
Rule: Lambda functions should restrict public access

Brief overview of the rule regarding lambda functions' public access restriction.

Rule: Lambda functions should restrict public access
Framework: CISA-cyber-essentials
Severity: Critical

Rule Description:

This rule enforces the restriction of public access to Lambda functions that are in scope of the CISA Cyber Essentials framework. Lambda functions run serverless application code; restricting public access to them protects the security and integrity of the applications and data those functions interact with.

Troubleshooting Steps:

If you encounter issues with public access to Lambda functions in the CISA Cyber Essentials framework, follow these troubleshooting steps:

  1. Review Lambda Function Configuration: Verify that the Lambda function has been configured properly to restrict public access. Check the function's "Permissions" section to ensure that it only allows authorized access.

  2. Check Security Group Rules: Ensure that the security groups associated with the Lambda function allow access from trusted sources only. Investigate whether any unintended open network access configurations exist.

  3. Review VPC Configuration: If the Lambda function is associated with a Virtual Private Cloud (VPC), ensure that the VPC's security group rules and network ACLs are correctly configured. Confirm that the function does not have undesired internet access.

  4. Verify IAM Policies: Inspect the IAM (Identity and Access Management) policies associated with the Lambda function. Ensure that the policies restrict access to authorized entities only.

  5. Check Application Dependencies: If the Lambda function interacts with other resources such as databases or APIs, inspect their configurations for any public access vulnerabilities. Adjust the configurations to restrict public access if necessary.

  6. Review Function Invoke Settings: Ensure that the Lambda function is not configured to allow public invoke permissions. Verify that only authorized entities can invoke the function.

  7. Review CloudTrail Logs: If available, review the CloudTrail logs to identify any unauthorized access attempts or configuration changes that may have led to public access.

  8. Contact Support: If you are unable to resolve the issue or need further assistance, contact the support team or consult the AWS documentation for Lambda functions.

Necessary Codes:

In most cases, the necessary remediation codes depend on the specific configuration or policies applied to the Lambda function. However, here are some common examples:

  1. Restricting Access to VPC:

To restrict access to a VPC, execute the following AWS CLI command:

aws lambda update-function-configuration --function-name <lambda-function-name> --vpc-config SubnetIds=<comma-separated-subnet-ids>,SecurityGroupIds=<comma-separated-security-group-ids>

Replace <lambda-function-name> with the actual name of your Lambda function, and provide the appropriate <comma-separated-subnet-ids> and <comma-separated-security-group-ids> values.

  2. Updating IAM Policies:

To update the IAM policies associated with the Lambda function, use the AWS CLI command:

aws lambda update-function-configuration --function-name <lambda-function-name> --role <new-iam-role-arn>

Replace <lambda-function-name> with the actual name of your Lambda function, and provide the new IAM role ARN in place of <new-iam-role-arn>.

Please note that the specific commands may vary depending on your AWS CLI configuration and the unique attributes of your Lambda function.

Step-by-Step Remediation Guide:

Follow these steps to restrict public access to Lambda functions in the CISA Cyber Essentials framework:

  1. Identify the Lambda Functions: Determine which Lambda functions are part of the CISA Cyber Essentials framework and require public access restriction.

  2. Review Function Configuration: Inspect the configuration of each Lambda function and verify whether it allows public access. Look for any settings that allow public invocation or access.

  3. Restrict VPC Access: If the Lambda functions are not already associated with a VPC or a specific set of subnets, configure them to operate in a VPC. This restricts access to the resources within the VPC.

  4. Adjust Security Group Rules: Review the security group rules associated with the Lambda functions. Ensure that they only allow access from trusted sources. Remove any rules that permit public access.

  5. Update IAM Policies: Inspect the IAM policies associated with the Lambda functions. Modify the policies to restrict access to authorized entities only. Remove any policies that unnecessarily allow public access.

  6. Test Function Invocations: After implementing the necessary changes, test the function invocations to ensure they are still functioning as expected.

  7. Monitor and Review Logs: Continuously monitor CloudTrail logs and other relevant logs to identify any suspicious activities or unauthorized access attempts.

By following these steps, you can effectively restrict public access to Lambda functions in the CISA Cyber Essentials framework and enhance the overall security of your serverless applications.
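The "Review Function Invoke Settings" troubleshooting step and the "Review Function Configuration" and "Update IAM Policies" remediation steps above both come down to one artifact: the function's resource-based policy, which is what `aws lambda get-policy` returns and what decides who may invoke the function (the VPC and role commands in the Necessary Codes section change where the function's code can reach and what it can do once running, not who can call it). The following Python script is an added example for this page, not Cloud Defense's or AWS's own code. It parses `get-policy` output, reports every Allow statement that lets any principal invoke the function, and prints the matching `aws lambda remove-permission` command for each. The sample policy, account numbers, function name and statement IDs are constructed placeholders; treating `aws:SourceAccount`, `aws:SourceArn`, `aws:PrincipalAccount` and `aws:PrincipalOrgID` conditions as sufficient narrowing of a wildcard principal is this checker's design choice.

```python
"""Flag public invoke grants in a Lambda resource-based policy.

Added example for this rule page (not Cloud Defense's or AWS's code). Input is
the JSON printed by `aws lambda get-policy`; output is the list of public
statement IDs and one `aws lambda remove-permission` command per statement.
"""
import json

# Condition keys that pin a wildcard principal to a known account, ARN or
# organization. Design choice: a statement carrying one of them is reported
# as restricted rather than public.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:principalaccount", "aws:principalorgid",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, including anonymous ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_invoke(actions):
    """True if Action covers lambda:InvokeFunction directly or through a wildcard."""
    for action in _as_list(actions):
        a = action.lower()
        if a in ("*", "lambda:*") or a.startswith("lambda:invoke"):
            return True
    return False


def _condition_restricts(condition):
    """True if any condition key scopes the statement to a known caller."""
    for operator_block in (condition or {}).values():
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in operator_block):
            return True
    return False


def parse_get_policy_output(raw_output):
    """`aws lambda get-policy` wraps the policy document as a JSON string inside JSON."""
    return json.loads(json.loads(raw_output)["Policy"])


def find_public_invoke_statements(policy_document):
    """Return the Sid of every Allow statement that lets any principal invoke the function."""
    public_sids = []
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _grants_invoke(stmt.get("Action")):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _condition_restricts(stmt.get("Condition")):
            continue
        public_sids.append(stmt.get("Sid", "<missing-sid>"))
    return public_sids


def remediation_commands(function_name, policy_document):
    """One `aws lambda remove-permission` command per public statement."""
    return [
        f"aws lambda remove-permission --function-name {function_name} --statement-id {sid}"
        for sid in find_public_invoke_statements(policy_document)
    ]


# Constructed sample of `aws lambda get-policy` output; every account number,
# ARN, function name and statement ID below is a placeholder.
_FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            # public: any caller may invoke, no narrowing condition
            {"Sid": "AllowAnyoneToInvoke", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": _FN_ARN},
            # restricted: wildcard principal pinned to one account
            {"Sid": "AllowPartnerAccount", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "lambda:InvokeFunction", "Resource": _FN_ARN,
             "Condition": {"StringEquals": {"AWS:SourceAccount": "444455556666"}}},
            # restricted: service principal scoped to a single bucket ARN
            {"Sid": "AllowS3Bucket", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": _FN_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    policy = parse_get_policy_output(SAMPLE_GET_POLICY_OUTPUT)
    print("public statements:", find_public_invoke_statements(policy))
    for command in remediation_commands("example-fn", policy):
        print(command)
```

Against live output, pipe `aws lambda get-policy --function-name <lambda-function-name>` into `parse_get_policy_output` in place of the constructed sample; run the printed `remove-permission` commands only after confirming that each flagged statement is not the one legitimate callers rely on, then re-run the check and the "Test Function Invocations" step.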
