
Rule: Lambda functions should restrict public access

Ensure Lambda functions restrict public access to enhance security measures.

Rule: Lambda functions should restrict public access
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description:

Lambda functions should have public access restricted to comply with NIST 800-53 Revision 5 security standards. For Lambda, "public access" means that anyone can invoke the function: either its resource-based policy contains a statement granting invoke permission to Principal "*" without a condition narrowing the caller, or it exposes a Function URL with auth type NONE. The rule aims to prevent unauthorized invocation, and the data exposure or cost abuse that follows, by requiring that every path to the function be authenticated and scoped to known callers.

Troubleshooting Steps:

If your Lambda functions allow public access, follow the steps below to troubleshoot and rectify the issue:

1. Identify the affected Lambda function(s): For each function, retrieve its resource-based policy and its Function URL configuration (if any). These two settings, not the function code or runtime settings, determine who is allowed to invoke the function.

2. Analyze access configurations: A function is publicly invocable when its resource-based policy contains an Allow statement whose Principal is "*" (or {"AWS": "*"}) and that carries no condition narrowing the caller, such as aws:SourceArn or aws:SourceAccount, or when it has a Function URL with auth type NONE. Lambda has no IP-based allowlist; a 0.0.0.0/0 rule in a security group affects the traffic the function itself sends within a VPC, not who can invoke it.

3. Review associated resources: Check whether resources in front of or around the function expose it indirectly, for example API Gateway methods with authorization type NONE and no API key requirement, S3 buckets whose event notifications invoke the function and are themselves publicly writable, or other accounts and services that have been granted invoke permission.

4. Evaluate IAM permissions: Review identity-based policies that grant lambda:InvokeFunction, lambda:AddPermission or lambda:CreateFunctionUrlConfig broadly, since these let principals open the function to the public. Also review the function's execution role: it governs what the function can do once invoked, so an over-permissive role widens the blast radius of a publicly invocable function.

5. Review VPC configuration: If a function is attached to a VPC, its subnets, security groups and network ACLs control the function's outbound network path, not inbound invocation. They do not prevent public invocation through the Lambda API or a Function URL, so tighten them to limit what a publicly reachable function could reach, but do not rely on them to satisfy this rule.

6. Test function accessibility: Attempt an invocation from an unauthorized source, for example an unauthenticated HTTPS request to the Function URL or an invoke from an AWS account that has not been granted permission, and confirm that it is rejected with a 403 Forbidden or AccessDeniedException.

Code Example:

To restrict public access, remove the statement in the function's resource-based policy that grants invoke permission to Principal "*" (the get-policy subcommand lists the statements and their Sid values), and, if the function has a Function URL with auth type NONE, switch it to IAM authorization. Below are the AWS Command Line Interface (CLI) commands that make those two changes:

aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>
aws lambda update-function-url-config --function-name <function_name> --auth-type AWS_IAM

Replace <function_name> with the name of your Lambda function and <statement_id> with the Sid of the public statement. Note that attaching the function to a VPC (update-function-configuration with --vpc-config) only changes the network path of the function's outbound traffic; it does not restrict who can invoke the function and is not a remediation for this rule.

Remediation Steps:

Follow the steps below to remediate the issue and restrict public access to your Lambda functions:

1. Identify the Lambda functions: Determine which Lambda functions have a public resource-based policy statement or a Function URL with auth type NONE.

2. Update the access configuration: Use the AWS CLI or AWS Management Console to remove the public statement from the function's resource-based policy and set the Function URL auth type to AWS_IAM (or delete the URL if it is not needed). If the function must be callable by a specific service or account, re-grant it with a condition on aws:SourceArn or aws:SourceAccount instead of an unconditional wildcard. VPC settings, security groups and subnets do not restrict invocation and are not a substitute for these changes.

3. Update IAM policies: Review and modify the IAM policies associated with your Lambda functions so that they grant invoke and permission-management actions only to the principals that need them. Remove any unnecessary or overly permissive policies, including on the function's execution role.

4. Test accessibility: Validate that the Lambda functions can no longer be invoked publicly by attempting an unauthenticated request to the Function URL and a cross-account invoke from an account without a grant, and confirm that both are rejected.

5. Monitor and maintain: Regularly review your Lambda functions and associated resources to ensure ongoing compliance with NIST 800-53 Revision 5. Alert on the API calls that open a function to the public, such as AddPermission with a wildcard principal and CreateFunctionUrlConfig or UpdateFunctionUrlConfig with auth type NONE, so that accidental changes that reintroduce public access are caught quickly.
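The following Python script is an added example, not code from the original rule page or from Cloud Defense. It implements troubleshooting steps 1 and 2 and remediation steps 1, 2 and 4 above: it classifies each statement of a function's resource-based policy as public or scoped, checks the Function URL auth type, and emits the exact remove-permission and update-function-url-config commands needed. The classification runs offline on a constructed sample policy (the account IDs, bucket name and function name order-processor are hypothetical); audit_function() is the live variant and uses the real boto3 calls get_policy and get_function_url_config, so it needs AWS credentials.

```python
"""Audit and remediate public access on an AWS Lambda function.

Added example, not part of the original rule page. The checks run offline on the
constructed sample policy below; audit_function() is the live variant and needs
boto3 plus AWS credentials.
"""
from __future__ import annotations

import json

# Condition keys that pin a wildcard principal to a specific caller (e.g. the
# aws:SourceArn S3 presents when it invokes the function). A statement carrying
# one is service-scoped, not public. Wildcards inside condition values are not
# inspected here.
SCOPING_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def _is_wildcard_principal(principal) -> bool:
    """True if the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)


def _has_scoping_condition(statement: dict) -> bool:
    """True if some Condition key narrows the wildcard to a known source."""
    keys = (k.lower() for block in statement.get("Condition", {}).values() for k in block)
    return any(k in SCOPING_CONDITION_KEYS for k in keys)


def find_public_statements(policy_doc: str) -> list[str]:
    """Sids of Allow statements that let any principal invoke the function.

    policy_doc is the JSON string in the "Policy" field of `aws lambda get-policy`.
    """
    statements = json.loads(policy_doc).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written un-wrapped
        statements = [statements]
    return [
        s.get("Sid", "<no-sid>")
        for s in statements
        if s.get("Effect") == "Allow"
        and _is_wildcard_principal(s.get("Principal"))
        and not _has_scoping_condition(s)
    ]


def is_public_function_url(url_config: dict | None) -> bool:
    """True if a Function URL exists and accepts unauthenticated HTTPS requests."""
    return bool(url_config) and url_config.get("AuthType") == "NONE"


def remediation_commands(function_name: str, public_sids: list[str], public_url: bool) -> list[str]:
    """AWS CLI commands that remove each public grant found."""
    cmds = [f"aws lambda remove-permission --function-name {function_name} --statement-id {sid}"
            for sid in public_sids]
    if public_url:  # keep the URL but require SigV4-signed requests
        cmds.append(f"aws lambda update-function-url-config --function-name {function_name} --auth-type AWS_IAM")
    return cmds


def audit_function(function_name: str) -> list[str]:
    """Live audit of one function via boto3; returns the remediation commands."""
    import boto3  # imported here so the offline logic above has no SDK dependency
    client = boto3.client("lambda")
    not_found = client.exceptions.ResourceNotFoundException
    try:  # get_policy raises ResourceNotFoundException when no policy exists at all
        policy_doc = client.get_policy(FunctionName=function_name)["Policy"]
    except not_found:
        policy_doc = '{"Statement": []}'
    try:  # likewise when the function has no Function URL
        url_config = client.get_function_url_config(FunctionName=function_name)
    except not_found:
        url_config = None
    return remediation_commands(function_name, find_public_statements(policy_doc),
                                is_public_function_url(url_config))


# Constructed sample data (hypothetical account IDs, bucket and function names).
ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-processor"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    # S3 notification pinned to one bucket ARN: not public
    {"Sid": "s3-notify", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-orders-bucket"}}},
    # wildcard principal scoped to a single account: not public
    {"Sid": "partner-account", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": "210987654321"}}},
    # unconditional wildcard: public
    {"Sid": "public-invoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": ARN},
    # the statement Lambda adds for a Function URL with AuthType NONE: public
    {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunctionUrl", "Resource": ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
]})
SAMPLE_URL_CONFIG = {"AuthType": "NONE", "FunctionUrl": "https://abc123.lambda-url.us-east-1.on.aws/"}

if __name__ == "__main__":
    sids = find_public_statements(SAMPLE_POLICY)
    for cmd in remediation_commands("order-processor", sids, is_public_function_url(SAMPLE_URL_CONFIG)):
        print(cmd)
```

Run against the sample, the script flags only public-invoke and FunctionURLAllowPublicAccess; the S3 grant and the account-scoped grant are left alone, which is the distinction an automated check must get right or it will break legitimate event sources. The scoping-key allowlist is deliberately small: a Principal "*" statement whose only condition is something like lambda:FunctionUrlAuthType is still public and is reported as such.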

Remember, maintaining restricted public access to Lambda functions is crucial for safeguarding your AWS infrastructure and complying with the NIST 800-53 Revision 5 security guidelines.
