Ensure that Amazon Lambda functions are referencing active execution roles

Verify that Amazon Lambda functions are configured to reference active execution roles. This ensures that the functions have the necessary permissions and can operate effectively within your AWS environment, maintaining reliable and secure execution.

Risk Level: Low
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.IAM.115
Covered by Spectral: No
Category: Compute

GSL LOGIC

Lambda should have executionRole

REMEDIATION

From Portal

  1. Navigate to the Amazon Lambda console.
  2. Under AWS Lambda, choose Functions and select the function you want to configure.
  3. Click Configuration and choose Permissions.
  4. In the Execution role section, choose Edit to change the role that defines the permissions for the selected function.
  5. On the Edit basic settings page, take one of the following actions:
  6. Select 'Use an existing role' if you've already created an execution role for your Lambda function. From the dropdown list, choose the required IAM role and save your selection.
    Alternatively, opt for 'Create a new role from AWS policy templates' to establish a new execution role for your Lambda function. Assign a unique name in the 'Role name' field and pick one or more policy templates from the 'Policy templates' menu. (If you skip selecting policy templates, the Lambda function's execution role will only have permission to store logs in Amazon CloudWatch Logs.) For features like X-Ray active tracing, additional permissions may be necessary. Based on your function's access needs, choose the relevant permission sets from the 'Policy templates - optional' dropdown and save your changes.

From TF

provider "aws" {
  region = "YOUR_REGION"
}

resource "aws_lambda_function" "example_lambda" {
  function_name = "example_lambda_function"
  # ARN of an existing IAM role that the function assumes when it is invoked
  role          = "arn:aws:iam::YOUR_ACCOUNT_ID:role/NEW_ROLE_NAME"
  # Deployment package, entry point and runtime are required arguments
  filename      = "lambda_function_payload.zip"
  handler       = "lambda_function.lambda_handler"
  runtime       = "python3.12"
}

From Command Line
Run this command using the name of the Amazon Lambda function that you want to examine as the identifier parameter. It returns the ARN of the function's execution role.

aws lambda get-function --region 'YOUR_REGION' --function-name 'YOUR_LAMBDA_NAME' --query 'Configuration.Role'

Run this command using the role name taken from the ARN returned by the previous command (the part after 'role/', without any path prefix) in order to get the role's configuration information.

aws iam get-role --role-name 'YOUR_FUNCTION_EXECUTION_ROLE'

If the get-role command output returns a 'NoSuchEntity' error message instead of the role's configuration information, the execution role associated with the selected Amazon Lambda function is no longer available.
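The two commands above check one function at a time. The script below is an added example (not part of the CloudGuard rule page or the AWS CLI) that applies the same check to every function in a region: it lists functions with their role ARNs, derives the role name that get-role expects, and separates a genuine 'NoSuchEntity' result from other failures such as AccessDenied, which would otherwise be misreported as a missing role. The helper names, the list-functions loop and the sample ARNs are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit Lambda functions in one region for a dangling
# execution role. Only the aws CLI calls are from the rule page; the
# helper functions and the loop are this example's own assumptions.

# Return the IAM role name from an execution-role ARN. get-role wants the
# name only, so any path component (for example "service-role/") is dropped:
#   arn:aws:iam::123456789012:role/service-role/my-role  ->  my-role
role_name_from_arn() {
  printf '%s\n' "${1##*/}"
}

# Classify one get-role attempt from its exit status ($1) and stderr ($2):
#   OK       role exists and is readable
#   MISSING  IAM reported NoSuchEntity, i.e. the function references a
#            role that no longer exists (the finding this rule is about)
#   ERROR    any other failure (AccessDenied, throttling, network), which
#            must not be counted as a missing role
classify_get_role() {
  if [ "$1" -eq 0 ]; then
    echo OK
  else
    case "$2" in
      *NoSuchEntity*) echo MISSING ;;
      *)              echo ERROR ;;
    esac
  fi
}

# Print one "VERDICT function-name -> role-name" line per function.
audit_lambda_roles() {
  region="$1"
  aws lambda list-functions --region "$region" \
      --query 'Functions[].[FunctionName,Role]' --output text |
  while read -r fn arn; do
    name=$(role_name_from_arn "$arn")
    # Capture stderr only; stdout (the role document) is not needed here.
    err=$(aws iam get-role --role-name "$name" 2>&1 >/dev/null)
    status=$?
    verdict=$(classify_get_role "$status" "$err")
    printf '%-8s %s -> %s\n' "$verdict" "$fn" "$name"
  done
}

# Run the audit only when a region is given on the command line, so the
# helper functions can also be sourced and used on their own.
if [ "$#" -ge 1 ]; then
  audit_lambda_roles "$1"
fi
```

Usage: `sh audit_lambda_roles.sh us-east-1 | grep '^MISSING'` lists exactly the functions that would fail this rule; lines starting with ERROR need a second look at the caller's own IAM permissions before being treated as findings.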

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset