Rule: Lambda functions should restrict public access
This rule emphasizes the importance of restricting public access for Lambda functions.
| Rule | Lambda functions should restrict public access |
| Framework | GxP 21 CFR Part 11 |
| Severity | ✔ Critical |
Rule Description:
The rule requires Lambda functions to restrict public access for GxP (Good Practice) 21 CFR (Code of Federal Regulations) Part 11 compliance. This ensures that Lambda functions that handle sensitive data or perform critical operations adhere to the security requirements outlined in the GxP 21 CFR Part 11 guidelines.
Rule Policy:
Lambda functions must have the necessary configurations to prevent public access and enforce GxP 21 CFR Part 11 compliance. Any publicly accessible Lambda functions should be restricted to reduce the risk of unauthorized access or data breaches.
Troubleshooting Steps:
- 1.
Identify publicly accessible Lambda functions:
- Use the AWS Management Console or AWS CLI to list all Lambda functions in your account.
- Look for functions that have open permissions or are configured to allow public access.
- 2.
Review function permissions:
- Analyze the permissions and access controls applied to each Lambda function.
- Ensure that there are no policies allowing unrestricted public access.
- 3.
Update function policies:
- For any publicly accessible functions, modify their function policies to restrict access.
- Adjust the resource-based policies or IAM (Identity and Access Management) policies to enforce GxP 21 CFR Part 11 compliance.
Code Snippets:
- 1.AWS CLI - Listing Lambda functions:
aws lambda list-functions --region <region-name>
- 1.AWS CLI - Viewing function policies:
aws lambda get-policy --function-name <function-name> --region <region-name>
- 1.AWS CLI - Updating function policies:
aws lambda add-permission --function-name <function-name> --region <region-name> \ --statement-id <unique-id> --action lambda:InvokeFunction --principal <account-id> \ --source-arn arn:aws:execute-api:<region-name>:<account-id>:<api-gateway-id>/*/POST/<path>
Remediation Steps:
- 1.
Identify publicly accessible Lambda functions:
- Run the AWS CLI command
to obtain a list of all Lambda functions in your account.aws lambda list-functions
- 2.
Review function permissions:
- Use the AWS CLI command
for each Lambda function to view their current policies.aws lambda get-policy --function-name <function-name> - Analyze the policies to identify any open permissions or public access configurations.
- 3.
Update function policies:
- For each publicly accessible function, use the AWS CLI command
to update the function's policy.aws lambda add-permission - Replace
with the name of the Lambda function you want to modify, and<function-name>
with the appropriate AWS region.<region-name> - Specify a unique
for the statement ID.<unique-id> - Adjust the
and--principal
parameters based on your specific requirements.--source-arn - Repeat this step for all publicly accessible Lambda functions.
- 4.
Verify changes:
- Run the AWS CLI command
to confirm that the policy has been updated successfully.aws lambda get-policy --function-name <function-name> - Ensure that the functions no longer allow public access.
Final Notes:
Adhering to the GxP 21 CFR Part 11 guidelines by restricting public access for Lambda functions helps maintain the security and compliance of sensitive data and critical operations. Regularly reviewing and updating function policies is necessary to mitigate the risk of unauthorized access and potential data breaches.