Profile Applicability:

  • Level 1                      

Description:

Amazon GuardDuty Lambda Protection provides threat detection for AWS Lambda functions by monitoring function invocations and scanning for malicious activity. When enabled, GuardDuty analyzes Lambda execution logs to detect threats such as:

  • Execution of malicious code.

  • Unauthorized API calls.

  • Unusual behavior in function invocations.

Enabling GuardDuty Lambda Protection enhances the visibility and security of serverless applications.

Rationale:

Lambda functions can be targeted by attackers to execute malicious code or exploit misconfigurations. GuardDuty Lambda Protection helps detect:

  • Privilege escalation attempts.

  • Data exfiltration.

  • Malware and unauthorized activity within Lambda functions.

This proactive monitoring helps maintain the integrity and security of serverless workloads.

Impact

  • Pros:

    • Detects malicious activity in Lambda functions.

    • Enhances visibility into serverless workloads.

    • Integrates with existing GuardDuty findings and alerts.

  • Cons:

    • Additional cost associated with Lambda Protection in GuardDuty.

    • Slight performance overhead due to monitoring.

Default Value:

  • GuardDuty Lambda Protection is disabled by default and must be manually enabled.

Pre-Requisite:

  • AWS IAM permissions:

    • guardduty:UpdateDetector

    • guardduty:GetDetector

    • guardduty: ListDetectors

    • guardduty:CreateDetector

  • Amazon GuardDuty must be enabled in the AWS account.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon GuardDuty.

         

  1. In the left navigation pane, select Detectors.

  2. Choose the active Detector for your AWS region.

         

  1. Go to Lambda Protection settings.

           

  1. Check the status of Lambda Protection:

    • Pass: If the status is Enabled.

    • Fail: If the status is Disabled.

                 

Using AWS CLI:

List GuardDuty Detectors:

aws guardduty list-detectors --region <region>
  1.        Note the Detector ID from the output.

Check Lambda Protection Status:

aws guardduty get-detector --detector-id <detector-id> --region <region> --query 'DataSources.Lambda.FunctionLogs.Status'

Example output:
"ENABLED"

  • Pass: If the status is ENABLED.

  • Fail: If the status is DISABLED.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon GuardDuty.

               

  1. Select Detectors → Choose the Detector ID for your region.

             

  1. In the left menu, select Lambda Protection.

                     

  1. Enable Lambda Protection:

    • Toggle the switch to Enable.

    • Confirm enabling Lambda Protection.

                          

  1. Save Changes.

Using AWS CLI:

List Detectors:

aws guardduty list-detectors --region <region>

Enable Lambda Protection:

aws guardduty update-detector \

  --detector-id <detector-id> \

  --enable-lambda-logs \

  --region <region>

Verify the Status:

aws guardduty get-detector --detector-id <detector-id> --region <region> --query 'DataSources.Lambda.FunctionLogs.Status'

The expected output:
"ENABLED"


Backout Plan:

If enabling Lambda Protection causes unexpected costs or operational issues, it can be disabled:

  1. Go to Amazon GuardDuty in the AWS Console.

  2. Navigate to Detectors → Lambda Protection.

  3. Toggle Lambda Protection to Disabled.

  4. Save Changes.

References:

  1. Amazon GuardDuty Documentation

  2. GuardDuty Lambda Protection

  3. AWS CLI GuardDuty Commands