Profile Applicability:

  • Level 1

Description:

Implementing the principle of least privilege is essential for securing AWS Lambda functions. This means granting Lambda functions only the permissions they need to perform their tasks, minimizing exposure to unnecessary actions or resources. By using IAM roles and policies effectively, you can ensure that Lambda functions operate within the smallest scope of permissions necessary to achieve their purpose.

Rationale:

Using least privilege ensures that Lambda functions do not have more access than required, reducing the attack surface and preventing malicious or accidental misuse of permissions. By strictly controlling what each Lambda function can do, you ensure better security and adherence to the principle of least privilege.

Impact:

Pros:

  • Reduced Attack Surface: Limiting permissions prevents Lambda functions from accessing resources they don't need.

  • Enhanced Security: By only granting essential permissions, you minimize the risk of unauthorized access to sensitive resources.

  • Compliance: Ensures compliance with security best practices, such as those recommended in NIST, PCI DSS, and HIPAA.

Cons:

  • Configuration Complexity: Fine-grained permission management requires careful configuration and regular reviews to ensure that permissions remain aligned with the Lambda function's needs.

  • Potential Overhead: There may be additional overhead in managing and reviewing IAM roles and policies for each Lambda function.

Default Value:

By default, Lambda functions may be assigned broad IAM roles with excessive permissions. You must configure IAM roles and policies to grant the least privilege necessary.

Pre-requisites:

  • IAM permissions to modify Lambda function configurations and IAM roles.

  • Access to AWS Lambda and IAM services.

  • Defined access requirements for Lambda functions based on their intended use.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Lambda and select the Lambda function you want to configure.

  3. Under the Configuration tab, scroll down to Execution role and review the assigned IAM role.

  4. Ensure that the IAM role assigned to the Lambda function grants only the necessary permissions.

    • For example, if the Lambda function interacts with S3, the role should only have permissions to the specific S3 bucket(s) and actions (e.g., s3:GetObject).

  5. Modify the IAM role if necessary to restrict permissions:

    • Go to IAM > Roles > Select the role associated with the Lambda function.

    • Edit the role's permissions and remove any unnecessary permissions.

  6. Save the changes and verify that the Lambda function still operates correctly with the restricted permissions.

Using AWS CLI:

  1. Identify the Lambda function and its associated IAM role:

    aws lambda get-function-configuration --function-name <function-name>

  2. List the IAM role associated with the Lambda function:

    aws iam get-role --role-name <role-name>

  3. Review the role's policies by running:

    aws iam list-attached-role-policies --role-name <role-name>

  4. If the role has excessive permissions, update the policy to follow the least privilege principle. For example, to update the permissions for an S3-related Lambda function:

    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json

  5. Verify the updated IAM role by listing the attached policies again:

    aws iam list-attached-role-policies --role-name <role-name>

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to Lambda and select the function for which you want to configure least privilege.

  3. Under Configuration, select the Execution role assigned to the Lambda function.

  4. Review the IAM role and ensure that the permissions align with the Lambda function’s purpose.

    • For instance, if the Lambda function only reads from a specific S3 bucket, ensure the role has only s3:GetObject permissions for that bucket.

  5. If needed, update the IAM role by modifying or attaching policies that limit the permissions to what is strictly necessary.

  6. Save the changes and test the Lambda function to verify that it operates correctly with the restricted permissions.

Using AWS CLI:

  1. Get the configuration of the Lambda function to identify the associated IAM role:

    aws lambda get-function-configuration --function-name <function-name>

  2. List the policies attached to the IAM role:

    aws iam list-attached-role-policies --role-name <role-name>

  3. Review the attached policies and ensure they follow the least privilege principle. If necessary, update or remove unnecessary policies:

    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json

  4. Test the Lambda function to ensure it performs its tasks with the restricted permissions.
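The policy.json referenced in the Test Plan and Implementation Plan above, together with a review check for the "excessive permissions" those steps ask you to look for, as an added example that is not part of this benchmark text. The bucket name and the over-broad starting policy are constructed placeholders.

```python
"""Added example: audit an IAM policy document for wildcard grants and
produce the narrow S3 read-only policy the page describes (s3:GetObject
on one specific bucket). Bucket name is a constructed placeholder."""
import json

# Constructed example of the kind of broad role the page warns about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
}

# Least-privilege replacement for a Lambda that only reads objects from
# one bucket; this is the content written to policy.json for put-role-policy.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-input-bucket/*"},  # placeholder
    ],
}


def _as_list(value):
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_violations(policy):
    """Return (statement index, reason) for every Allow statement that grants
    a service-wide wildcard action ("*" or "svc:*") or Resource "*"."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource *"))
    return findings


def policy_document_json(policy):
    """Serialise a policy for --policy-document file://policy.json."""
    return json.dumps(policy, indent=2)
```

Note that `aws iam put-role-policy` writes an inline policy, which `aws iam list-role-policies --role-name <role-name>` shows; `list-attached-role-policies` lists only managed policies, so check both when reviewing a role.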

Backout Plan:

Using the AWS Console:

  1. If the Lambda function fails due to insufficient permissions, return to the IAM role and add back any necessary permissions that were mistakenly removed.

  2. Ensure that you are only granting permissions that are absolutely necessary for the Lambda function to work.

  3. Save the changes and re-test the Lambda function.

Using AWS CLI:

  1. If issues arise, revert the IAM role by adding back any missing permissions:

    aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://original-policy.json

  2. Verify that the Lambda function is operating correctly after the permissions have been restored.

References:

CIS Controls:

  Version  Control ID  Control Description
  v8       16.3        Ensure that Lambda functions are assigned IAM roles with only the permissions necessary to perform their tasks, following the principle of least privilege.
  v7       14.1        Use IAM policies that adhere to the principle of least privilege, ensuring Lambda functions only have the permissions required to perform their tasks.