
Rule: Lambda functions should restrict public access

This rule emphasizes the importance of restricting public access for Lambda functions.

Rule: Lambda functions should restrict public access
Framework: GxP 21 CFR Part 11
Severity: Critical

Rule Description:

The rule requires Lambda functions to restrict public access for GxP (Good Practice) 21 CFR (Code of Federal Regulations) Part 11 compliance. This ensures that Lambda functions that handle sensitive data or perform critical operations adhere to the security requirements outlined in the GxP 21 CFR Part 11 guidelines.

Rule Policy:

Lambda functions must have the necessary configurations to prevent public access and enforce GxP 21 CFR Part 11 compliance. Any publicly accessible Lambda functions should be restricted to reduce the risk of unauthorized access or data breaches.

Troubleshooting Steps:

  1. Identify publicly accessible Lambda functions:

     • Use the AWS Management Console or AWS CLI to list all Lambda functions in your account.
     • Look for functions that have open permissions or are configured to allow public access.

  2. Review function permissions:

     • Analyze the permissions and access controls applied to each Lambda function.
     • Ensure that there are no policies allowing unrestricted public access.

  3. Update function policies:

     • For any publicly accessible functions, modify their function policies to restrict access.
     • Adjust the resource-based policies or IAM (Identity and Access Management) policies to enforce GxP 21 CFR Part 11 compliance.

Code Snippets:

  1. AWS CLI - Listing Lambda functions:

     aws lambda list-functions --region <region-name>

  2. AWS CLI - Viewing function policies:

     aws lambda get-policy --function-name <function-name> --region <region-name>

  3. AWS CLI - Updating function policies:

     aws lambda add-permission --function-name <function-name> --region <region-name> \
       --statement-id <unique-id> --action lambda:InvokeFunction --principal <account-id> \
       --source-arn arn:aws:execute-api:<region-name>:<account-id>:<api-gateway-id>/*/POST/<path>

Remediation Steps:

  1. Identify publicly accessible Lambda functions:

     • Run the AWS CLI command `aws lambda list-functions` to obtain a list of all Lambda functions in your account.

  2. Review function permissions:

     • Use the AWS CLI command `aws lambda get-policy --function-name <function-name>` for each Lambda function to view its current policy.
     • Analyze the policies to identify any open permissions or public access configurations.

  3. Update function policies:

     • For each publicly accessible function, use the AWS CLI command `aws lambda add-permission` to update the function's policy.
     • Replace <function-name> with the name of the Lambda function you want to modify, and <region-name> with the appropriate AWS region.
     • Specify a unique <unique-id> for the statement ID.
     • Adjust the --principal and --source-arn parameters based on your specific requirements.
     • Repeat this step for all publicly accessible Lambda functions.

  4. Verify changes:

     • Run the AWS CLI command `aws lambda get-policy --function-name <function-name>` to confirm that the policy has been updated successfully.
     • Ensure that the functions no longer allow public access.
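As an added example (not part of the original rule page or its CLI snippets), the script below automates steps 2 through 4: it parses the JSON that `aws lambda get-policy` prints, flags statements that grant access to a wildcard principal without a scoping condition such as aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID, and emits the `aws lambda remove-permission` command that deletes each offending statement by its statement ID. One caveat worth stating plainly: `aws lambda add-permission`, used in the snippets above, adds a new grant to the policy; it does not delete an existing public statement, which is what `remove-permission` does. The check goes slightly beyond the page by also treating a function-URL statement with `lambda:FunctionUrlAuthType` set to NONE as public. The policy document, function name, account ID and statement IDs are constructed sample values, not taken from any real account.

```python
import json

# Condition keys that scope a wildcard-principal grant to a specific caller, account or
# organization. A statement carrying one of these is restricted, not open to everyone.
SCOPING_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def has_wildcard_principal(statement):
    """True when the statement's Principal is "*" or {"AWS": "*"} (anyone may call)."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def has_scoping_condition(statement):
    """True when any Condition block names a key from SCOPING_CONDITION_KEYS.
    Keys are compared case-insensitively because get-policy output may print
    e.g. "AWS:SourceArn" rather than "aws:SourceArn"."""
    for operator_block in (statement.get("Condition") or {}).values():
        for key in operator_block:
            if key.lower() in SCOPING_CONDITION_KEYS:
                return True
    return False


def is_public_statement(statement):
    """A statement is public if it allows a wildcard principal and nothing scopes that grant."""
    return (statement.get("Effect") == "Allow"
            and has_wildcard_principal(statement)
            and not has_scoping_condition(statement))


def find_public_statements(get_policy_output):
    """Return the Sids of public statements in the JSON printed by `aws lambda get-policy`.
    The outer object carries the policy document as a JSON-encoded string under "Policy"."""
    outer = json.loads(get_policy_output)
    policy = json.loads(outer["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    return [s["Sid"] for s in statements if is_public_statement(s)]


def remediation_commands(function_name, region, sids):
    """Build the remove-permission command for each public statement ID."""
    return [
        f"aws lambda remove-permission --function-name {function_name} "
        f"--region {region} --statement-id {sid}"
        for sid in sids
    ]


# Constructed sample of get-policy output (placeholder account 111122223333, function "orders-api").
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-api"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            # Anyone on the internet may invoke the function: public.
            {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Function URL with auth type NONE: also public.
            {"Sid": "FunctionUrlAllowPublicAccess", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
             "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
            # Service principal scoped to one API Gateway route: not public.
            {"Sid": "ApiGatewayInvoke", "Effect": "Allow",
             "Principal": {"Service": "apigateway.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn":
                           "arn:aws:execute-api:us-east-1:111122223333:abc123/*/POST/orders"}}},
            # Wildcard principal but restricted to a single account: not public.
            {"Sid": "CrossAccountScoped", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
        ],
    }),
    "RevisionId": "constructed-revision-id",
})


if __name__ == "__main__":
    import sys
    # Pipe real output in (aws lambda get-policy ... --output json | python3 this.py);
    # with no piped input the constructed sample is checked instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GET_POLICY_OUTPUT
    public_sids = find_public_statements(raw)
    print("public statements:", public_sids)
    for cmd in remediation_commands("orders-api", "us-east-1", public_sids):
        print(cmd)
```

After running the emitted `remove-permission` commands, re-run `get-policy` and feed the output back through the script; an empty list of public statements is the verification in step 4. If every statement is removed, `get-policy` returns a ResourceNotFoundException, which for this check simply means no resource policy is attached.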

Final Notes:

Adhering to the GxP 21 CFR Part 11 guidelines by restricting public access for Lambda functions helps maintain the security and compliance of sensitive data and critical operations. Regularly reviewing and updating function policies is necessary to mitigate the risk of unauthorized access and potential data breaches.
