[{"data":1,"prerenderedAt":60},["ShallowReactive",2],{"pattern-lambda-microvm-dta-terraform":3},{"id":4,"title":5,"architectureURL":6,"cleanup":7,"contributors":10,"deploy":12,"description":15,"extension":16,"framework":17,"gitHub":18,"highlight":6,"introBox":24,"language":30,"level":31,"meta":32,"patternArch":33,"resources":47,"s3URL":6,"services":6,"stem":55,"testing":56,"videoId":6,"__hash__":59},"patterns\u002Fpatterns\u002Flambda-microvm-dta-terraform.json","CI\u002FCD dynamic threat analysis in AWS Lambda MicroVMs",null,{"text":8},[9],"Terminate any running MicroVM with \u003Ccode>microvm-dta ... terminate\u003C\u002Fcode> (the orchestrator also does this in a finally block), then run \u003Ccode>terraform destroy\u003C\u002Fcode>.",[11],"content\u002Fcontributors\u002Fryota-yamada.json",{"text":13},[14],"terraform init && terraform apply","Run an untrusted artifact inside an isolated Lambda MicroVM and observe its behavior from outside the process to produce a deterministic CI verdict.","json","Terraform",{"template":19},{"repoURL":20,"templateURL":21,"projectFolder":22,"templateFile":23},"https:\u002F\u002Fgithub.com\u002Faws-samples\u002Fserverless-patterns\u002Ftree\u002Fmain\u002Flambda-microvm-dta-terraform","serverless-patterns\u002Flambda-microvm-dta-terraform","lambda-microvm-dta-terraform","main.tf",{"headline":25,"text":26},"How it works",[27,28,29],"This pattern demonstrates a dynamic-threat-analysis (DTA) style CI\u002FCD gate built on AWS Lambda MicroVMs. A MicroVM image carries a small sandbox supervisor. For each analysis the orchestrator runs a fresh MicroVM, the supervisor launches an untrusted target as a child process (argv only, never a shell), and a set of collectors observe the target entirely from the outside: the process tree via \u002Fproc, a before\u002Fafter filesystem diff, fake canary files and environment variables, syscalls via strace, and network connections via \u002Fproc\u002Fnet.","The target never reports on its own behavior. A simple, explainable rule engine turns the observed events into a deterministic verdict (clean, suspicious, policy_violation, unknown, or error) and a machine-readable report, and CI passes or fails on policy. The MicroVM is always terminated, even when the job fails.","The Terraform deploys the least-privilege Amazon IAM build and execution roles plus an artifact Amazon S3 bucket that the orchestrator uses to build the MicroVM image and run the analysis (the same configuration that was applied and destroyed against GA Lambda MicroVMs during testing). The default scenarios are benign and canary-based, so the sample is safe to run in a dedicated sandbox account.","Python","300",{},{"icon1":34,"icon2":39,"line1":43},{"x":35,"y":36,"service":37,"label":38},30,50,"s3","Amazon S3",{"x":40,"y":36,"service":41,"label":42},70,"lambda-microvms","Lambda MicroVM",{"from":44,"to":45,"label":46},"icon1","icon2","Image Artifacts",{"bullets":48},[49,52],{"text":50,"link":51},"AWS Lambda MicroVMs documentation","https:\u002F\u002Fdocs.aws.amazon.com\u002Flambda\u002Flatest\u002Fdg\u002Flambda-microvms-guide.html",{"text":53,"link":54},"Run a MicroVM, create an auth token, and call the endpoint","https:\u002F\u002Fdocs.aws.amazon.com\u002Flambda\u002Flatest\u002Fmicrovm-api\u002FAPI_RunMicrovm.html","patterns\u002Flambda-microvm-dta-terraform",{"text":57},[58],"See the GitHub repo for detailed testing instructions.","yehlfpNHLR61A_ljcX-eGZYdVIOcjL_WsDCK8fmwfUA",1783506926030]