You have the option of establishing cross-account access to enable Snyk's AWS Lambda integration as a 1-click deployment. This option is available as an official AWS Quick Start and eliminates the need for manual configuration.
You will need your Snyk Organization ID and AWS IAM role ARN to complete the integration. The role ARN will be provided for you in the AWS CloudFormation Console's Output tab.
Configure the integration with these two parts:
Enable permissions from your AWS account
Configure the integration from your Snyk account
You must be the owner or an administrator of the Snyk account you’re integrating.
How it works
The user creates a policy-based role, called a Role ARN, in the format arn:aws:iam:::role/. The role enables read-only access to the user’s Lambda services. The user configures Snyk for integration with AWS Lambda using the credentials for the role they created.
The user requests to import functions to Snyk (for testing and monitoring).
Snyk evaluates the selected functions and imports them.
Snyk communicates directly with Lambda for each test it runs to determine exactly what code is currently deployed and what dependencies are being used. Each dependency is tested against Snyk’s vulnerability database to see if it contains any known vulnerabilities.
Based on your configuration, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate action to fix them.
Supported repos and languages
Snyk currently supports integration with AWS Lambda for Node, Ruby and Java projects.
Configure your integration with Snyk
Allow a few minutes for AWS to update the role on their servers.
From AWS, copy the Role ARN key that appears at the top of the Summary section (inside the Role area still; in the format arn:aws:iam:::role/). Save this value to paste in Snyk soon.
Navigate to Integrations from the menu bar at the top, find and click the AWS Lambda option:
The AWS Lambda configuration page in the Settings area loads, with the External ID value automatically populated for you based on the Snyk organization that you’re configuring.
Paste the Role ARN that you saved earlier into the ARN field.
Click Save. Snyk tests the connection values and the page reloads, now displaying AWS Lambda integration details as you entered them. A confirmation message that the details were saved also appears in green at the top of the screen.
If the connection to AWS failed, a notification appears under the Connected to AWS Lambda section instead.
Enable permissions to access AWS Lambda for the first time by creating a new read-only policy-based role from the AWS Identity and Access Management (IAM) console and updating the policy directly from the associated JSON file as necessary.
The role delegates read-only access to all of your Lambda resources to Snyk, per organization.
This section generally describes how to navigate the AWS IAM Console for these purposes. For more assistance, see the AWS documentation.
From your Snyk account, navigate to the organization you’d like to integrate with, go to Settings and when the General Settings load for the group, scroll down and copy your Organization ID. Save this for use later in this process.
Now log in to the AWS Management Console, navigate to the Policies page, and create a new policy for the role by updating the related JSON file only, as follows:
1. From the Policies area of the AWS Management Console, create a new policy.
2. Navigate to the JSON tab.
3. Select and delete all of the default text in the JSON file.
4. Copy the following script and paste it inside the JSON file:
Click Review policy.
Name the policy SnykReadOnlyForLambda.
Skip any other steps, finish the wizard and create the policy. The policy is now available in the list of your existing policies.
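The policy document itself is not reproduced on this page. The following is an added example, not Snyk's own policy or code, showing the shape of the two documents a cross-account, read-only Lambda role consists of (the permission policy attached to the role and the trust policy that lets Snyk assume it) together with a small lint that checks the properties that matter for the "How it works" description above: the role only grants read-only lambda:Get*/lambda:List* actions, and it can only be assumed by one named account that also presents the External ID shown in the Snyk settings page. The account ID, External ID and the exact action list are placeholders and assumptions; take the real values from Snyk.

```python
import json

# Constructed placeholders. The real External ID comes from the Snyk AWS Lambda
# settings page, and the account allowed to assume the role comes from Snyk's
# documentation; neither value is on this page.
SNYK_ACCOUNT_ID = "123456789012"
EXTERNAL_ID = "00000000-0000-0000-0000-000000000000"

# Assumed read-only Lambda actions (real IAM action names, but this list is an
# illustration, not Snyk's published policy).
READ_ONLY_LAMBDA_ACTIONS = [
    "lambda:ListFunctions",
    "lambda:GetFunction",
    "lambda:GetFunctionConfiguration",
    "lambda:ListAliases",
    "lambda:ListVersionsByFunction",
    "lambda:ListLayers",
    "lambda:GetLayerVersion",
]


def permission_policy():
    """Permission policy attached to the role: read-only Lambda access."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": READ_ONLY_LAMBDA_ACTIONS,
            "Resource": "*",
        }],
    }


def trust_policy(account_id, external_id):
    """Trust policy on the role: only one account may assume it, and only
    when it presents the External ID (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(doc):
    """Return findings for every AssumeRole statement that is too open.
    An empty list means the trust policy is scoped as intended."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or principal == "*":
            findings.append("AssumeRole allowed from any AWS principal")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings


def lint_permission_policy(doc):
    """Flag any allowed action that is not a read-only Lambda action."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if service != "lambda" or "*" in action:
                findings.append(f"overly broad action: {action}")
            elif not (name.startswith("Get") or name.startswith("List")):
                findings.append(f"non read-only action: {action}")
    return findings


if __name__ == "__main__":
    trust = trust_policy(SNYK_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("trust findings:", lint_trust_policy(trust))
    print("permission findings:", lint_permission_policy(permission_policy()))
```

Run the two lint functions against the JSON you actually paste into the IAM console before creating the role. A trust policy that omits the sts:ExternalId condition, or that trusts "*" instead of a single account, would let any party who learns your Role ARN read your Lambda code and dependency manifests, which is exactly the exposure the External ID on the Snyk settings page exists to prevent.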