
Rule: Lambda functions should restrict public access

Ensure Lambda functions restrict public access to enhance security measures.

Rule: Lambda functions should restrict public access
Framework: HIPAA
Severity: Critical

Ensuring AWS Lambda Functions Restrict Public Access for HIPAA Compliance

AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. For organizations that handle protected health information (PHI), such as those subject to the Health Insurance Portability and Accountability Act (HIPAA), it's vital to ensure that Lambda functions are not publicly accessible to prevent unauthorized access to PHI.

Why Restrict Public Access?

HIPAA rules require appropriate safeguards to protect the privacy of personal health information. Unrestricted public access to Lambda functions could expose sensitive health-related information, resulting in violations of HIPAA regulations and causing potential harm to individuals’ privacy.

How to Restrict Public Access

  1.

    Use AWS Identity and Access Management (IAM)

    • IAM Policies: Attach identity-based policies to the IAM roles or users that are allowed to invoke your Lambda function (the function's execution role governs what the function itself may call, not who may invoke it). An identity-based policy carries no Principal element, because it applies to the role or user it is attached to:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "lambda:InvokeFunction",
                  "Resource": "arn:aws:lambda:region:account-id:function:function-name"
              }
          ]
      }
      
    • IAM Roles: Create a role with the necessary permissions for the Lambda function to access other AWS resources securely.

  2.

    Utilize AWS Resource-Based Policies

    • Resource-based Policies: Attach a resource-based policy (function policy) to your Lambda function. Resource policies control which AWS accounts, IAM principals and AWS services can invoke the function. Lambda writes function policies only through the add-permission API, which creates Allow statements, so scope a wildcard principal with a condition such as aws:PrincipalOrgID rather than relying on a Deny statement:

      {
          "Version": "2012-10-17",
          "Id": "default",
          "Statement": [
              {
                  "Sid": "RestrictPublicAccess",
                  "Effect": "Allow",
                  "Principal": "*",
                  "Action": "lambda:InvokeFunction",
                  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
                  "Condition": {
                      "StringEquals": {
                          "aws:PrincipalOrgID": "o-xxxxxxxxxxx"
                      }
                  }
              }
          ]
      }
      
      The equivalent CLI call is aws lambda add-permission with --principal '*' and --principal-org-id o-xxxxxxxxxxx.
      
  3.

    Employ VPC and Security Groups

    • Virtual Private Cloud (VPC): Configure your Lambda function to run inside an Amazon VPC to isolate the function in your own virtual network.
    • Security Groups: Set up VPC security groups to control the outbound traffic your Lambda function sends into the VPC (inbound rules do not apply, since nothing connects to a function's network interface). Note that VPC placement governs what the function's code can reach on the network, not who may call the Lambda API to invoke it; invocation is controlled by IAM and the function policy.
  4.

    Disable Public and Cross-Account Invocations

    • Lambda Permissions: Ensure there are no permissions that allow public or cross-account invocations without proper authorization. List the function policy with aws lambda get-policy, then remove any offending statement by its statement ID:

      aws lambda remove-permission --function-name function-name \
          --statement-id sid-to-remove
      
  5.

    Regularly Review and Audit Permissions

    • Audit with AWS Config: Utilize AWS Config to continuously monitor and audit configurations of your AWS resources.
    • Amazon CloudTrail: Enable CloudTrail to keep track of all API calls for your Lambda function, including invocations and policy changes.

Step by Step Guide for Remediation

  1.

    Check Lambda Permissions

    • Review the Lambda function's policies and ensure that no statement allows unrestricted access.
  2.

    Configure IAM Properly

    • Ensure only trusted entities have the lambda:InvokeFunction permission.
  3.

    Utilize a VPC

    • Configure your Lambda to run within a VPC that is set up with strict security group rules.
  4.

    Use AWS Config Rules

    • Set up AWS Config rules to automatically check the attached policies of Lambda functions.
  5.

    Monitor with Amazon CloudTrail

    • Check CloudTrail logs regularly for any unauthorized access or changes to the Lambda function or its policies.
  6.

    Remove Unnecessary Permissions

    • Identify and remove any permissions that are not in compliance with the least privilege principle.
  7.

    Repeat Audits Periodically

    • Regularly perform security audits of your Lambda functions to ensure they remain compliant over time.
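As an added example (not part of this page or of Cloud Defense's product), the following Python applies the check from remediation steps 1, 4 and 6 to a function policy in the shape returned by aws lambda get-policy: it flags Allow statements that any principal can use, or that a service principal can use without an aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID condition, and builds the remove-permission command from step 4 for each finding. The function ARN, account ids and organization id in the sample policy are constructed placeholders.

```python
import json
# Condition keys that bind a wildcard or service principal to one caller;
# a statement that lacks all of them is reachable far more widely.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}

def classify_statement(stmt):
    """Return 'public', 'unscoped-service' or None for one policy statement."""
    if stmt.get("Effect") != "Allow":
        return None
    for keys in stmt.get("Condition", {}).values():
        if any(key.lower() in SCOPING_KEYS for key in keys):
            return None  # scoped to an ARN, an account or an organization
    principal = stmt.get("Principal", {})
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    if principal == "*" or "*" in ([aws] if isinstance(aws, str) else aws):
        return "public"  # any caller on the internet may invoke the function
    if isinstance(principal, dict) and principal.get("Service"):
        return "unscoped-service"  # that service in any AWS account may invoke
    return None

def find_risky_statements(policy_json):
    """Map Sid -> finding for the Policy string that `aws lambda get-policy` returns."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = {}
    for stmt in statements:
        finding = classify_statement(stmt)
        if finding:
            findings[stmt.get("Sid", "<no-sid>")] = finding
    return findings

def remediation_commands(function_name, findings):
    """Build the remove-permission call from step 4 for every flagged Sid."""
    return [f"aws lambda remove-permission --function-name {function_name} "
            f"--statement-id {sid}" for sid in sorted(findings)]

FN_ARN = "arn:aws:lambda:us-east-1:111111111111:function:phi-export"  # constructed

def _stmt(sid, principal, condition=None):
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction", "Resource": FN_ARN}
    return {**stmt, "Condition": condition} if condition else stmt

# Constructed sample in the shape of a get-policy response, not a real function.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    _stmt("PublicInvoke", "*"),
    _stmt("OrgOnly", "*", {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}),
    _stmt("S3Trigger", {"Service": "s3.amazonaws.com"}),
    _stmt("PartnerAccount", {"AWS": "arn:aws:iam::222222222222:root"})]})
```

Running find_risky_statements(SAMPLE_POLICY) flags PublicInvoke and S3Trigger and leaves the organization-scoped and single-account statements alone; review each finding before removing it, since a service trigger may only need a SourceArn condition added.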

By implementing these controls and regularly reviewing them, you can ensure that your AWS Lambda functions conform to HIPAA requirements and protect against unauthorized disclosure of PHI. Maintaining compliance is an ongoing process and these steps help establish a solid foundation for a secure serverless environment.
