
Lambda Functions Prohibit Public Access Rule

Details about the critical rule ensuring Lambda functions restrict public access.

Rule: Lambda functions should prohibit public access
Framework: PCI v3.2.1
Severity: Critical

Lambda Functions Public Access Prohibition for PCI v3

Description

This rule aims to enforce the prohibition of public access to Lambda functions in order to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) version 3.

Lambda functions serve as serverless compute resources within AWS, allowing you to run your code without provisioning or managing servers. To ensure the security of PCI data, it is essential to prevent unauthorized access to Lambda functions by configuring them to be private and inaccessible from the public internet.

Troubleshooting Steps

If public access to a Lambda function is detected, follow these troubleshooting steps:

  1. Identify the affected Lambda function(s).
  2. Verify whether any resource or policy is allowing public access to the Lambda function(s).
  3. Review the security groups associated with the Lambda function, ensuring that inbound rules do not allow access from the public internet.
  4. Check whether any associated API Gateway endpoints or other AWS resources may expose the Lambda function publicly.
  5. Review the function's execution policy and associated IAM roles to ensure that only authorized entities can invoke it.

Necessary Code

Implementing this rule may involve modifying the existing Lambda function configuration. Below is an example code snippet that demonstrates how to configure a Lambda function to prohibit public access:

import boto3

def lambda_handler(event, context):
    lambda_client = boto3.client('lambda')

    # Name the function to lock down and attach it to your VPC by giving it a
    # security group and private subnet(s); replace the placeholder IDs with
    # the real ones from your environment
    function_name = 'your-lambda-function-name'
    lambda_client.update_function_configuration(
        FunctionName=function_name,
        VpcConfig={
            'SecurityGroupIds': ['sg-xxxxxxxx'],
            'SubnetIds': ['subnet-xxxxxxxx']
        }
    )

The above code snippet sets the Lambda function's VPC configuration, associating it with specific security groups and subnets. This restricts the function's accessibility to within your private network, eliminating any public access.
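Troubleshooting steps 2 and 5 above ask you to find the resource or policy that grants public access; the VPC attachment governs the function's own network path, while who may invoke the function is decided by its resource-based policy (the JSON string that lambda:GetPolicy returns). The block below is an added example, not code from this page or from Cloud Defense: it flags Allow statements whose Principal is a wildcard and whose Condition does not pin the caller to a source account, ARN or organization, and revokes them with lambda:RemovePermission; the policy document, Sids, account number and ARN are constructed, and the revoke helper assumes boto3 and AWS credentials.

```python
import json
# Constructed sample: the JSON string lambda:GetPolicy returns in its "Policy"
# field for a hypothetical function. The Sids, account and ARN are made up.
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    # anyone on the internet may invoke: public
    {"Sid": "anyone-invoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    # function URL with auth type NONE: still public despite the Condition
    {"Sid": "url-no-auth", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    # wildcard principal pinned to one account by a source condition: not public
    {"Sid": "same-account-only", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}},
    # named service principal, no wildcard: not public
    {"Sid": "apigw", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "apigateway.amazonaws.com"}, "Resource": FN_ARN},
]})

# Condition keys that pin a wildcard principal to a known caller; any other
# key (such as lambda:FunctionUrlAuthType above) leaves the grant public.
RESTRICTING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid", "aws:principalaccount"}

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or "*" in (principal if isinstance(principal, list) else [])

def _restricted(condition):
    """True if some condition key ties the caller to a specific account, ARN or org."""
    keys = (k.lower() for block in condition.values() for k in block)
    return any(k in RESTRICTING_KEYS for k in keys)

def find_public_statements(policy_json):
    """Sids of Allow statements that let any principal invoke the function."""
    stmts = json.loads(policy_json).get("Statement", [])
    return [s.get("Sid") for s in stmts
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and not _restricted(s.get("Condition", {}))]

def remove_public_statements(function_name, sids, region="us-east-1"):
    """Revoke the flagged grants via lambda:RemovePermission (needs boto3 and credentials)."""
    import boto3  # imported here so the checker above runs without AWS access
    client = boto3.client("lambda", region_name=region)
    for sid in sids:
        client.remove_permission(FunctionName=function_name, StatementId=sid)
```

Against a live function, feed the "Policy" string from lambda_client.get_policy(FunctionName=...) to find_public_statements and pass the returned Sids to remove_public_statements; a function URL with auth type NONE should also be removed or switched to AWS_IAM, since deleting its permission statement alone leaves the URL configured.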

Step-by-Step Guide for Remediation

Follow these steps to remediate the issue of public access to Lambda functions:

  1. Identify the affected Lambda function(s) within your environment.
  2. Review the function's configuration and associated components.
  3. Ensure that the Lambda function configuration does not include any public-facing settings or permissions.
  4. Implement the necessary VPC configuration to restrict access to the function. Refer to the code snippet provided earlier for an example.
  5. Test the configuration to validate that the Lambda function is no longer publicly accessible.
  6. Monitor and regularly review the access permissions and configurations of your Lambda functions to maintain compliance with PCI DSS.

By following these steps diligently, you can ensure that your Lambda functions are properly secured and adhere to PCI DSS version 3 requirements.
