Profile Applicability:

Level 2

Description:

AWS Config provides a detailed inventory of AWS resources and records configuration changes. For Lambda functions and serverless applications, enabling AWS Config allows you to track changes to the configurations of your Lambda functions, monitor compliance, and help in auditing and security. AWS Config can capture configuration history and relationships between AWS resources, giving insights into the state of your serverless resources.

Rationale:

By enabling AWS Config for Lambda and serverless applications, you gain visibility into the configuration and compliance of your resources. This allows you to monitor changes, detect configuration drift, and assess the security and compliance status of Lambda functions. Enabling AWS Config is a key best practice for governance, risk management, and compliance, especially in serverless environments.

Impact:

Pros:

  • Improved Monitoring and Visibility: AWS Config provides a historical record of your Lambda configurations and enables compliance tracking.

  • Compliance: AWS Config can help in maintaining compliance with internal and external regulations by tracking configuration changes and comparing them to desired configurations.

  • Audit and Security: It helps identify unauthorized changes and simplifies auditing for Lambda functions and serverless applications.

Cons:

  • Configuration Complexity: Setting up AWS Config for Lambda and serverless applications requires proper configuration and permissions.

  • Costs: AWS Config incurs additional costs based on the number of configuration items and the recording frequency.

Default Value:

By default, AWS Config is not enabled for Lambda or serverless applications. It must be manually configured to track these resources.

Pre-requisites:

  • IAM permissions to enable AWS Config and manage Lambda and serverless configurations.

  • Access to AWS Lambda and AWS Config services.

  • A configured AWS Config Recorder in the region where your Lambda functions are deployed.

Remediation:

Test Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Config under the Management & Governance section.

  3. If AWS Config is not enabled, click on Get Started to begin the configuration.

  4. In the setup process, ensure that Lambda functions are selected as one of the resources to be recorded.

  5. Set up Configuration Recorder and Delivery Channel for AWS Config to record changes to your Lambda resources.

  6. Under the Recording Settings, ensure that Lambda is selected for continuous recording.

  7. Click Save to apply the configuration.

  8. Once AWS Config is set up, verify by going to AWS Config Dashboard and checking the list of recorded Lambda functions and their configurations.

Using AWS CLI:

  1. First, ensure that AWS Config is enabled and check if the configuration recorder is active by running: 

    aws configservice describe-configuration-recorders

  2. To enable AWS Config and record Lambda resources, run: 

    aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/AWS_ConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true

  3. After the configuration recorder is active, create or modify the delivery channel to send data to an S3 bucket or Amazon SNS: 

    aws configservice put-delivery-channel --delivery-channel name=default,s3BucketName=<bucket-name>

  4. Verify that AWS Config is recording Lambda functions: 

    aws configservice list-discovered-resources --resource-type AWS::Lambda::Function

  5. Check that the Lambda configurations are recorded and visible.
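As an added example (not part of the benchmark text), the following Python script applies the verification from the test plan to the JSON that the AWS CLI prints: it checks that a configuration recorder exists in the region, that its recording group actually covers AWS::Lambda::Function, that the recorder has been started (put-configuration-recorder creates the recorder but does not start it), and that a delivery channel exists. The sample responses are constructed; the account id and bucket name are placeholders, and the function names are this example's own.

```python
"""Check that AWS Config in a region records AWS::Lambda::Function.

Added example, not part of the benchmark. It evaluates the JSON printed by:
  aws configservice describe-configuration-recorders
  aws configservice describe-configuration-recorder-status
  aws configservice describe-delivery-channels
All sample responses below are constructed; the account id and bucket name
are placeholders.
"""
import json

LAMBDA_TYPE = "AWS::Lambda::Function"


def recorder_covers_lambda(recorder: dict) -> bool:
    """True if this recorder's recordingGroup would record Lambda functions."""
    group = recorder.get("recordingGroup", {})
    excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
    if LAMBDA_TYPE in excluded:
        return False
    if group.get("allSupported", False):
        return True
    # Exclusion strategy records every supported type except those listed above.
    if group.get("recordingStrategy", {}).get("useOnly") == "EXCLUSION_BY_RESOURCE_TYPES":
        return True
    # Otherwise only the explicitly listed types are recorded.
    return LAMBDA_TYPE in group.get("resourceTypes", [])


def evaluate_lambda_recording(recorders_json: str, status_json: str,
                              channels_json: str) -> dict:
    """Return {"compliant": bool, "findings": [str, ...]} for one region."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    status = {s["name"]: s for s in
              json.loads(status_json).get("ConfigurationRecordersStatus", [])}
    channels = json.loads(channels_json).get("DeliveryChannels", [])
    findings = []

    if not recorders:
        findings.append("no configuration recorder exists in this region")
    for rec in recorders:
        name = rec.get("name", "<unnamed>")
        if not recorder_covers_lambda(rec):
            findings.append(f"recorder '{name}' does not record {LAMBDA_TYPE}")
        # put-configuration-recorder creates the recorder; only
        # start-configuration-recorder sets recording=true.
        if not status.get(name, {}).get("recording", False):
            findings.append(f"recorder '{name}' exists but is not recording")
    if not channels:
        findings.append("no delivery channel, so configuration items are not delivered")
    return {"compliant": not findings, "findings": findings}


# Constructed sample responses.
COMPLIANT_RECORDERS = json.dumps({"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/AWS_ConfigRole",
    "recordingGroup": {"allSupported": True,
                       "includeGlobalResourceTypes": True,
                       "resourceTypes": []}}]})
PARTIAL_RECORDERS = json.dumps({"ConfigurationRecorders": [{
    "name": "default",
    "roleARN": "arn:aws:iam::111122223333:role/AWS_ConfigRole",
    "recordingGroup": {"allSupported": False,
                       "includeGlobalResourceTypes": False,
                       "resourceTypes": ["AWS::EC2::Instance",
                                         "AWS::S3::Bucket"]}}]})
RECORDING_STATUS = json.dumps({"ConfigurationRecordersStatus": [{
    "name": "default", "recording": True, "lastStatus": "SUCCESS"}]})
STOPPED_STATUS = json.dumps({"ConfigurationRecordersStatus": [{
    "name": "default", "recording": False, "lastStatus": "SUCCESS"}]})
CHANNELS = json.dumps({"DeliveryChannels": [{
    "name": "default", "s3BucketName": "example-config-bucket"}]})
NO_CHANNELS = json.dumps({"DeliveryChannels": []})

if __name__ == "__main__":
    cases = {
        "all supported, recording": (COMPLIANT_RECORDERS, RECORDING_STATUS, CHANNELS),
        "Lambda not in scope, stopped": (PARTIAL_RECORDERS, STOPPED_STATUS, CHANNELS),
        "recording, no delivery channel": (COMPLIANT_RECORDERS, RECORDING_STATUS, NO_CHANNELS),
    }
    for label, args in cases.items():
        result = evaluate_lambda_recording(*args)
        print(f"{label}: compliant={result['compliant']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

To run it against a live account, pipe the output of the three CLI commands into the function (or call the equivalent boto3 `config` client methods) once per region where Lambda functions are deployed; a recorder that is in place but stopped, or scoped to a resource-type list that omits Lambda, is reported as a finding rather than silently passing.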

Implementation Plan:

Using the AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Config and select Get Started.

  3. Follow the prompts to enable AWS Config and configure the Configuration Recorder to include Lambda functions.

  4. Set the Delivery Channel to an S3 bucket or Amazon SNS for notifications.

  5. Save and verify that AWS Config is correctly recording Lambda configurations and related resources.

Using AWS CLI:

  1. Enable the AWS Config Recorder to capture Lambda function configurations: 

    aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=arn:aws:iam::<account-id>:role/AWS_ConfigRole --recording-group allSupported=true,includeGlobalResourceTypes=true

  2. Set the Delivery Channel to send configuration data to an S3 bucket: 

    aws configservice put-delivery-channel --delivery-channel name="default",s3BucketName="<bucket-name>"

  3. Verify that AWS Config is recording Lambda function changes: 

    aws configservice list-discovered-resources --resource-type AWS::Lambda::Function

Backout Plan:

Using the AWS Console:

  1. If there are issues with the AWS Config configuration, navigate to the AWS Config Console.

  2. Disable the configuration recorder by selecting Stop Recording.

  3. If necessary, modify the settings for AWS Config or remove the delivery channel.

  4. Verify that AWS Config is no longer recording Lambda resources.

Using AWS CLI:

  1. To stop the configuration recorder, run: 

    aws configservice stop-configuration-recorder --configuration-recorder-name default

  2. To delete the delivery channel, run:

     aws configservice delete-delivery-channel --delivery-channel-name default

  3. Verify that AWS Config is no longer recording Lambda resources:

     aws configservice describe-configuration-recorders

References:

CIS Controls:

  Version   Control ID   Control Description
  -------   ----------   -------------------------------------------------------------------------------------------------------------------
  v8        3.1          Ensure that AWS Config is enabled for Lambda functions to monitor and track configuration changes and compliance status.
  v7        5.5          Use AWS Config to ensure that Lambda configurations are continuously recorded and compliant with your security policies.