
Rule: Lambda functions should restrict public access

This rule ensures Lambda functions have restricted public access to enhance security measures.

Rule: Lambda functions should restrict public access
Framework: RBI Cyber Security Framework
Severity: Critical

Rule Description

According to the RBI (Reserve Bank of India) Cyber Security Framework, Lambda functions should restrict public access: a function must not be invocable by the public or by unauthorized users. A publicly accessible function can be invoked by anyone on the internet, which exposes it to abuse and potential breaches, so enforcing this rule is critical.

Troubleshooting Steps

If you suspect that public access is enabled for a Lambda function, follow the troubleshooting steps below:

  1. Access the AWS Management Console.
  2. Open the Lambda service.
  3. Identify the Lambda function in question.
  4. Check the function's configuration.
  5. Ensure that public access is disabled.
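As a concrete way to carry out steps 4 and 5, and to verify a remediation afterwards, the following is an added example and not code from this page or from AWS. It inspects a function's resource-based policy, the JSON document that `aws lambda get-policy` (boto3: `get_policy`) returns in its Policy field, and reports Allow statements that grant invoke rights to any principal without a condition tying the grant to a specific account, source ARN or organisation. The sample policy is constructed; the `fetch_policy` helper and the list of restricting condition keys are this example's own choices.

```python
"""Offline check for a public Lambda resource-based policy.

Added example, not part of the rule page. It evaluates the policy document
that `aws lambda get-policy` returns in its "Policy" field. The sample policy
at the bottom is constructed for illustration.
"""
import json

# Condition keys that scope a wildcard principal to a known caller (an account,
# a source ARN, an organisation). Compared case-insensitively, as IAM does.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcearn",
    "aws:sourceaccount",
    "aws:principalorgid",
}


def _principal_is_wildcard(principal) -> bool:
    """True if the statement's Principal grants to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _condition_restricts(condition) -> bool:
    """True if any condition key narrows the grant to a specific source."""
    if not condition:
        return False
    for operator_block in condition.values():
        for key in operator_block:
            if key.lower() in RESTRICTING_CONDITION_KEYS:
                return True
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that let any principal invoke the function."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object, not a list
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition")):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def is_public(policy_json: str) -> bool:
    """Convenience wrapper: does the policy expose the function to everyone?"""
    return bool(public_statements(policy_json))


def fetch_policy(function_name: str) -> str:
    """Live variant (needs boto3 and AWS credentials): return the Policy string.

    Hypothetical helper for this example. Note that get_policy raises
    ResourceNotFoundException when the function has no resource-based policy,
    which for this rule means there is nothing public to report.
    """
    import boto3  # imported lazily so the offline check runs without boto3
    return boto3.client("lambda").get_policy(FunctionName=function_name)["Policy"]


# Constructed sample policy: a cross-account grant (fine), a wildcard scoped by
# aws:SourceAccount (fine), and an unconditioned wildcard of the shape a
# function URL with auth type NONE produces (public).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:222222222222:function:example"},
        {"Sid": "ScopedWildcard", "Effect": "Allow",
         "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:222222222222:function:example",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "222222222222"}}},
        {"Sid": "PublicInvoke", "Effect": "Allow",
         "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:222222222222:function:example",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    ],
})

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_POLICY))
```

Running the module prints `['PublicInvoke']`: the partner-account grant is a named principal, the scoped wildcard is tied to one account, and only the unconditioned wildcard is public. To check a live function, pass `fetch_policy("my-function")` to `public_statements`; a flagged Sid is the statement to remove (`aws lambda remove-permission --statement-id <Sid>`) or to replace with a named principal or a restricting condition.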

Necessary Codes

In the context of restricting public access to Lambda functions, the code snippets below can be used to reinforce this policy. They help ensure that only authorized entities can invoke the Lambda functions.

Example 1: Restricting Access to VPC

This example covers the case where the Lambda function is placed in a specified Virtual Private Cloud (VPC), identified by its ID. The VPC attachment (VPC, subnets and security groups) is set in the function's network configuration rather than in the handler code; the snippet below is the handler skeleton that such a VPC-attached function runs.

import json

def lambda_handler(event, context):
    # The VPC attachment is configured on the function itself (Network settings),
    # not in this code. Your Lambda function code goes here.
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

To implement this code:

  1. Include the necessary code within the lambda_handler function.
  2. Replace the comment with your actual Lambda function logic.

Example 2: Restricting Access Based on IP Addresses

This code snippet makes the Lambda function accept requests only from specified IP addresses or IP address ranges (CIDR notation), as an application-level check that complements the function's resource-based policy.

import json
import ipaddress

# Allowed IP address list or ranges (CIDR notation), parsed once at cold start
ALLOWED_NETWORKS = [ipaddress.ip_network(cidr) for cidr in ('192.168.0.0/24', '10.0.0.0/16')]

def lambda_handler(event, context):
    # Retrieve the source IP address from the event. API Gateway REST APIs put it
    # under identity.sourceIp; HTTP APIs and function URLs use http.sourceIp.
    request_context = event.get('requestContext', {})
    source_ip = (request_context.get('identity', {}).get('sourceIp')
                 or request_context.get('http', {}).get('sourceIp'))

    # Parse the address and test it against each allowed network. A plain string
    # comparison against CIDR strings would never match, so parsing is required.
    try:
        address = ipaddress.ip_address(source_ip)
    except (TypeError, ValueError):
        address = None

    # Deny if the source IP is missing, malformed, or outside every allowed range
    if address is None or not any(address in net for net in ALLOWED_NETWORKS):
        return {
            'statusCode': 403,
            'body': json.dumps('Access denied')
        }

    # Your Lambda function code here
    return {
        'statusCode': 200,
        'body': json.dumps('Hello from Lambda!')
    }

To implement this code:

  1. Include the necessary code within the lambda_handler function.
  2. Modify the ALLOWED_NETWORKS list to include the desired IP addresses or ranges.
  3. Replace the comment with your actual Lambda function logic.

Step-by-Step Guide for Remediation

If you need to restrict public access for a Lambda function according to the RBI Cyber Security Framework, follow these step-by-step instructions:

  1. Access the AWS Management Console.
  2. Open the Lambda service.
  3. Identify the Lambda function that requires public access restriction.
  4. Click on the function to open its configuration.
  5. Scroll down to the "Network" section.
  6. Ensure that the function is configured to run within a VPC.
     • If not, click "Edit" and choose the desired VPC from the dropdown menu.
  7. Review the "Security groups" assigned to the Lambda function.
     • Ensure that the associated security groups are properly configured to restrict public access.
     • Edit the security groups if necessary to update the inbound rules.
  8. Scroll further down to the "Permissions" section.
  9. Review the "Execution role" assigned to the Lambda function.
     • Ensure that the execution role has appropriate policies to restrict public access.
     • Edit the role if necessary to add or modify the policies.
  10. Save the changes.

By following these steps, you can effectively restrict public access for Lambda functions, aligning with the RBI Cyber Security Framework requirements. Remember to regularly review and update the Lambda function's configuration to ensure ongoing compliance.
