Rule: Lambda functions should restrict public access
Ensure Lambda functions restrict public access to enhance security measures.
| Rule | Lambda functions should restrict public access |
| Framework | FedRAMP Low Revision 4 |
| Severity | ✔ Critical |
Rule: Lambda Functions - Restrict Public Access for FedRAMP Low Revision 4
Description:
This rule mandates that Lambda functions within the environment must have public access restricted in order to comply with FedRAMP Low Revision 4 requirements. Public access includes any means of communication that allows unauthorized external entities to invoke or access Lambda functions. This rule ensures that only authorized entities are able to interact with Lambda functions, therefore maintaining the security and integrity of the system.
Troubleshooting Steps:
If Lambda functions are found to have public access enabled, follow these troubleshooting steps to resolve the issue:
- 1.Identify the Lambda functions that have public access enabled.
- 2.Review the configuration and assess the potential impact.
- 3.Analyze the access controls and permissions defined for the Lambda functions.
- 4.Determine if any external entities have unauthorized access to the Lambda functions.
- 5.Confirm if there are any vulnerabilities or weaknesses that could be exploited due to public access.
- 6.Evaluate the risks associated with maintaining public access and mitigating measures already in place, if any.
- 7.Develop a plan of action to restrict public access for the Lambda functions.
Necessary Codes:
In order to implement the necessary changes to restrict public access for Lambda functions, you can follow these steps:
- 1.Open the AWS Management Console or use the AWS CLI.
- 2.Navigate to the AWS Lambda service.
- 3.Identify the Lambda function(s) that need to have public access restricted.
- 4.Modify the Lambda function's configuration.
Step-by-Step Guide for Remediation:
Using AWS Management Console:
- 1.Log in to the AWS Management Console with the appropriate credentials.
- 2.Navigate to the AWS Lambda service.
- 3.Select the Lambda function that needs to have public access restricted.
- 4.In the function's configuration page, scroll down to the "Permissions" section.
- 5.Review the permissions already assigned and identify any public access permissions.
- 6.Click on each permission that allows public access and remove it.
- 7.Save the changes.
Using AWS CLI:
- 1.Install and configure the AWS CLI on your local machine.
- 2.Open a terminal or command prompt.
- 3.Run the following command to list all the Lambda functions in the AWS account:
aws lambda list-functions
- 1.Identify the ARN (Amazon Resource Name) of the Lambda function that needs to have public access restricted.
- 2.Run the following command to modify the function's access permissions, replacing
with the actual ARN:<function_arn>
aws lambda remove-permission --function-name <function_arn> --statement-id <statement_id>
Ensure that you remove the statement ID corresponding to the public access permission. 6. Verify that the changes have been successfully applied.
By following these steps, you will have successfully restricted public access for Lambda functions to comply with the FedRAMP Low Revision 4 policy.