AWS Lambda CIS-like Benchmark

The CIS AWS benchmark provides an important starting point for setting up security governance of an AWS cloud environment. Even though there are an operational benchmark and AWS foundational best practices for AWS Lambda, below is a consolidated list focusing specifically on security governance of Lambda infrastructure and workloads.

Identity and access management:

1.1 Lambda function execution IAM role follows the principle of least privilege

1.2 Lambda function policies prohibit public access
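As an added example (not code from the article), the two identity controls above can be checked offline against policy documents. The policies below are constructed samples: a broad execution-role policy, a function resource policy that lets any principal invoke the function, and a properly scoped one that pins the calling API with `aws:SourceArn`. The condition keys treated as "pinning" the caller are an assumption of this example.

```python
import json
from typing import Any, Dict, List

# Constructed sample policies (not taken from the article) used to exercise the checks.
BROAD_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders:*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

PUBLIC_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders"},
    ],
}

SCOPED_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OnlyOurApi", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
         "Condition": {"ArnLike": {
             "AWS:SourceArn": "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/GET/orders"}}},
    ],
}

# Condition keys that narrow who may use a resource policy (assumption for this example).
PINNING_CONDITION_KEYS = ("aws:sourcearn", "aws:sourceaccount", "aws:principalorgid")


def _as_list(value: Any) -> List[Any]:
    """IAM accepts either a single string or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Control 1.1: flag Allow statements in an execution-role policy that grant wildcard
    actions ("*" or "service:*"), a wildcard resource, or use NotAction/NotResource."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants an open-ended set")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: wildcard resource")
    return findings


def _allows_any_principal(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def resource_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Control 1.2: flag function (resource) policy statements that make the function
    publicly invocable, or that trust a service principal without pinning the caller."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        condition = stmt.get("Condition") or {}
        # Condition is {operator: {key: value}}; collect the keys case-insensitively.
        condition_keys = {k.lower() for block in condition.values() for k in block}
        pinned = any(k in condition_keys for k in PINNING_CONDITION_KEYS)
        if _allows_any_principal(principal):
            if not condition:
                findings.append(f"{sid}: PUBLIC - any principal may call {stmt.get('Action')} with no condition")
            else:
                findings.append(f"{sid}: any principal allowed, restricted only by a condition (review it)")
        elif isinstance(principal, dict) and principal.get("Service") and not pinned:
            findings.append(f"{sid}: service principal trusted without aws:SourceArn/aws:SourceAccount (confused-deputy risk)")
    return findings


def is_publicly_invocable(policy: Dict[str, Any]) -> bool:
    return any("PUBLIC" in f for f in resource_policy_findings(policy))


if __name__ == "__main__":
    print(json.dumps({
        "role": role_policy_findings(BROAD_ROLE_POLICY),
        "public": resource_policy_findings(PUBLIC_RESOURCE_POLICY),
        "scoped": resource_policy_findings(SCOPED_RESOURCE_POLICY),
    }, indent=2))
```

In practice the inputs come from `iam:GetRolePolicy` / `iam:GetPolicyVersion` for the execution role and `lambda:GetPolicy` for the function; the checks themselves need no AWS access, which keeps them usable in CI on templates before deployment.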

Network:

2.1 Lambda function is connected to a VPC for Internet access

2.2 Lambda function uses VPC endpoints for accessing other AWS services

2.3 Security group associated with Lambda - inbound and outbound rules follow controls specified for security groups in CIS AWS benchmark

2.4 NACL associated with subnet of Lambda function's VPC follows controls specified for NACL in CIS AWS benchmark

2.5 VPC associated with a Lambda function follows controls specified for VPC in CIS AWS benchmark

Monitoring:

3.1 Ensure a log metric filter and alarm exist for updating/getting code related to high risk Lambda function

3.2 Alert on Lambda functions that have been unused for X number of days

3.3 Ensure a log metric filter and alarm exist for CloudTrail event EC2::AssociateAddress corresponding to Lambda network interface
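The three monitoring controls above are, at bottom, detection rules over CloudTrail and CloudWatch data. As an added example (not from the article), the block below runs those rules over constructed records. The high-risk function naming patterns, the ENI inventory and the last-invocation timestamps are all assumed sample data; the detail that CloudTrail suffixes Lambda event names with an API version (for example `UpdateFunctionCode20150331v2`) is why the code matches on prefixes, and the `AWS Lambda VPC ENI` description prefix used to recognise Lambda-managed interfaces is an assumption to verify in your account.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Optional

# Assumed naming convention for high-risk functions (glob patterns); not from the article.
HIGH_RISK_FUNCTIONS = ["payments-*", "kms-rotate"]

# CloudTrail records Lambda API calls with an API-version suffix on eventName
# (e.g. UpdateFunctionCode20150331v2, GetFunction20150331v2), so match on the prefix.
CODE_ACCESS_PREFIXES = ("UpdateFunctionCode", "GetFunction", "CreateFunction", "PublishVersion")

# Constructed CloudTrail records, trimmed to the fields the checks use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "payments-settle"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"functionName": "arn:aws:lambda:us-east-1:123456789012:function:hello-world"}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AssociateAddress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
     "requestParameters": {"networkInterfaceId": "eni-0a1b2c3d4e5f6a7b8",
                           "allocationId": "eipalloc-0123456789abcdef0"}},
]

# Constructed ENI inventory (id -> description) as DescribeNetworkInterfaces would return it.
# Lambda-managed ENIs are assumed to carry a description starting "AWS Lambda VPC ENI".
SAMPLE_ENIS = {
    "eni-0a1b2c3d4e5f6a7b8": "AWS Lambda VPC ENI-payments-settle-0f1e2d3c",
    "eni-0ffffffffffffffff": "Primary network interface",
}

# Constructed last-invocation times (what the CloudWatch Invocations metric would give).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LAST_INVOCATION: Dict[str, Optional[datetime]] = {
    "payments-settle": datetime(2024, 5, 30, tzinfo=timezone.utc),
    "hello-world": datetime(2024, 4, 1, tzinfo=timezone.utc),
    "legacy-export": None,  # never invoked in the metric window
}


def _function_name(value: str) -> str:
    """requestParameters.functionName may be a bare name, a name:qualifier, or a full ARN."""
    return value.split(":function:")[-1].split(":")[0]


def code_access_alerts(events: Iterable[dict], patterns: List[str] = HIGH_RISK_FUNCTIONS) -> List[str]:
    """Control 3.1: code updates/reads on high-risk functions."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not ev.get("eventName", "").startswith(CODE_ACCESS_PREFIXES):
            continue
        name = _function_name(ev.get("requestParameters", {}).get("functionName", ""))
        if any(fnmatch(name, p) for p in patterns):
            alerts.append(f"{ev['eventTime']} {ev['userIdentity']['arn']} {ev['eventName']} on {name}")
    return alerts


def lambda_eni_address_alerts(events: Iterable[dict], enis: Dict[str, str]) -> List[str]:
    """Control 3.3: AssociateAddress calls that target a Lambda-managed network interface."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "ec2.amazonaws.com" or ev.get("eventName") != "AssociateAddress":
            continue
        eni = ev.get("requestParameters", {}).get("networkInterfaceId")
        if eni and enis.get(eni, "").startswith("AWS Lambda VPC ENI"):
            alerts.append(f"{ev['eventTime']} {ev['userIdentity']['arn']} attached an Elastic IP to Lambda ENI {eni}")
    return alerts


def unused_functions(last_invocation: Dict[str, Optional[datetime]], now: datetime, days: int) -> List[str]:
    """Control 3.2: functions not invoked in the last `days` days (never-invoked ones included)."""
    cutoff = now - timedelta(days=days)
    return sorted(name for name, last in last_invocation.items() if last is None or last < cutoff)


if __name__ == "__main__":
    print(code_access_alerts(SAMPLE_EVENTS))
    print(lambda_eni_address_alerts(SAMPLE_EVENTS, SAMPLE_ENIS))
    print(unused_functions(SAMPLE_LAST_INVOCATION, NOW, days=30))
```

The same predicates translate directly into a CloudWatch Logs metric filter on the CloudTrail log group plus an alarm on the resulting metric, which is the form the controls ask for; running them in Python first makes it easy to confirm the rule fires on the intended events before wiring up the alarm.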

API Gateway:

4.1 Appropriate Authorizer (custom/IAM/Cognito) used in the API invoking the Lambda function

4.2 Usage plan/rate limit is set on the API invoking the Lambda function

4.3 WAF rules are enabled on API Gateway for managing API security risks (like the OWASP Top 10)

Lambda workload:

5.1 Latest Lambda runtime is used

5.2 Lambda layers and dependencies in the function's deployment package use the latest versions of their packages

5.3 Lambda function code deployment method is reviewed (uploaded to S3 or included directly in CloudFormation/Terraform), including access control for the S3 buckets

5.4 Sensitive information is not passed as Lambda function environment variables

5.5 Secrets are not hardcoded in Lambda function code

5.6 Sensitive information (like tokens) is not written into the logs generated by Lambda functions

5.7 Lambda function code review has referenced the OWASP Serverless Top 10 security risks as one of the considerations
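The three workload items on environment variables, hardcoded secrets and log contents share one underlying check: recognising secret-looking values. As an added example (not code from the article), the block below builds one small pattern set and applies it three ways: to a function's environment variables (treating a Secrets Manager or Parameter Store ARN as an acceptable reference rather than a secret), to source text, and as a `logging` filter that masks matches before they reach CloudWatch Logs. The patterns, the sensitive-name word list and the sample inputs are constructed for this example and are deliberately not exhaustive.

```python
import logging
import re
from typing import Dict, List, Tuple

# Value patterns that indicate a secret (constructed for this example; extend for your estate).
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "literal_assignment": re.compile(
        r"\b(?:password|passwd|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{8,}['\"]", re.IGNORECASE),
}
# Environment-variable names that usually hold a credential (assumed word list).
SENSITIVE_KEY_WORDS = ("SECRET", "PASSWORD", "PASSWD", "TOKEN", "API_KEY", "PRIVATE_KEY")
# Values that merely point at a secret store, which the function resolves at runtime.
REFERENCE_PREFIXES = ("arn:aws:secretsmanager:", "arn:aws:ssm:")


def scan_for_secrets(text: str) -> List[str]:
    """Hardcoded-secret check: names of the secret patterns present in source code or a log line."""
    return sorted(name for name, rx in SECRET_VALUE_PATTERNS.items() if rx.search(text))


def env_var_findings(variables: Dict[str, str]) -> List[str]:
    """Environment-variable check: variables carrying a secret value instead of a reference."""
    findings = []
    for key, value in variables.items():
        if value.startswith(REFERENCE_PREFIXES):
            continue  # a reference to Secrets Manager / Parameter Store is the accepted pattern
        if any(word in key.upper() for word in SENSITIVE_KEY_WORDS):
            findings.append(f"{key}: name suggests a credential stored in plaintext")
        for hit in scan_for_secrets(value):
            findings.append(f"{key}: value matches {hit}")
    return findings


def redact(text: str) -> str:
    """Replace every secret-looking substring so it never reaches the log group."""
    for name, rx in SECRET_VALUE_PATTERNS.items():
        text = rx.sub(f"<redacted {name}>", text)
    return text


class RedactingFilter(logging.Filter):
    """Logging filter: format the record early and redact it, so handlers only see the masked text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def redacted_record_message(fmt: str, args: Tuple) -> str:
    """Helper showing what a handler would receive for a given log call after the filter."""
    record = logging.LogRecord("demo", logging.INFO, __file__, 0, fmt, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


# Constructed samples.
SAMPLE_ENV = {
    "DB_PASSWORD": "hunter2hunter2",
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds",
    "LOG_LEVEL": "INFO",
}
SAMPLE_SOURCE = 'aws_key = "AKIAIOSFODNN7EXAMPLE"\nheaders["Authorization"] = f"Bearer {token}"\n'

if __name__ == "__main__":
    # In a Lambda handler the runtime has already attached a handler to the root logger;
    # filters on the handler apply to every record that passes through it.
    for handler in logging.getLogger().handlers:
        handler.addFilter(RedactingFilter())
    print(env_var_findings(SAMPLE_ENV))
    print(scan_for_secrets(SAMPLE_SOURCE))
    print(redacted_record_message("request auth=%s", ("Bearer eyJhbGciOi.payload.sig",)))
```

Note that `DB_SECRET_ARN` is not reported even though its name contains SECRET: the value is a reference, and fetching the credential from Secrets Manager at runtime is exactly what the environment-variable control asks for. The filter sits on the handler rather than the logger so that records from child loggers are masked as well.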


Author: Prakasha M Ramachandra