
Rule: Lambda Functions Should Restrict Public Access

Ensure Lambda functions restrict public access to enhance security measures.

Rule: Lambda functions should restrict public access
Framework: FedRAMP Low Revision 4
Severity: Critical

Rule Description

This rule enforces that Lambda functions within an AWS environment should have restricted public access as per the FedRAMP Low Revision 4 requirements. The goal is to prevent unauthorized access to sensitive information or resources hosted within Lambda functions.

Policy Details

To adhere to the FedRAMP Low Revision 4 guidelines, Lambda functions should not be publicly accessible from the internet. Public access increases the risk of unauthorized access, potential data breaches, and compromises overall security. Restricting public access ensures that only authorized internal resources or entities can interact with Lambda functions.

Troubleshooting Steps

If Lambda functions are publicly accessible, perform the following steps to troubleshoot and rectify the issue:

  1. Identify publicly accessible Lambda functions: Use the AWS Management Console, CLI, or SDKs to identify Lambda functions that have public access enabled.
  2. Verify the permissions and security settings: Ensure that the publicly accessible Lambda functions are not intentionally configured that way. Check and compare settings with the desired configuration.
  3. Review IAM policies: Analyze the IAM policies attached to the Lambda functions and ensure they don't allow public access or contain any overly permissive permissions.
  4. Inspect associated resources: Examine any associated resources, such as API Gateway or ALB (Application Load Balancer), to see if they are correctly configured to restrict public access.
  5. Enable VPC access: If the Lambda function requires access only within a Virtual Private Cloud (VPC), confirm that it is correctly configured to operate within the VPC and restrict access from external networks.

Implementation Guide

Follow these steps to ensure that Lambda functions within your AWS environment adhere to the policy of restricting public access for FedRAMP Low Revision 4:

  1. Identify publicly accessible Lambda functions: Use the AWS Management Console to identify all Lambda functions. Alternatively, use the AWS CLI command:

       aws lambda list-functions

  2. Review function settings: For each Lambda function listed, access the function's settings to verify whether it allows public access. Ensure that the 'Manage Permission' settings under 'Function overview' do not allow public access.
  3. Update function access options: If public access is enabled, modify the function's configuration:
     • Click on the Lambda function name to access its detail page.
     • Under the 'Configuration' tab, navigate to the 'Designer' section.
     • Remove any triggers or event sources that allow public access, such as API Gateway or ALB.
     • Verify that the 'VPC' configuration is appropriately set up to restrict access from the public internet.
     • Save the changes.
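The troubleshooting and implementation steps above identify public access by reading a function's permission settings. The following is an added example, not code from Cloud Defense or AWS, that automates the check offline: it evaluates a Lambda resource-based policy in the shape returned by `aws lambda get-policy` (the `Policy` field is a JSON string) and reports Allow statements whose principal is a wildcard and that carry no condition limiting who may invoke the function. It also checks a function URL configuration for `AuthType` `NONE`, which makes the URL callable without IAM authentication. The sample policy, ARNs, account ID and revision ID are constructed for the example; the list of condition keys treated as "restricting" is an assumption to be tuned to your environment.

```python
import json

# Constructed sample in the shape of `aws lambda get-policy` output.
# Account ID, ARNs and RevisionId are placeholders, not real resources.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # Scoped to one API Gateway stage via SourceArn: not public.
                "Sid": "AllowApiGatewayInvoke",
                "Effect": "Allow",
                "Principal": {"Service": "apigateway.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
                "Condition": {"ArnLike": {"AWS:SourceArn":
                    "arn:aws:execute-api:us-east-1:123456789012:abc123/*/GET/orders"}},
            },
            {   # Anyone may invoke: public.
                "Sid": "PublicInvoke",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
            },
            {   # The grant AWS attaches for an unauthenticated function URL: public.
                "Sid": "PublicUrlInvoke",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunctionUrl",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
                "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
            },
            {   # Wildcard principal but limited to one organization: not public.
                "Sid": "OrgRestricted",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
            },
        ],
    }),
    "RevisionId": "constructed-revision-id",
}

# Assumption: condition keys that narrow the caller set enough to stop a
# wildcard principal from meaning "the whole internet". Adjust as needed.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcearn", "aws:sourceaccount", "aws:principalorgid",
    "aws:principalaccount", "aws:principalarn", "aws:sourcevpce", "aws:sourceip",
}


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _has_restricting_condition(statement):
    """True if any condition key narrows who can satisfy the statement."""
    for _operator, key_values in statement.get("Condition", {}).items():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in key_values):
            return True
    return False


def find_public_statements(get_policy_output):
    """Return the Sids of Allow statements granting access to anyone."""
    raw = get_policy_output["Policy"]
    policy = json.loads(raw) if isinstance(raw, str) else raw
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def function_url_is_public(url_config):
    """url_config: shape of `aws lambda get-function-url-config` output."""
    return url_config.get("AuthType") == "NONE"


if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_GET_POLICY_OUTPUT))
    print("URL public:", function_url_is_public({"AuthType": "NONE"}))
```

To run this against a live account, feed `find_public_statements` the parsed output of `aws lambda get-policy --function-name <name>` for each function returned by `aws lambda list-functions`, and `function_url_is_public` the output of `aws lambda get-function-url-config --function-name <name>` (this call fails for functions with no URL, which is the expected non-public case). Note that a function's VPC configuration governs its outbound network reach, not who may invoke it; invocation access is decided by the resource-based policy and the function URL auth type checked here.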

Considerations

  • When modifying Lambda functions to restrict public access, ensure that necessary access controls or trigger configurations are correctly implemented to avoid disrupting the intended functionality.
  • Regularly review and monitor the Lambda functions to detect any unintentional changes that may reintroduce public access.
  • As best practice, limit permissions and only grant necessary IAM roles to both Lambda functions and associated resources.
  • Maintain proper documentation of the Lambda functions' access restrictions to aid auditing and compliance efforts.
