Profile Applicability:

  • Level 1

Description:

AWS Lambda functions operate based on permissions granted to their associated execution roles, which are governed by AWS Identity and Access Management (IAM) policies. To minimize the risk of unauthorized or excessive access, it's essential to ensure that no Lambda function within your AWS account is granted admin privileges, such as AdministratorAccess or equivalent, which could provide broader access to AWS resources.

Rationale:

Lambda functions with admin privileges (e.g., AdministratorAccess or wildcard * permissions) can inadvertently or maliciously perform actions across your entire AWS environment, including the ability to modify, delete, or access sensitive resources. Limiting Lambda functions to the principle of least privilege reduces security risks and ensures compliance with regulatory standards like SOC 2, HIPAA, and others.

Impact:

Pros:

  • Restricting Lambda functions to least-privilege access reduces the risk of security breaches.

  • It ensures that Lambda functions can only perform the specific actions required for their functionality.

  • Improves compliance with data protection regulations and internal security policies.

Cons:

  • May require regular auditing of IAM roles and permissions.

  • Potential disruption of Lambda functions if policies are misconfigured, requiring careful management.

  • Administrative effort is needed to restrict roles and permissions for each Lambda function.

Default Value:

Lambda functions should not have admin privileges by default. However, if policies are misconfigured, functions may inherit broad permissions that include administrative rights.

Pre-requisites:

  • Access to AWS Management Console or AWS CLI with sufficient permissions to view Lambda functions and IAM roles/policies.

  • Familiarity with IAM roles and policies associated with Lambda functions.

  • Regular audits of IAM policies and Lambda functions to ensure compliance with least privilege access.

Remediation:

Test Plan:

Using AWS Console:

  1. Test Lambda Functions After Policy Changes:

    • Ensure that after modifying the IAM role, the Lambda function performs as expected.

    • Test that the function does not encounter permission errors related to the changes made in the IAM role.

Using AWS CLI:

  1. Verify Lambda Function Access:

Run the following command to test access and ensure the Lambda function executes with the correct permissions:

    aws lambda invoke --function-name <function-name> output.txt

  2. Check for Permission Errors:

    • Ensure that no permission errors occur that could indicate over-permissive access.

Implementation Plan:

Using AWS Console:

  1. Log into the AWS Management Console and navigate to the Lambda section.

  2. Select the Lambda function and review its execution role.

  3. In the IAM console, inspect the policies attached to the execution role.

  4. If necessary, modify the policy to remove overly permissive permissions such as AdministratorAccess.

  5. Test the function to ensure it still operates correctly with the updated permissions.

Using AWS CLI:

  1. Retrieve the IAM role associated with the Lambda function using:

    aws lambda get-function-configuration --function-name <function-name>

  2. Review the policies attached to the IAM role.

  3. If required, update the IAM policy using:

    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://updated-policy.json

  4. Test the Lambda function after the policy change to ensure it performs as expected.
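The review in steps 2 and 3 can be automated once the role's policies have been fetched (for example with aws iam list-attached-role-policies, aws iam get-role-policy and aws iam get-policy-version). The following Python check is an added example, not part of this benchmark text; the role name and the two sample policy documents are constructed, and the AdministratorAccess managed policy ARN is the real one.

```python
import json

ADMIN_MANAGED_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single string/object or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def admin_statements(policy_document):
    """Return (reason, statement) for each Allow statement that is admin-equivalent:
    a wildcard action on every resource, or a NotAction allow on every resource."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        all_actions = any(a in ("*", "*:*") for a in _as_list(stmt.get("Action")))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt and all_resources:
            findings.append(("NotAction allow on all resources", stmt))
        elif all_actions and all_resources:
            findings.append(("wildcard action on all resources", stmt))
    return findings

def audit_execution_role(role_name, attached_policy_arns, inline_policies):
    """Check both permission sources on a Lambda execution role: attached managed
    policies (by ARN) and inline policies ({name: document}). Empty list = clean."""
    findings = []
    if ADMIN_MANAGED_POLICY_ARN in attached_policy_arns:
        findings.append(f"{role_name}: AdministratorAccess managed policy attached")
    for name, doc in inline_policies.items():
        for reason, _stmt in admin_statements(doc):
            findings.append(f"{role_name}: inline policy {name} has {reason}")
    return findings

# Constructed sample input (not real account data): a least-privilege logging
# policy and an inline policy that is equivalent to AdministratorAccess.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/demo:*"}]}
WILDCARD = {"Version": "2012-10-17",
            "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}

if __name__ == "__main__":
    for line in audit_execution_role("demo-role", [], {"logs": LEAST_PRIVILEGE, "ops": WILDCARD}):
        print(line)
```

A role that passes this check can still be over-permissive through broad service-level grants (for example iam:* or s3:* on all resources), so treat an empty result as the floor for the manual review in step 2, not as a substitute for it.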

Backout Plan:

Using AWS Console:

  1. If issues arise after modifying permissions, navigate to the IAM role associated with the Lambda function.

  2. Revert to the original policy configuration or use a backup of the original permissions.

  3. Test the Lambda function to ensure it continues to function properly.

Using AWS CLI:

  1. Revert the IAM policy to its previous state using the following command:

    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://original-policy.json

  2. Test the Lambda function after rolling back the policy to confirm functionality.

References:

CIS Controls:

  Version   Control ID   Control Description
  v8        14.3         Restrict Lambda function permissions to only those necessary for specific tasks, avoiding admin access.
  v7        14.3         Ensure that Lambda functions do not have overly permissive IAM policies, such as AdministratorAccess.