
Rule: Lambda functions should restrict public access

This rule ensures Lambda functions have restricted public access.

Rule: Lambda functions should restrict public access
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description

Lambda functions should restrict public access to comply with the NIST 800-53 Revision 5 standard. This rule ensures that Lambda functions are not accessible by the general public, thereby minimizing the risk of unauthorized access and data breaches.

Troubleshooting Steps

If you encounter issues with public access to Lambda functions, follow these troubleshooting steps:

  1. Check Lambda Function Configuration: Review the configuration settings of the Lambda function to ensure that public access is restricted.
  2. Check Function Permissions: Verify the IAM permissions and roles assigned to the Lambda function to ensure that public access is denied.
  3. Verify Execution Role: Ensure that the execution role assigned to the function does not have any policies allowing public access.
  4. Review Network Configuration: Review the VPC and subnets associated with the Lambda function to ensure that it is not publicly accessible.
  5. Check Security Group Rules: Validate the security group rules associated with the Lambda function to ensure that inbound access from the internet is restricted.

Necessary Code

The following code snippet can be used to restrict public access to Lambda functions:

Resources:
  MyLambdaFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: MyFunction
      # Role must resolve to the execution role's ARN; if MyLambdaExecutionRole is an
      # AWS::IAM::Role resource in this template, use !GetAtt MyLambdaExecutionRole.Arn
      Role: !Ref MyLambdaExecutionRole
      Code:
        S3Bucket: my-lambda-bucket
        S3Key: lambda-function.zip
      Handler: index.handler
      # nodejs12.x (the original value here) is deprecated and can no longer be used
      # to create functions; use a currently supported runtime
      Runtime: nodejs20.x
      VpcConfig:
        # Replace the placeholders with the security group and private subnets of your VPC
        SecurityGroupIds:
          - sg-xxxxxxxx
        SubnetIds:
          - subnet-xxxxxxxx
          - subnet-xxxxxxxx

In the above template, the VpcConfig property attaches the Lambda function to the specified security groups and subnets, which restricts public access.

Remediation Steps

To remediate public access to Lambda functions and comply with NIST 800-53 Revision 5, follow these steps:

  1. Identify Lambda Functions: Identify the Lambda functions that require public access restriction.
  2. Review Function Configuration: Review the configuration settings of each Lambda function to identify any existing public access.
  3. Associate Lambda Functions with VPC: If not already done, associate the Lambda functions with a Virtual Private Cloud (VPC) to restrict public access.
  4. Create VPC Security Group: Create a security group in the VPC that will control the inbound and outbound traffic for the Lambda functions.
  5. Add Security Group Rules: Configure the security group rules to only allow necessary inbound connections (e.g., from specific IP ranges or internal services). Deny all inbound access from the internet.
  6. Associate Subnets: Associate the desired subnets within the VPC to the Lambda functions to limit network access to within the VPC.
  7. Update Function Configuration: Update the Lambda function configuration to include the VPC configuration (as shown in the necessary code snippet above).
  8. Test Function Access: Test the Lambda functions to ensure they are no longer publicly accessible and verify that they still function as expected.
  9. Periodic Review: Regularly review and audit Lambda functions to ensure ongoing compliance with the public access restriction policy.

By following the above steps, you can effectively restrict public access to Lambda functions, aligning with the NIST 800-53 Revision 5 standard.
