Ensure Lambda functions restrict public access to enhance security measures.
| Rule | Lambda functions should restrict public access |
| Framework | CISA-cyber-essentials |
| Severity | Critical |
AWS Lambda Function Access Restriction for CISA Cyber Essentials
Rule Overview:
Lambda functions are a key component of serverless architecture in AWS: they run code without the user provisioning or managing servers, which means the only thing standing between the internet and that code is the function's permission configuration. CISA's Cyber Essentials calls for limiting which systems and services are reachable from the public internet. Applying that principle, a Lambda function should not be invocable by anonymous or arbitrary callers unless that is an explicit, documented requirement. An open invoke permission lets anyone run the function, drive up its cost, and reach whatever the function's execution role can reach.
Troubleshooting Steps:
If a Lambda function is inadvertently exposed to the public, work through the following checks to find the grant that exposes it:
Identify Publicly Accessible Lambda Functions: Public invoke access is granted by the function's resource-based policy, not by IAM identity policies. Review each function's resource-based policy for Allow statements whose Principal is "*" or {"AWS": "*"} and that carry no condition scoping the caller (for example aws:SourceAccount, aws:SourceArn or aws:PrincipalOrgID). IAM Access Analyzer also reports Lambda functions whose policy grants access from outside your zone of trust.
Review IAM Roles and Execution Policies: The execution role does not control who can invoke the function, but it decides what a publicly invocable function can do once invoked, so an over-permissive role turns an exposed function into a path to other resources. Confirm the role grants only the permissions the function actually needs.
Check Associated API Gateway Permissions and Function URLs: If the function is triggered via API Gateway, confirm each method requires authorization (IAM, Cognito or a Lambda authorizer) and that the API's resource policy does not allow unrestricted access. If the function has a Lambda function URL, check its auth type: AuthType NONE makes the URL callable by anyone on the internet.
Remediation Steps:
Step 1: Review and Modify Permissions
Review the Lambda function's resource-based policy: Use the AWS Management Console or AWS CLI to check the policy attached to the Lambda function.
CLI Command:
aws lambda get-policy --function-name FunctionName
The policy is returned as a JSON string in the Policy field. A ResourceNotFoundException here means the function has no resource-based policy at all, which is the safe state rather than an error.
Remove any statements granting public or wide access:
Revise the policy so that no Allow statement uses a wildcard principal (Principal: "*" or Principal: {"AWS": "*"}) without a condition that scopes the caller to your account, organization or a known source ARN, and drop overly permissive actions. A statement granting lambda:InvokeFunctionUrl to Principal "*" is what a function URL with AuthType NONE looks like in the policy; remove it or switch the URL to AWS_IAM authentication. Statements in a Lambda resource-based policy are removed individually by their statement ID (Sid), so note the Sid of every offending statement before changing anything.
Step 2: Update Execution Role Policies
Review the IAM execution role associated with the Lambda function.
CLI Command:
aws iam get-role-policy --role-name YourLambdaExecutionRole --policy-name YourPolicyName
Revise the policy to ensure it grants only the permissions your Lambda function needs to interact with other AWS services. Note that this command shows only inline policies; managed policies attached to the role are listed and reviewed separately, and both must be checked.
Step 3: Modify API Gateway Settings
If a REST API in API Gateway fronts the function, examine the resource policy set at the API level. HTTP APIs do not support resource policies, so for those rely on route-level authorizers instead.
CLI Command:
aws apigateway get-rest-api --rest-api-id your-api-id
The resource policy is returned in the policy field as a JSON string. Revise it to restrict access appropriately, for example with an aws:SourceIp condition that limits callers to known IP ranges, or an aws:SourceVpce condition for a private API, and keep an authorizer on each method: a resource policy is a network-level filter, not authentication. AWS WAF can add further access controls in front of the API.
Step 4: Enable AWS WAF Protection
Attach an AWS WAF web ACL to the REST API stage (the resource ARN has the form arn:aws:apigateway:REGION::/restapis/API_ID/stages/STAGE). The web ACL's rules can block or rate-limit requests based on IP address, HTTP headers, body and other request attributes. Treat it as a defence-in-depth layer over the permission fixes above, not as a replacement for them.
CLI Example:
aws wafv2 associate-web-acl --web-acl-arn your-webacl-arn --resource-arn your-apigateway-arn
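The checks in Steps 1 and 3 both come down to reading an IAM policy document and deciding whether an Allow statement is open to anyone. The script below is an added example written for this page, not code from AWS or from the original text. It parses constructed inputs shaped like the output of `aws lambda get-policy`, `aws lambda get-function-url-config` and `aws apigateway get-rest-api` (the account ID, function name and API ID are made up) and flags statements with a wildcard principal that carry no caller-scoping condition. The list of condition keys treated as "scoping" is an assumption chosen for illustration; extend it for your environment. It makes no AWS calls, so it runs offline.

```python
"""Flag public-access grants on a Lambda function and its REST API front door.

Added example, not part of the original page. Inputs are constructed to
mimic AWS CLI output; nothing here calls AWS.
"""
import json

# Condition keys that tie a wildcard principal to a specific account, org,
# network or source. A "*" principal behind one of these is scoped, not
# public. Assumption: illustrative list, extend it for your estate.
SCOPING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:principalorgid",
    "aws:principalaccount", "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load_policy_string(raw):
    """Policies arrive as a JSON string inside JSON. API Gateway may return
    that string with backslash-escaped quotes; retry after unescaping."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return json.loads(raw.replace('\\"', '"'))


def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}. Service principals are not wildcards."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS", [])))
    return False


def statement_is_scoped(stmt):
    """True if a condition narrows the caller. Operators that only apply when
    the key is present (...IfExists, Null) narrow nothing and are ignored."""
    for operator, keys in (stmt.get("Condition") or {}).items():
        op = operator.lower()
        if op.endswith("ifexists") or op.startswith("null"):
            continue
        if any(k.lower() in SCOPING_CONDITION_KEYS for k in keys):
            return True
    return False


def public_statements(policy_doc):
    """Return the Sid (or index) of every Allow statement open to anyone."""
    hits = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_is_wildcard(stmt.get("Principal")) and not statement_is_scoped(stmt):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def lambda_public_sids(get_policy_output):
    """`aws lambda get-policy` returns {"Policy": "<json string>", ...}."""
    return public_statements(_load_policy_string(get_policy_output["Policy"]))


def function_url_is_public(url_config):
    """`aws lambda get-function-url-config` output; AuthType NONE is unauthenticated."""
    return url_config.get("AuthType") == "NONE"


def apigw_public_sids(get_rest_api_output):
    """`aws apigateway get-rest-api` puts the resource policy in "policy" (absent if unset)."""
    raw = get_rest_api_output.get("policy")
    return public_statements(_load_policy_string(raw)) if raw else []


# --- Constructed sample inputs (fake account, function and API IDs) ---------
ACCOUNT = "111122223333"
FN_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders"
API_RESOURCE = f"arn:aws:execute-api:us-east-1:{ACCOUNT}:abc123/*"

SAMPLE_GET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "apigw-invoke", "Effect": "Allow",                    # scoped to one API
     "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": API_RESOURCE + "/POST/orders"}}},
    {"Sid": "public-invoke", "Effect": "Allow", "Principal": "*",  # anyone
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow",     # URL, AuthType NONE
     "Principal": "*", "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    {"Sid": "org-scoped", "Effect": "Allow", "Principal": {"AWS": "*"},  # org only
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]})}
SAMPLE_URL_CONFIG = {"FunctionUrl": "https://example.lambda-url.us-east-1.on.aws/",
                     "AuthType": "NONE"}


def _apigw_output(statements, double_escape=False):
    doc = json.dumps({"Version": "2012-10-17", "Statement": statements})
    return {"id": "abc123", "policy": doc.replace('"', '\\"') if double_escape else doc}


SAMPLE_API_OPEN = _apigw_output([{"Sid": "open", "Effect": "Allow", "Principal": "*",
                                  "Action": "execute-api:Invoke", "Resource": API_RESOURCE}])
SAMPLE_API_RESTRICTED = _apigw_output([
    {"Sid": "office-only", "Effect": "Allow", "Principal": "*",
     "Action": "execute-api:Invoke", "Resource": API_RESOURCE,
     "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}], double_escape=True)

if __name__ == "__main__":
    print("Lambda public Sids:", lambda_public_sids(SAMPLE_GET_POLICY))
    print("Function URL public:", function_url_is_public(SAMPLE_URL_CONFIG))
    print("API open Sids:", apigw_public_sids(SAMPLE_API_OPEN))
    print("API restricted Sids:", apigw_public_sids(SAMPLE_API_RESTRICTED))
```

To run it against a real function, pass the parsed output of `aws lambda get-policy --function-name orders --output json` to lambda_public_sids and the output of `aws lambda get-function-url-config --function-name orders` to function_url_is_public. Each Sid the script reports is removed with `aws lambda remove-permission --function-name orders --statement-id <Sid>`; a function URL is closed with `aws lambda delete-function-url-config` or moved behind IAM with `aws lambda update-function-url-config --function-name orders --auth-type AWS_IAM`. Note that the org-scoped and IP-restricted statements are deliberately not flagged: a wildcard principal with a scoping condition is a common, legitimate pattern, and treating it as public would generate noise that drowns out the real findings.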
Optional: Automate Remediation with AWS Config
Use AWS Config to detect publicly accessible Lambda functions continuously. The managed rule lambda-function-public-access-prohibited evaluates each function's resource-based policy and marks the function non-compliant when it grants public access; AWS Config can then trigger a remediation action, for example a Lambda function that removes the offending statement, whenever a non-compliant resource is detected.
Ensure to test all changes in a staging environment before applying them to production, to validate that nothing breaks due to the modified permissions.
Note: Compliance with CISA Cyber Essentials requires regular review and auditing of your AWS resources. Use AWS CloudTrail to record who adds or changes function permissions and function URL configurations, and AWS Config for continuous compliance checks.
Implementing these preventive and reactive measures can safeguard your AWS Lambda functions from unnecessary public exposure, enhancing the overall security posture as prescribed by the CISA Cyber Essentials.