Ensure Lambda functions restrict public access for security compliance.
Rule: Lambda functions should restrict public access
Framework: FedRAMP Moderate Revision 4
Severity: Critical
Rule Description:
Lambda functions in the AWS environment that process sensitive data should restrict public access to comply with the FedRAMP Moderate Revision 4 security requirements. This rule ensures that only authorized entities can access the Lambda functions, minimizing the risk of unauthorized access and potential data breaches.
Troubleshooting Steps:
If Lambda functions have public access enabled, there might be a misconfiguration or oversight in the security settings. To troubleshoot and resolve this issue, follow the steps below:
1. Review Lambda Function Configuration: Verify the current configuration of the Lambda function to determine whether public access is enabled. Look for any misconfigurations or missing security settings.
2. Check VPC Configuration: Ensure that the Lambda function is properly associated with a Virtual Private Cloud (VPC) if required. If the function is not associated with a VPC, it might have unintended public access.
3. Review Access Control Policies: Check the access control policies attached to the Lambda function. Examine both the function-level and resource-level policies to confirm that they restrict public access.
4. Evaluate Network Connectivity: Assess the network connectivity options for the Lambda function. Ensure that it is not reachable from the public internet via an internet gateway, NAT gateway, or any other network configuration that allows public access.
5. Check for Public Subnet Assignment: If the Lambda function is associated with a VPC, verify that it is not assigned to a subnet that has public internet access. Lambda functions in public subnets can have public access by default if not properly configured.
6. Audit Security Group Rules: Review the associated security groups and their inbound and outbound rules. Check whether any rules allow ingress traffic from the public internet. Adjust the security group rules as necessary to restrict access to authorized entities only.
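The VPC settings above control where the function's network interfaces live; whether anyone on the internet may invoke the function is decided by its resource-based policy, which the "Review Access Control Policies" step asks you to examine. The following is an added example, not code from the original page, that audits such a policy document (the JSON string the Lambda GetPolicy API returns) for statements granting access to a wildcard principal. The set of condition keys treated as narrowing a wildcard grant, and the sample policy, are assumptions constructed for the example.

```javascript
// Added example, not code from the original page: flag statements in a Lambda
// resource-based policy (the JSON string GetPolicy returns) that grant access
// to everyone: Effect Allow, wildcard Principal, and no Condition that narrows
// the grant to a known source. Condition keys treated as narrowing are an
// assumption for this example; extend the list to match your environment.
const SCOPING_KEYS = ['aws:sourcearn', 'aws:sourceaccount', 'aws:principalorgid',
  'aws:principalaccount', 'aws:sourcevpce'];

function isWildcardPrincipal(p) {
  if (p === '*') return true;
  const aws = p && typeof p === 'object' ? p.AWS : undefined;
  return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
}

// Condition shape: { "<operator>": { "<key>": <value>, ... }, ... }
function hasScopingCondition(condition) {
  if (!condition || typeof condition !== 'object') return false;
  return Object.values(condition).some((keys) =>
    Object.keys(keys).some((k) => SCOPING_KEYS.includes(k.toLowerCase())));
}

// Returns the Sid (or index) of every statement that grants public access.
function findPublicStatements(policyJson) {
  const policy = typeof policyJson === 'string' ? JSON.parse(policyJson) : policyJson;
  const hits = [];
  [].concat(policy.Statement || []).forEach((s, i) => {
    if (s.Effect === 'Allow' && isWildcardPrincipal(s.Principal)
        && !hasScopingCondition(s.Condition)) hits.push(s.Sid || `statement[${i}]`);
  });
  return hits;
}

// Constructed sample policy for a fictional function. Only the first statement is
// public: the second scopes its wildcard to one account, the third names a principal.
const FN_ARN = 'arn:aws:lambda:us-east-1:111122223333:function:example';
const SAMPLE_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [
    { Sid: 'PublicInvoke', Effect: 'Allow', Principal: '*',
      Action: 'lambda:InvokeFunction', Resource: FN_ARN },
    { Sid: 'ScopedWildcard', Effect: 'Allow', Principal: '*',
      Action: 'lambda:InvokeFunction', Resource: FN_ARN,
      Condition: { StringEquals: { 'aws:SourceAccount': '111122223333' } } },
    { Sid: 'OwnAccount', Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::111122223333:root' },
      Action: 'lambda:InvokeFunction', Resource: FN_ARN },
  ],
});

console.log(findPublicStatements(SAMPLE_POLICY)); // [ 'PublicInvoke' ]
```

Any Sid this returns is a statement to remove with RemovePermission or re-add with a narrowing condition; a function URL with auth type NONE also depends on such a public statement.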
Necessary Code:
Depending on the specific scenario, the code below can be utilized to restrict public access to the Lambda function:
```javascript
// Example using AWS SDK for JavaScript (v2)
var AWS = require('aws-sdk');
var lambda = new AWS.Lambda({ apiVersion: '2015-03-31' });

// Specify the Lambda function name
var functionName = 'Your_Lambda_Function_Name';

// Define the desired VPC configuration. The VPC itself is inferred from the
// subnets; VpcConfig accepts only SubnetIds and SecurityGroupIds on update,
// so do not pass a VpcId here (the SDK rejects it as an unexpected parameter).
var vpcConfig = {
  SubnetIds: ['Your_Subnet_IDs'],
  SecurityGroupIds: ['Your_Security_Group_IDs']
};

// Update the function's VPC configuration to restrict public access
var params = {
  FunctionName: functionName,
  VpcConfig: vpcConfig
};

lambda.updateFunctionConfiguration(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data);               // successful response
});
```
Step-by-Step Guide for Remediation:
Follow these steps to remediate the Lambda function and restrict public access using the AWS Management Console:
1. Open AWS Lambda Console: Sign in to the AWS Management Console and navigate to the AWS Lambda service.
2. Select the Lambda Function: Locate and select the Lambda function that requires public access restriction.
3. Click on "Configuration": In the function overview page, click on the "Configuration" tab.
4. Review Existing Configuration: Scroll down to review the current configuration of the Lambda function. Check for any existing VPC association and security settings.
5. Modify VPC Configuration: If the function is not already associated with a VPC, you will need to create a VPC or select an existing one. Ensure that the associated subnets and security groups provide the desired level of network isolation.
6. Click "Save": After modifying the VPC configuration, click the "Save" button at the top-right corner of the page to apply the changes.
7. Test Function Connectivity (Optional): Validate the updated configuration by executing test cases on the Lambda function. Ensure that the function behaves as expected and has the necessary network connectivity within the designated VPC.
8. Monitor Logs: Monitor the Lambda function's logs and associated metrics to identify any potential issues or anomalies following the configuration changes. Make adjustments as needed.
By following these steps, public access to the Lambda function will be restricted, aligning with the FedRAMP Moderate Revision 4 security requirements.