Test the Lambda function

We can’t test the Lambda function locally because I have not added code to trigger the Lambda Runtime Interface Emulator. I have to test the Lambda function after it’s been deployed to AWS.

Recall that we already deployed a Lambda function with CloudFormation that uses this container in ECR.

We can simply upload the new container, deploy the image, and retest.

I tested that Lambda function as explained in this post:

Well, this never happens. It worked on the first try. You can see in my function code above that it prints out “Echoing request” and then prints the values passed into the function.

I’m using the default test values:

There you go!

Well, we have some more work to do with this function, but that’s pretty cool. We should be able to add the code to clone the GitHub repository that I demonstrated in a prior post, and it should work, pending proper network configuration.

I’m curious if I can make it work with the Lambda Runtime Interface Emulator. Additionally, we’re missing some error handling among other things. But I think we can use this function to run bash scripts. Woot!

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity for Executives in the Age of Cloud
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Medium: Teri Radichel
❤️ Sign Up For Email
❤️ Twitter: @teriradichel
❤️ Mastodon: @[email protected]
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab