Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role

It is recommended to have one IAM role per each Lambda function in order to follow the Principle of Least Privilege. This way you can ensure that your Lambda functions will have the minimum privileges needed to perform the required tasks.

Risk Level: Low
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.IAM.45
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

List<Lambda> should not have items groupBy [executionRoleArn] contain [values length() > 1]

REMEDIATION

From Portal:

  1. Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.
  2. In the navigation panel, go to AWS Lambda section and select Functions.
  3. Choose the relevant Lambda function, and click on it to access its configuration page.
  4. Select the Configuration tab and click Permission option.
  5. In the Execution role section, choose Edit to change the role that defines the permissions for the selected Functions.
  6. On the Edit basic settings configuration page, perform one of the following operations.
    a. To associate the function with an existing IAM role, choose 'Use an existing role' from the 'Execution role', and select the required role from the 'Existing role' dropdown list. The chosen IAM role can't be associated with another Lambda function and must follow the Principle of Least Privilege. Choose 'Save' to apply the configuration changes.
    b. To apply a new execution role to your Lambda function, choose 'Create a new role from AWS policy templates' to create a new execution role for the selected Amazon Lambda function. Provide a unique name for the new role in the 'Role name' box and select one or more policy templates from the 'Policy templates' dropdown list. Based on your function's access requirements, select the necessary permission sets from the 'Policy templates - optional' dropdown list. Choose 'Save' to apply the changes.

From Command Line

  1. Create the trust relationship policy required for the execution role. Save the following policy document to a JSON file named cc-execution-role-trust-policy.json.
    Note: This trust policy allows Amazon Lambda to use the role's permissions by giving the service principal 'lambda.amazonaws.com' permission to call the AWS Security Token Service 'AssumeRole' action. To create the required trust policy for the new IAM role. Example below trust-policy.json

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

  1. Run following command to create a new IAM execution role using the trust relationship policy:
aws iam create-role --role-name new_lambda_execution_role_name --assume-role-policy-document file://example_policy.json.json
  1. Run following command to attach an AWS-managed policy to the newly created execution role.
    Note: In below example the 'AWSLambdaSQSQueueExecutionRole' managed policy provides permission to read a message from an Amazon SQS queue.
aws iam attach-role-policy --role-name new_lambda_execution_role_name --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole
  1. Run following command using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to replace the shared execution role with the new IAM role created and configured in the previous steps.
    Note: Put new Lambda execution role ARN for --role command syntax
aws lambda update-function-configuration --region region_name --function-name function_name --role arn:aws:iam::123456789012:role/new_lambda_execution_role_name

References:

  1. https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
  2. https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html
  3. https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html
  4. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-role.html
  5. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/attach-role-policy.html
  6. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/update-function-configuration.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset