Rule: Lambda Functions Should Restrict Public Access

This rule checks that no Lambda function can be invoked by anonymous or unrestricted callers, whether through a resource-based policy statement that grants invoke rights to everyone or through a function URL that requires no authentication.

Rule: Lambda functions should restrict public access
Framework: HIPAA
Severity: Critical

Rule Description:

Lambda functions that store or process protected health information must not be publicly invokable, in keeping with the access-control requirements of the Health Insurance Portability and Accountability Act (HIPAA). In AWS, who may invoke a Lambda function is decided by the function's resource-based policy and, where one exists, by the authentication type of its function URL. A policy statement that grants lambda:InvokeFunction (or lambda:InvokeFunctionUrl) to Principal "*" with no condition pinning the caller, or a function URL whose auth type is NONE, lets anyone on the internet run the function and read whatever it returns. The purpose of this rule is to find and remove such grants so that the confidentiality, integrity and availability of health data handled by the function are preserved.

Troubleshooting Steps (if applicable):

  1. Identify the AWS accounts and regions whose Lambda functions are in scope for HIPAA compliance.
  2. Determine which functions are publicly invokable by reading each function's resource-based policy (the Lambda GetPolicy API) and its function URL configuration (GetFunctionUrlConfig). A statement whose Principal is "*" or {"AWS": "*"} with no condition pinning the caller (such as aws:SourceArn or aws:SourceAccount), or a function URL with auth type NONE, means the function can be invoked without authentication. Security groups and VPC settings do not control who may invoke a function, so they are not where public access is found.
  3. Review the remaining resource-based policy statements and the function's execution role so that only the intended accounts, AWS services and roles can invoke the function, as HIPAA's minimum-necessary access principle requires.
  4. Record each misconfiguration found, with the function name, account, region and offending statement or URL setting, so it can be remediated and tracked to closure.

Necessary Codes (if applicable):

The two snippets below change only the function's network attachment, which governs the path the function's own outbound traffic takes. Neither one changes who may invoke the function: that is decided by the function's resource-based policy and its function URL auth type, which the remediation steps below deal with. Both snippets need credentials that hold lambda:UpdateFunctionConfiguration and are meant to be run from an operator's machine, not from inside the function itself.

  1. Code snippet to attach a Lambda function to a VPC (for example, so that it reaches a database in a private subnet):
import boto3

client = boto3.client('lambda')

def attach_to_vpc(function_name, subnet_ids, security_group_ids):
    # Only SubnetIds and SecurityGroupIds belong in VpcConfig here. Passing the
    # whole VpcConfig block returned by get_function_configuration fails
    # parameter validation because that block also carries VpcId.
    response = client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={
            'SubnetIds': subnet_ids,
            'SecurityGroupIds': security_group_ids,
        },
    )
    # The update is applied asynchronously; LastUpdateStatus in the
    # configuration reports when it has finished.
    return response['VpcConfig']

if __name__ == '__main__':
    # Replace the placeholders with the function name and the IDs of the
    # private subnets and security group the function should use.
    attach_to_vpc('my-function', ['subnet-XXXXXXXX'], ['sg-XXXXXXXX'])
  2. Code snippet to detach a Lambda function from its VPC, returning it to Lambda's default AWS-managed network path:
import boto3

client = boto3.client('lambda')

def detach_from_vpc(function_name):
    # Passing empty lists for both fields is the documented way to remove a
    # function's VPC configuration.
    response = client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={'SubnetIds': [], 'SecurityGroupIds': []},
    )
    return response.get('VpcConfig', {})

if __name__ == '__main__':
    detach_from_vpc('my-function')

Step-by-Step Guide for Remediation:

  1. Identify the AWS accounts and regions whose Lambda functions are in scope for HIPAA compliance.
  2. Sign in to the AWS Management Console and open the Lambda service.
  3. For each function, open the Configuration tab and check two places: under Permissions, the "Resource-based policy statements" section, and under Function URL, the auth type. Note every function that has a statement granting an invoke action to Principal "*" with no condition pinning the caller (such as aws:SourceArn or aws:SourceAccount), or a function URL with auth type NONE.
  4. Remove the public grant:
    • Under Permissions, select each such statement and delete it. Leave statements that pin the caller in place, for example those created for S3 or SNS triggers, since those are what let the trigger work.
    • Under Function URL, either delete the URL or edit it and set the auth type to AWS_IAM so that callers must sign requests with IAM credentials.
    • After saving, re-open the Permissions section and confirm the public statement is gone.
  5. For functions attached to a VPC, review the network attachment as a separate hardening step. Lambda functions do not accept inbound network connections, so inbound security-group rules do not gate who can invoke them; instead confirm that the security group's outbound rules and the subnet's routes allow only the private resources the function must reach (for example, a database holding PHI). Attaching a function to a VPC, or detaching it, does not change who can invoke it.
  6. Repeat steps 3 to 5 for every function in scope.
  7. Monitor continuously: review the resource-based policies and function URL settings on a schedule, and alert on Lambda AddPermission and function URL configuration changes recorded in CloudTrail so that new public grants are caught as soon as they are made.

Note: Consult with your organization's security and compliance teams to ensure the specific requirements of HIPAA compliance are met, as policies may vary depending on the context and regulations applicable to your organization.
