Ensure no Lambda allows ingress from 0.0.0.0/0 to remote server administration ports

Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress to ports used for remote administration purposes.

Risk Level: High
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.NET.75
Covered by Spectral: No
Category: Compute

GSL LOGIC

Lambda should not have inboundRules with [scope in ('0.0.0.0/0', '::/0') and portTo in (22, 115, 137, 2049, 3389)]

REMEDIATION

From Portal

  1. Open the Functions page of the Lambda console.
  2. Choose a function.
  3. Choose Configuration and then choose VPC.
  4. Under VPC, choose Edit.
  5. Select only those subnets and security groups that do not have any inbound rules allowing wide access.
  6. Choose Save.

From TF
Set vpc_config terraform property as shown to use restrictive security groups:

resource "aws_lambda_function" "example" {
	...
	vpc_config {
		subnet_ids         = [SUBNET-IDs]
		security_group_ids = [SECURITY-GROUP-IDs]
	}
}

From Command Line
To update vpc config of a lambda to use restrictive security groups, run:

aws lambda update-function-configuration --function-name FUNCTION-NAME --vpc-config SubnetIds=SUBNET-IDs,SecurityGroupIds=SECURITY-GROUP-IDs

References

  1. https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc-endpoints.html
  2. https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-configuration.html

AWS Lambda

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Compliance Frameworks

  • AWS CIS Controls V 8
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS ISO27001:2022
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5
  • AWS PCI-DSS 4.0
  • AWS Security Risk Management
  • CloudGuard AWS All Rules Ruleset