
Rule: Lambda functions should restrict public access

A critical rule requiring Lambda functions to limit public access for enhanced security.

Rule: Lambda functions should restrict public access
Framework: FedRAMP Low Revision 4
Severity: Critical

Lambda Functions Access Restriction for FedRAMP Low Revision 4

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This includes specific controls and policies for cloud-based services to maintain data integrity and security.

In the context of AWS Lambda, restricting public access is crucial for complying with FedRAMP Low Revision 4 requirements. Lambda functions should be configured to prevent unrestricted public access to ensure that only authorized entities can invoke them. Public access can lead to unauthorized data exposure, potential data breaches, and non-compliance with federal regulations.

Rule Overview

Lambda functions must be deployed with appropriate access permissions that align with the least privilege principle. For FedRAMP Low Revision 4 compliance, the following configurations should be observed:

  • Lambda function's resource-based policy should not allow wildcard permissions (e.g., Principal: "*").
  • Access should be restricted to specific services or accounts.
  • Use AWS Identity and Access Management (IAM) roles and policies to grant permission to invoke the function.
  • Enable AWS CloudTrail logs for all Lambda invocation requests for monitoring and auditing.

Troubleshooting Steps

If a Lambda function is publicly accessible and not compliant with FedRAMP Low Revision 4, follow these troubleshooting steps:

  1. Review the Lambda function's resource-based policy.
  2. Verify the permissions and identify any statements that grant public or wide access.
  3. Modify the permissions to restrict access.
  4. Validate changes by testing the Lambda function invocation with unauthorized accounts or services.
  5. Check CloudTrail logs for unauthorized access attempts.
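Troubleshooting steps 1 to 3 can be done offline against the output of `aws lambda get-policy`. The following Python script is an added example (it is not Cloud Defense or AWS code): it parses the get-policy output, whose "Policy" field is itself a JSON string, flags every Allow statement whose Principal is "*" or {"AWS": "*"}, marks statements that carry a Condition as "review" rather than "public" (a condition such as aws:SourceAccount may already narrow the grant), and prints the matching `aws lambda remove-permission` command for each public statement. The sample policy, the account id, the function name ExampleFunction and the statement ids are constructed.

```python
"""Audit a Lambda resource-based policy for wildcard principals.

Added example for this rule page (not Cloud Defense or AWS code). Input is
the JSON printed by `aws lambda get-policy`; the outer "Policy" field is a
JSON string that holds the resource-based policy.
"""
import json

# Constructed sample output of `aws lambda get-policy`. The account id,
# function name and statement ids (Sid) are hypothetical.
FUNCTION_NAME = "ExampleFunction"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # anyone may invoke: non-compliant
                "Sid": "PublicInvoke",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
            },
            {   # service principal scoped to one bucket: compliant
                "Sid": "S3Trigger",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
            },
            {   # wildcard principal narrowed by a Condition: needs a human look
                "Sid": "OrgScoped",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
            },
            {   # {"AWS": "*"} without a Condition is the same as "*": non-compliant
                "Sid": "AnyAwsAccount",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunction",
                "Resource": FUNCTION_ARN,
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})


def is_wildcard_principal(principal):
    """True when a Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def find_wildcard_statements(get_policy_output):
    """Return a list of (sid, verdict) for Allow statements with a wildcard principal.

    verdict is "public" when nothing narrows the grant and "review" when the
    statement carries a Condition.
    """
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        verdict = "review" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<missing Sid>"), verdict))
    return findings


def remediation_commands(function_name, findings):
    """Build the remove-permission command for every statement judged public."""
    return [
        f"aws lambda remove-permission --function-name {function_name} --statement-id {sid}"
        for sid, verdict in findings
        if verdict == "public"
    ]


if __name__ == "__main__":
    results = find_wildcard_statements(SAMPLE_GET_POLICY_OUTPUT)
    for sid, verdict in results:
        print(f"{verdict:7} {sid}")
    for cmd in remediation_commands(FUNCTION_NAME, results):
        print(cmd)
```

To run it against a real function, replace SAMPLE_GET_POLICY_OUTPUT with the text printed by `aws lambda get-policy --function-name <name>`; the "review" verdict is deliberate, because a wildcard principal behind an organisation or source-account condition is not public but still deserves a second look before the rule is marked compliant.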

Remediation Commands

To restrict public access to a Lambda function, use the AWS Command Line Interface (CLI). Here's a step-by-step guide:

  1. Retrieve the current Lambda function policy:

     aws lambda get-policy --function-name YourLambdaFunctionName

  2. If a wildcard principal is detected, remove that statement from the resource-based policy (Lambda keeps the remaining statements):

     aws lambda remove-permission --function-name YourLambdaFunctionName --statement-id StatementIdWithWildcardPrincipal

  3. Create an IAM role with the necessary permissions and assign it to the Lambda function.

     a. Create a trust policy for the IAM role (save it as trust-policy.json):

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Principal": {
             "Service": "lambda.amazonaws.com"
           },
           "Action": "sts:AssumeRole"
         }
       ]
     }

     b. Use the CLI to create the IAM role:

     aws iam create-role --role-name LambdaExecutionRole --assume-role-policy-document file://trust-policy.json

     c. Attach the necessary permissions to the IAM role:

     aws iam attach-role-policy --role-name LambdaExecutionRole --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  4. Update the Lambda function to use the new IAM role:

     aws lambda update-function-configuration --function-name YourLambdaFunctionName --role arn:aws:iam::YourAccountID:role/LambdaExecutionRole

     Ensure you replace YourLambdaFunctionName, StatementIdWithWildcardPrincipal, YourAccountID, and other placeholders with the appropriate values for your specific situation.

  5. Enable CloudTrail logs:

     aws cloudtrail create-trail --name LambdaInvocationTrail --s3-bucket-name YourS3BucketForLogs
     aws cloudtrail start-logging --name LambdaInvocationTrail

  6. Set up CloudTrail log file validation:

     aws cloudtrail update-trail --name LambdaInvocationTrail --enable-log-file-validation
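Once the trail is logging, troubleshooting step 5 (checking CloudTrail for unauthorized access attempts) needs something that reads the records. One caveat a practitioner should know: CloudTrail records Lambda Invoke calls as data events, which a trail created as in step 5 above does not capture by default; they have to be enabled for the AWS::Lambda::Function resource type (for example with `aws cloudtrail put-event-selectors`) before Invoke records appear at all. The following Python script is an added example (not Cloud Defense or AWS code) that reads a CloudTrail log file in the {"Records": [...]} layout CloudTrail writes to S3, keeps only Lambda Invoke events, and reports every invocation whose caller is neither an expected account nor an expected service principal, including denied attempts. The account ids, ARNs, function name and records are constructed.

```python
"""Scan CloudTrail records for Lambda invocations from unexpected callers.

Added example for this rule page (not Cloud Defense or AWS code). Input is
the {"Records": [...]} JSON that CloudTrail delivers to S3; only Lambda
Invoke data events are examined.
"""
import json

# Constructed sample records, trimmed to the fields this script uses.
# Account ids, ARNs and the function name are hypothetical.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:ExampleFunction"
SAMPLE_CLOUDTRAIL_LOG = json.dumps({"Records": [
    {   # in-account role invoking the function: expected
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/session1"},
        "requestParameters": {"functionName": FUNCTION_ARN},
    },
    {   # foreign account invoked successfully while the policy was public: finding
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "accountId": "999988887777",
                         "arn": "arn:aws:iam::999988887777:user/outsider"},
        "requestParameters": {"functionName": FUNCTION_ARN},
    },
    {   # management event, not an invocation: ignored by this check
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "AddPermission20150331v2", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AssumedRole", "accountId": "111122223333",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/ops"},
        "requestParameters": {"functionName": FUNCTION_ARN},
    },
    {   # S3 service principal invoking (the S3 trigger): expected
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "recipientAccountId": "111122223333",
        "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
        "requestParameters": {"functionName": FUNCTION_ARN},
    },
    {   # same foreign account denied after the policy fix: still worth reviewing
        "eventTime": "2024-05-01T11:00:00Z", "eventSource": "lambda.amazonaws.com",
        "eventName": "Invoke", "recipientAccountId": "111122223333",
        "errorCode": "AccessDeniedException",
        "userIdentity": {"type": "IAMUser", "accountId": "999988887777",
                         "arn": "arn:aws:iam::999988887777:user/outsider"},
        "requestParameters": {"functionName": FUNCTION_ARN},
    },
]})

# Callers allowed to invoke the function; adjust to the function's real policy.
EXPECTED_ACCOUNTS = {"111122223333"}
EXPECTED_SERVICES = {"s3.amazonaws.com"}


def unexpected_invocations(log_text, expected_accounts, expected_services):
    """Return (eventTime, caller, functionName, outcome) for every Lambda Invoke
    event whose caller is not in the expected account or service sets.

    outcome is the CloudTrail errorCode when the call failed (e.g. an access
    denial) and "Succeeded" otherwise.
    """
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "lambda.amazonaws.com" or rec.get("eventName") != "Invoke":
            continue
        ident = rec.get("userIdentity", {})
        if ident.get("type") == "AWSService":
            # service principals carry no accountId; CloudTrail names the service
            caller = ident.get("invokedBy", "unknown-service")
            expected = caller in expected_services
        else:
            caller = ident.get("arn") or ident.get("accountId", "unknown")
            expected = ident.get("accountId") in expected_accounts
        if expected:
            continue
        outcome = rec.get("errorCode", "Succeeded")
        function_name = rec.get("requestParameters", {}).get("functionName", "unknown")
        findings.append((rec["eventTime"], caller, function_name, outcome))
    return findings


if __name__ == "__main__":
    for when, caller, fn, outcome in unexpected_invocations(
            SAMPLE_CLOUDTRAIL_LOG, EXPECTED_ACCOUNTS, EXPECTED_SERVICES):
        print(f"{when} {outcome:22} {caller} -> {fn}")
```

Successful invocations from an unknown account point at the window during which the wildcard statement was live and should be treated as potential data exposure; denied attempts after the fix show that the remediation holds and who is still probing the function.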
    

Adhering to these procedures will help ensure your Lambda functions are compliant with FedRAMP Low Revision 4, subsequently enhancing your organization's cloud security posture. Remember to replace the placeholders with your actual function names and account details as necessary.
