Rule: Lambda functions should restrict public access

Guideline ensuring Lambda functions restrict public access for security

Rule: Lambda functions should restrict public access
Framework: NIST 800-171 Revision 2
Severity: Critical

Rule Description:

Lambda functions should restrict public access for NIST 800-171 Revision 2.

This rule is designed to enforce the security requirement outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 Revision 2. According to this requirement, Lambda functions should have restricted public access to prevent unauthorized access and enhance the overall security posture of the system.

Troubleshooting Steps:

If the Lambda function is found to have public access enabled, it poses a security risk as anyone can invoke or access the function without proper authorization. To troubleshoot and address this issue, the following steps can be taken:

  1. Identify the publicly accessible Lambda functions: Utilize the AWS Management Console, AWS CLI, or AWS SDKs to identify the Lambda functions that have public access enabled.

  2. Verify the access settings: Review the access settings for each identified Lambda function to confirm if public access is enabled. Check for any configuration or permission mismatches that might have enabled public access unintentionally.

  3. Investigate the usage and functionality: Determine the purpose of each Lambda function and its expected usage. Identify any potential security implications or vulnerabilities associated with public access.

  4. Assess the impact: Evaluate the potential impact of restricting public access on the existing system. Consider any dependencies, integrations, or applications that rely on the Lambda function and analyze the potential consequences of closing public access.

Remediation:

To remediate the Lambda functions with public access for compliance with NIST 800-171 Revision 2, follow the steps outlined below:

  1. Identify affected Lambda functions: Use the AWS Management Console, AWS CLI, or AWS SDKs that are suitable for your environment to identify the Lambda functions that have public access enabled.

  2. Update the function's access configuration: For each Lambda function with public access, modify the access configuration to restrict public access. There are multiple approaches to achieve this based on your requirements:

    a. VPC Configuration: If the Lambda function requires network connectivity, configure it to run within a Virtual Private Cloud (VPC). Ensure that the associated subnets, security groups, and network access control lists are appropriately configured to restrict access.

    b. Function-level Security: Implement function-level access controls using AWS Identity and Access Management (IAM) to restrict invocation permissions. Only authorized roles or users should have the necessary permissions to invoke the function.

    c. API Gateway Integration: If the Lambda function is integrated with an API Gateway, ensure that the API Gateway is properly configured to handle authentication, authorization, and rate limiting. This helps to prevent unauthorized direct access to the function.

  3. Testing and Validation: After implementing the necessary changes to restrict public access, thoroughly test the Lambda functions to ensure their functionality remains intact. Validate that the desired level of access restrictions is in place and unauthorized access attempts are properly denied.

  4. Ongoing Monitoring and Maintenance: Regularly monitor the access settings for Lambda functions and review the logs to identify any unexpected access attempts or misconfigurations. Establish a process to promptly address any new or emerging security issues.
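As an added example (not Cloud Defense's own tooling), the following Python audit carries out remediation steps 1 and 2b against the place where Lambda actually grants public invoke access, the function's resource-based policy: it flags Allow statements with a wildcard principal and no Condition, and emits the matching `aws lambda remove-permission` commands. The function ARN, account id and statement ids are constructed sample values; `audit_functions` takes any object with the boto3 Lambda client's `list_functions` / `get_policy` methods, so it runs offline with a stand-in.

```python
import json

# Constructed sample of the JSON string that lambda:GetPolicy returns as "Policy".
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "S3Trigger", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}}]})

def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, not only this account."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_statement_ids(policy_json):
    """Sids of Allow statements granted to any principal without a Condition.
    A wildcard scoped by aws:SourceAccount/aws:SourceArn is not flagged here."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    return [s.get("Sid", "<no-sid>") for s in statements
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def audit_functions(lambda_client):
    """Map function name -> public Sids for every function the client lists.
    lambda_client is a boto3 Lambda client (or a stand-in with the same API);
    functions with no resource policy raise ResourceNotFoundException."""
    findings, kwargs = {}, {}
    while True:  # follow Marker/NextMarker pagination
        page = lambda_client.list_functions(**kwargs)
        for fn in page["Functions"]:
            name = fn["FunctionName"]
            try:
                policy = lambda_client.get_policy(FunctionName=name)["Policy"]
            except lambda_client.exceptions.ResourceNotFoundException:
                continue  # no resource-based policy: nothing public
            if sids := public_statement_ids(policy):
                findings[name] = sids
        if not page.get("NextMarker"):
            return findings
        kwargs = {"Marker": page["NextMarker"]}

def remediation_commands(findings):
    """AWS CLI commands that drop each public statement (remediation step 2b)."""
    return [f"aws lambda remove-permission --function-name {fn} --statement-id {sid}"
            for fn, sids in findings.items() for sid in sids]
```

Review the generated commands against the dependency analysis from troubleshooting step 4 before running them, since removing a statement also cuts off any legitimate caller that relied on it.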

Conclusion:

By adhering to the NIST 800-171 Revision 2 requirement of restricting public access to Lambda functions, you enhance the security of your system and comply with industry best practices. Following the troubleshooting steps and remediation guidelines will help ensure the proper implementation and ongoing maintenance of this security measure.
