
Security Tab

The Security tab illustrates interactions between your Lambda function and external resources. In addition to this architectural view of your function, you can configure some security settings using the Security tab.

Users that have been designated with the Account Owner, Admin, or Developer role can configure security settings in this tab.

Security configurations are enabled only for accounts that have the CloudWatch integration. If you have not yet integrated CloudWatch with Thundra, you can find detailed information about integrating CloudWatch here.

A security configuration lets you manage your Lambda function's access to external resources. You can set up your security configuration in one of two ways:

  • Allowlist Resources

  • Blocklist Resources

Security Button

Click on the “Security” button located at the right-hand corner of the screen to configure your settings. After setting your configurations, you can edit or delete them using this button.

Security Configuration Options

Allowlist

Allowlist Configuration

You can allowlist the resources that your function is allowed to access, in order to restrict your Lambda function from reaching any other resources. While configuring an allowlist for your Lambda function, the resources and operations displayed on your architecture view are automatically added to the allowlist. If you want to add resources that do not appear in the architecture, click on the “Add Resources” button and fill in the required fields.

Blocklist

Blocklist Configuration

You can blocklist resources in order to prevent your Lambda function from accessing specific resources. Blocklisting a resource means that when your Lambda function tries to access that resource, this operation will violate your security configuration.

Add Allowlist/Blocklist Resources

Add new Allowlisted Resource
Add new Blocklisted Resource

Click on the “Configure your Security Settings” button and select a configuration option (allowlist/blocklist). Add the new item to your security configuration and fill in the following fields:

  • Resource Type - Select a resource type to allowlist/blocklist.

  • Resource Name - Enter the resource name(s) that you want to allowlist/blocklist. Press Enter after each name to add it to the list. Alternatively, you can include every resource name that belongs to the selected resource type by selecting ALL(*).

  • Operation - Select an operation to be allowlisted/blocklisted for the selected resources. You can allowlist/blocklist all operations for a resource by selecting ALL(*).

Security Actions

After selecting resources to be allowlisted or blocklisted, you need to set an action that defines what will happen when an event occurs that violates your configuration.

  • Allow and Notify Me: Operations that violate your security settings will be executed normally, but you will receive a notification for this event.

  • Block and Notify Me: Operations that violate your security settings will be blocked and not executed. Because the blocked operation never runs, this option can break your function's execution.
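To make the allowlist/blocklist matching and the two actions concrete, here is an added model of the evaluation described above. It is illustrative code written for this page, not Thundra's implementation or configuration format; the resource type and resource names it uses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

ALL = "*"  # stands for the ALL(*) choice in the resource name and operation fields


@dataclass
class Entry:
    """One allowlist/blocklist row: resource type, names (or ALL), operation (or ALL)."""
    resource_type: str
    resource_names: List[str]
    operation: str

    def matches(self, rtype: str, name: str, op: str) -> bool:
        return (self.resource_type == rtype
                and (ALL in self.resource_names or name in self.resource_names)
                and self.operation in (ALL, op))


@dataclass
class SecurityConfig:
    mode: str      # "allowlist" or "blocklist"
    action: str    # "allow" = Allow and Notify Me, "block" = Block and Notify Me
    entries: List[Entry] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)

    def violates(self, rtype: str, name: str, op: str) -> bool:
        listed = any(e.matches(rtype, name, op) for e in self.entries)
        # allowlist: unlisted access violates; blocklist: listed access violates
        return not listed if self.mode == "allowlist" else listed

    def evaluate(self, rtype: str, name: str, op: str) -> Tuple[bool, bool]:
        """Return (executed, notified) for one attempted access."""
        if not self.violates(rtype, name, op):
            return True, False
        self.notifications.append(f"{op} on {rtype}:{name} violated the {self.mode}")
        if self.action == "block":
            return False, True   # operation is not executed (can break the function)
        return True, True        # executed normally, but a notification is sent


def demo() -> dict:
    """Constructed scenario: allowlist seeded from an architecture view, Block and Notify Me."""
    cfg = SecurityConfig("allowlist", "block", [
        Entry("AWS-DynamoDB", ["orders-table"], "PutItem"),   # constructed names
        Entry("AWS-SQS", [ALL], ALL),
    ])
    return {
        "known_write": cfg.evaluate("AWS-DynamoDB", "orders-table", "PutItem"),
        "unlisted_op": cfg.evaluate("AWS-DynamoDB", "orders-table", "DeleteTable"),
        "any_queue": cfg.evaluate("AWS-SQS", "dead-letter", "SendMessage"),
        "notifications": list(cfg.notifications),
    }
```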

When a security configuration is set, an alert policy is created by default and is checked every minute. For configurations with the Allow and Notify Me action, alerts are throttled for 5 minutes. You can edit the alert policy name on the Alerts page. These alert policies notify you by email when your configuration has been violated.

If you want to use the security configuration for functions that don't have the AWS integration, or for containers and VMs, you can download the security parameters to your computer as base64 and assign that value to the environment variable called thundra_agent_lambda_trace_span_listenerConfig.

Edit/Delete a Security Configuration

When you want to edit a security configuration, hover your mouse over the lock icon on the Security tab and click on the “Edit” button. If any violation has occurred under your current security configuration, the lock icon is displayed in red.

If you selected the allowlist option with the "Allow and Notify Me" action and a violation occurred under that configuration, the newly seen resources are displayed highlighted with the "New" tag. Click “Save” to add them to the allowlist.

To change from allowlist to blocklist configuration or vice versa, you need to delete a configuration and add a new list. Hover your mouse over the Security icon on the Security tab, and click the trash icon to delete the configuration.

Architecture View

When any violation of a security configuration occurs within the selected time range, it is displayed on the architecture view of the Security tab.

Allowed Resource

If the Allow and Notify Me action is selected and a violation occurs for a resource, there will be a yellow block icon on the resource icon.

Blocked Resource

If the Block and Notify Me action is selected and a violation occurs for a resource, there will be a red block icon on the resource icon.