Description:
Lambda functions should restrict public access to ensure compliance with FedRAMP Moderate Revision 4. Public access to Lambda functions creates security risks, including potential data breaches. This rule ensures that only authorized and authenticated entities can access Lambda functions, maintaining data confidentiality and integrity.
Troubleshooting Steps:
1. Check the IAM policies: Verify the permissions and policies associated with the Lambda function and ensure that there are no open permissions or unnecessary access grants.
2. Review VPC settings: If the Lambda function is integrated with a VPC, inspect the VPC configuration to ensure that it is properly secured and isolated from the public internet.
3. Validate network configurations: Double-check the network configurations, such as subnets and security groups, to ensure that they adhere to the principle of least privilege and do not allow public connectivity.
4. Evaluate triggers: If the Lambda function is triggered by an event source, validate the security configuration of the event source to prevent unauthorized access.
Code:
To restrict public access to your Lambda functions, you can add a resource-based policy to deny public access or use a VPC configuration. Here are the code examples for both scenarios:
Resource-Based Policy to Deny Public Access:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPublicAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": "arn:aws:lambda:<region>:<account-id>:function:<function-name>"
    }
  ]
}
```
Replace `<region>`, `<account-id>`, and `<function-name>` with your specific AWS region, AWS account ID, and Lambda function name. This policy denies all entities, including the public, from invoking the Lambda function.
VPC Configuration:
To restrict public access to your Lambda function by leveraging a VPC configuration, follow these steps:
1. Ensure that you have created a VPC and configured appropriate subnets.
2. Create a security group that contains the necessary inbound and outbound rules required for your Lambda function.
3. Specify the VPC and security group settings in your Lambda function configuration.
4. Configure private subnets for your Lambda function to ensure that traffic flows through the VPC rather than public networks.
Step by Step Guide for Remediation:
1. Open the AWS Management Console and navigate to the Lambda service.
2. Select the Lambda function that needs to restrict public access.
3. Click on the "Permissions" tab.
4. Review the existing IAM roles and policies associated with the Lambda function and ensure they align with your intended access controls.
5. If you are using a resource-based policy, click on the "Add inline policy" button.
6. Copy and paste the provided resource-based policy code into the policy editor.
7. Modify the policy by replacing the placeholders with the appropriate values (region, account ID, and function name).
8.
9. If you are using VPC configuration, go to the "Configuration" tab of the Lambda function.
10. Under the "VPC" section, select the desired VPC from the dropdown menu.
11. Choose the appropriate subnets and security groups that provide the necessary access for your Lambda function.
12. Save the configuration changes.
13. Verify that the Lambda function no longer allows public access by performing tests or accessing it from unauthorized entities.
14. If necessary, make adjustments and repeat the remediation steps until public access is fully restricted.
By following these steps, you can ensure that Lambda functions are restricted from public access, aligning with the security requirements of FedRAMP Moderate Revision 4.
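As an added, offline check that supports both the policy review above and verification step 13 (example code, not part of the original guide): it parses a Lambda resource-based policy document in the shape the GetPolicy API returns and sorts each Allow statement that grants invoke rights into public (wildcard principal, no Condition), conditional (wildcard principal scoped by a Condition, needs review) or scoped (a named principal). The sample policy, account ID, ARNs and Sids are constructed; NotPrincipal and NotAction forms are not handled.

```python
import json

# Constructed sample in the shape of GetPolicy's "Policy" field (a JSON string).
# Account ID, ARNs and Sids are placeholders, not values from any real account.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example"},
        {"Sid": "ApiGatewayInvoke", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
         "Condition": {"ArnLike": {"AWS:SourceArn":
             "arn:aws:execute-api:us-east-1:111122223333:abcd1234/*"}}},
        {"Sid": "OrgInvoke", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["lambda:InvokeFunction"],
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
    ],
})

# Actions that let the principal invoke the function (compared case-insensitively).
INVOKE_ACTIONS = {"*", "lambda:*", "lambda:invokefunction", "lambda:invokefunctionurl"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal) -> bool:
    # "*" or {"AWS": "*"} matches any AWS principal, which is effectively the public.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_invoke(actions) -> bool:
    return any(str(a).lower() in INVOKE_ACTIONS for a in _as_list(actions))

def classify_statements(policy_json: str) -> dict:
    """Return Sids of invoke-granting Allow statements keyed by exposure class."""
    result = {"public": [], "conditional": [], "scoped": []}
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _grants_invoke(stmt.get("Action", [])):
            continue  # Deny statements and non-invoke grants do not expose the function
        sid = stmt.get("Sid", "<no Sid>")
        if not _wildcard_principal(stmt.get("Principal")):
            result["scoped"].append(sid)
        elif stmt.get("Condition"):
            result["conditional"].append(sid)
        else:
            result["public"].append(sid)
    return result

if __name__ == "__main__":
    print(classify_statements(SAMPLE_POLICY_JSON))
```

Any Sid listed under "public" is the finding this rule is about; entries under "conditional" are only as narrow as the condition keys they rely on and should be reviewed by hand.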