Profile Applicability:

  • Level 1

Description:

As a security best practice, each AWS Lambda function should have its own IAM role that grants only the permissions the function needs to perform its task. A dedicated IAM role per function keeps permissions isolated and limits the blast radius of a compromised function or a misconfigured policy.

Rationale:

Using a unique IAM role for each Lambda function allows you to strictly adhere to the principle of least privilege. This means each function gets only the permissions it needs to operate, reducing the risk of accidental access to sensitive resources and ensuring better control over security policies. It also provides more flexibility in defining granular permissions for each function, making your AWS environment more secure and easier to audit.

Impact:

Pros:

  • Improved Security: Each Lambda function has a dedicated IAM role, minimizing the risk of over-permissioned roles.

  • Granular Control: Allows you to specify more precise permissions for each Lambda function based on its specific requirements.

  • Compliance: Helps meet compliance requirements that require fine-grained access controls and isolation of duties.

Cons:

  • Management Overhead: Managing a unique IAM role for each Lambda function can increase complexity, especially if there are many Lambda functions.

  • Permission Configuration: Requires careful planning to ensure the correct permissions are granted to each role without being too broad.

Default Value:

By default, AWS Lambda functions may share a single IAM role. Each function should have its own IAM role configured to ensure better security and adherence to best practices.

Pre-requisites:

  • IAM permissions to create and manage IAM roles and policies.

  • Access to AWS Lambda and IAM services.

  • Well-defined access requirements for each Lambda function.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Lambda and select the Lambda function you want to configure.

  3. Under the Configuration tab, go to the Execution role section.

  4. Check if the Lambda function is using a shared IAM role or a dedicated role.

    • If the function is using a shared IAM role, create a new role specifically for the function.

    • To create a new role, navigate to IAM > Roles > Create role, and assign permissions based on the function's specific needs.

  5. Assign the newly created IAM role to the Lambda function under the Execution role section.

  6. Save the changes and verify that the Lambda function operates as expected with its dedicated IAM role.

Using AWS CLI:

  1. List the Lambda functions to identify the one you want to configure: 

    aws lambda list-functions

  2. Retrieve the current execution role of the Lambda function:

    aws lambda get-function-configuration --function-name <function-name>

  3. If the Lambda function is using a shared IAM role, create a new IAM role for it:

    aws iam create-role --role-name <new-role-name> --assume-role-policy-document file://trust-policy.json

  4. Attach the necessary permissions to the new role. For example, if the Lambda function needs access to S3: 

    aws iam attach-role-policy --role-name <new-role-name> --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

  5. Update the Lambda function to use the new role:

    aws lambda update-function-configuration --function-name <function-name> --role arn:aws:iam::<account-id>:role/<new-role-name>

  6. Verify the change by retrieving the Lambda function configuration: 

    aws lambda get-function-configuration --function-name <function-name>
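To run the check in step 2 across every function at once instead of one at a time, the following added helper (not part of the benchmark text) groups the output of `aws lambda list-functions --query 'Functions[].[FunctionName,Role]' --output text` by execution role and prints each role that more than one function uses. The function names and the account ID in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): finds execution roles that are
# shared by several Lambda functions. Input lines are "<FunctionName><TAB><RoleArn>",
# the shape emitted by:
#   aws lambda list-functions --query 'Functions[].[FunctionName,Role]' --output text
# Output lines are "<RoleArn><TAB><count><TAB><comma-separated function names>",
# one per role used by more than one function, sorted by role ARN.
find_shared_roles() {
    awk -F '\t' '
        NF >= 2 {
            count[$2]++
            members[$2] = (members[$2] == "" ? $1 : members[$2] "," $1)
        }
        END {
            for (role in count)
                if (count[role] > 1)
                    printf "%s\t%d\t%s\n", role, count[role], members[role]
        }
    ' | sort
}

# Constructed sample in the same TSV shape (placeholder account ID 123456789012):
# two functions share lambda-shared-role, the third has a dedicated role.
sample_inventory() {
    printf '%s\t%s\n' \
        order-api  'arn:aws:iam::123456789012:role/lambda-shared-role' \
        report-gen 'arn:aws:iam::123456789012:role/lambda-shared-role' \
        img-resize 'arn:aws:iam::123456789012:role/img-resize-role'
}

# Run against the sample; in practice pipe the live CLI output in instead.
sample_inventory | find_shared_roles
```

Every function listed in the output needs its own role created and assigned as in steps 3 to 5; a role that appears only once already satisfies this control.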

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Lambda and select the Lambda function to be configured.

  3. In the Configuration tab, check the Execution role.

  4. If the function is using a shared IAM role, create a new IAM role specifically for the function:

    • Go to IAM > Roles > Create Role.

    • Select the required permissions for the Lambda function.

  5. Assign the newly created role to the Lambda function.

  6. Save the changes and verify that the Lambda function is now using a dedicated IAM role.

Using AWS CLI:

  1. Create a new IAM role for the Lambda function: 

    aws iam create-role --role-name <new-role-name> --assume-role-policy-document file://trust-policy.json

  2. Attach the appropriate permissions to the IAM role:

    aws iam attach-role-policy --role-name <new-role-name> --policy-arn arn:aws:iam::aws:policy/<policy-name>

  3. Update the Lambda function to use the newly created IAM role:

    aws lambda update-function-configuration --function-name <function-name> --role arn:aws:iam::<account-id>:role/<new-role-name>

  4. Verify the configuration by checking the Lambda function's details:

    aws lambda get-function-configuration --function-name <function-name>

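The trust-policy.json file that the create-role command in step 1 (and in step 3 of the Test Plan) reads is not shown on this page. As an added example, the following is the trust policy that allows only the Lambda service to assume the role; the Condition block restricts assumption to the named function, and the <region>, <account-id> and <function-name> values are placeholders to replace. The trust policy grants no resource permissions; those are attached separately in step 2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "<account-id>" },
        "ArnLike": { "aws:SourceArn": "arn:aws:lambda:<region>:<account-id>:function:<function-name>" }
      }
    }
  ]
}
```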
Backout Plan:

Using the AWS Console:

  1. If issues arise after configuring a unique IAM role, navigate to AWS Lambda and select the function.

  2. Under Configuration > Execution role, revert to the shared IAM role (if necessary).

  3. Verify that the Lambda function still works with the reverted IAM role.

Using AWS CLI:

  1. To revert to the shared IAM role, run: 

    aws lambda update-function-configuration --function-name <function-name> --role arn:aws:iam::<account-id>:role/<shared-role-name>

  2. Verify that the Lambda function now uses the shared IAM role: 

    aws lambda get-function-configuration --function-name <function-name>

References:

CIS Controls:

  Version | Control ID | Control Description
  --------|------------|--------------------------------------------------------------------------------
  v8      | 16.3       | Ensure that every Lambda function has a unique IAM role, restricting its permissions to only the required resources and actions.
  v7      | 14.1       | Ensure that Lambda functions are assigned IAM roles with the least privileges, using separate roles for each function to reduce security risks.