Rule: Lambda Functions Should Restrict Public Access

Ensure Lambda functions restrict public access to enhance security measures.

Rule: Lambda functions should restrict public access
Framework: Federal Financial Institutions Examination Council (FFIEC)
Severity: Critical

Rule Description:

This rule enforces a security measure for Lambda functions that handle Federal Financial Institutions Examination Council (FFIEC) resources by restricting public access to them. This is important for the confidentiality, integrity, and availability of sensitive data related to financial institutions.

Troubleshooting Steps (if applicable):

If there are any issues related to restricting public access for FFIEC Lambda functions, the following troubleshooting steps can be followed:

  1. Verify Lambda Function Configuration: Double-check the Lambda function's configuration settings to ensure that public access is appropriately restricted.

  2. Check Resource Policies: Examine the resource policies associated with the Lambda function to confirm that they are properly configured to restrict public access.

  3. Validate Network Access Controls: Ensure that the Lambda function is placed within the appropriate network environment, such as a Virtual Private Cloud (VPC) with appropriate access control lists (ACLs) and security groups.

  4. Review IAM Roles and Permissions: Verify that the IAM roles assigned to the Lambda function do not grant unnecessary public access permissions and are in accordance with the FFIEC requirements.

  5. Check VPC Endpoints: If the Lambda function requires access to specific resources within the VPC, validate that VPC endpoints are appropriately configured to allow secure communication with those resources.

  6. Lambda Function Testing: Perform test invocations of the Lambda function to verify that it functions correctly even with restricted public access.

Necessary Codes (if applicable):

In order to restrict public access for FFIEC Lambda functions, you can utilize the following code snippets:

Code snippet 1: Restricting Public Access

import json
import boto3

def lambda_handler(event, context):
    # Detach every function in the account from its VPC configuration.
    # VpcConfig controls the network the function runs in; who may invoke
    # the function is set by its resource-based policy (see snippet 2 and
    # the remediation guide below for the other controls this rule covers).
    client = boto3.client('lambda')

    # list_functions is paginated: a single call returns at most one page,
    # so iterate with the paginator to cover every function
    paginator = client.get_paginator('list_functions')
    for page in paginator.paginate():
        for function in page['Functions']:
            # Empty lists clear the VPC attachment for this function
            client.update_function_configuration(
                FunctionName=function['FunctionName'],
                VpcConfig={
                    'SecurityGroupIds': [],
                    'SubnetIds': []
                }
            )

    return {
        'statusCode': 200,
        'body': json.dumps('Public access restricted for FFIEC Lambda functions')
    }

Code snippet 2: Sample IAM Role Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "lambda:InvokeFunction",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:Referer": "ffiec-approved-referer"
                }
            }
        }
    ]
}

Please note that the code snippets provided are for reference purposes, and you may need to modify them according to your specific requirements.

Step-by-Step Guide for Remediation:

To remediate the issue and comply with the rule/policy of restricting public access for FFIEC Lambda functions, follow the step-by-step guide below:

  1. Open the AWS Management Console and navigate to the Lambda service.
  2. Identify the Lambda functions that need to comply with the rule. These functions should be associated with FFIEC resources or handle sensitive financial data.
  3. For each identified function, click on its name to access its configuration.
  4. In the "Configuration" tab, look for the "VPC" section and ensure that it is properly configured.
     • If the Lambda function does not require Internet access, remove any associated security groups and subnets to restrict public access:
       • Click on "Edit" in the "VPC" section.
       • Remove the security group associations under "Security groups".
       • Remove the subnet associations under "Subnets".
       • Click "Save" to apply the changes.
     • If the Lambda function requires access to specific resources within a VPC, validate that the associated security groups and subnets are appropriately configured:
       • Ensure that the security groups allow necessary inbound and outbound traffic.
       • Verify that the subnets have the required connectivity to the FFIEC resources.
       • Save any changes made.
  5. Review the IAM roles associated with the Lambda functions and ensure that they do not grant unnecessary public access permissions.
     • Edit the respective IAM roles if required and enforce the necessary restrictions.
  6. Validate the Network Access Controls (ACLs and security groups) within the VPC:
     • Ensure that the appropriate network access controls are in place to restrict public access to FFIEC Lambda functions.
  7. Perform thorough testing by invoking the Lambda functions to verify that they function correctly after restricting public access.
  8. Monitor the Lambda functions and associated logs to ensure that the restricted access does not impact their intended functionality.
  9. Regularly review and audit the Lambda functions to maintain compliance with the rule/policy and promptly address any identified issues.

By following the above guide, you will be able to restrict public access for FFIEC Lambda functions, enhancing the security posture of your systems while complying with the policy requirements.
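The code snippets and the guide above work on the VPC attachment and the execution role; whether anonymous callers may invoke a function is decided by a third control, the function's resource-based policy (the JSON document returned by GetPolicy), and the aws:Referer key used in snippet 2 is a caller-supplied value rather than a verified identity. As an added example (not CloudDefense's own code), the check below flags every Allow statement in such a policy whose Principal is "*" and which no aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID condition pins to a source, and revokes it with RemovePermission. The sample policy and the DryRunLambdaClient are constructed; to apply changes for real, pass boto3.client("lambda") and the string from get_policy()["Policy"].

```python
import json


class DryRunLambdaClient:
    """Stand-in for a boto3 Lambda client: records RemovePermission calls instead of making them."""
    def __init__(self):
        self.calls = []

    def remove_permission(self, **kwargs):
        self.calls.append(kwargs)

def _principals(statement):
    """Flatten Principal ("*", {"AWS": [...]}, {"Service": "..."}) into a list of strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat

def _scoped_to_a_source(statement):
    """A Principal "*" grant is not world-open if a condition pins the caller (keys are case-insensitive)."""
    condition = json.dumps(statement.get("Condition", {})).lower()
    return any(k in condition for k in ("aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"))

def public_statement_ids(policy_json):
    """Sids of Allow statements in a function's resource-based policy that anyone can use."""
    policy = json.loads(policy_json)
    return [st.get("Sid", "") for st in policy.get("Statement", [])
            if st.get("Effect") == "Allow" and "*" in _principals(st)
            and not _scoped_to_a_source(st)]

def remediate_public_statements(function_name, policy_json, client=None):
    """Revoke each world-open statement with RemovePermission; StatementId is the statement's Sid."""
    client = client or DryRunLambdaClient()  # pass boto3.client("lambda") to apply for real
    removed = []
    for sid in public_statement_ids(policy_json):
        client.remove_permission(FunctionName=function_name, StatementId=sid)
        removed.append(sid)
    return removed

# Constructed sample policy: one world-open grant and one S3 trigger pinned by SourceArn.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"},
    {"Sid": "S3Trigger", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}}]})
```

A scoped grant such as the S3 trigger is kept, so event sources keep working while the open invoke permission is removed.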
