
Use AWS-Managed Policies for Lambda Function Execution Roles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the IAM execution role associated with each Amazon Lambda function uses only AWS-managed policies rather than customer-managed or inline policies. AWS-managed policies are written and maintained by AWS for specific Lambda integrations, which keeps function permissions consistent across your fleet and avoids hand-written policies that tend to accumulate broader permissions than the Principle of Least Privilege (POLP) allows.

Security, Operational excellence

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access specific AWS services and resources. For example, an execution role can carry permission to send logs to Amazon CloudWatch Logs, to upload trace data to AWS X-Ray, or to read events from an Amazon Kinesis data stream or consumer. The AWS-managed policies for these integrations are curated by AWS, contain only the actions the integration needs, and are updated by AWS as the underlying services change, so you do not maintain them yourself and every function with the same integration gets the same permissions. Note that they grant those actions on Resource "*" (for example, AWSLambdaBasicExecutionRole allows logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on any log group) and that they cover Lambda's service integrations only: a function that needs access to an application resource such as a specific S3 bucket or DynamoDB table cannot get it from an AWS-managed policy, so review what each customer-managed or inline policy grants before removing it.


Audit

To determine if the IAM execution roles associated with Lambda functions are using AWS-managed policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab and check the Type column for each IAM policy listed in the Permissions policies section. AWS-managed policies show the type AWS managed. If the role has one or more policies of type Customer managed or Customer inline, the IAM execution role associated with the selected Lambda function is not configured to use only AWS-managed policies.

08 Repeat steps no. 4 – 7 for each Amazon Lambda function created within the current AWS cloud region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other AWS regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-process-stream-function   |
|  cc-dynamo-exporter-function  |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM execution role associated with the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-process-stream-function \
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-stream-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-stream-execution-role"

05 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated execution role:

aws iam list-attached-role-policies \
  --role-name cc-lambda-stream-execution-role \
  --query 'AttachedPolicies[*].PolicyArn'

06 The command output should return the ARN of each managed policy attached to the selected IAM role:

[
    "arn:aws:iam::123456789012:policy/cc-customer-managed-policy"
]

The ARN of an AWS-managed policy uses the "aws" pseudo-account, i.e. "arn:aws:iam::aws:policy/[path]/[policy-name]", while a customer-managed policy carries your own account ID, i.e. "arn:aws:iam::[account-id]:policy/[policy-name]". If the list-attached-role-policies command output returns one or more customer-managed policies, as shown in the output example above, the IAM execution role associated with the selected Lambda function is not configured to use only AWS-managed policies.

07 Run list-role-policies command (OSX/Linux/UNIX) with custom filtering to describe the name of each inline policy attached to the associated IAM role:

aws iam list-role-policies \
  --role-name cc-lambda-stream-execution-role \
  --query 'PolicyNames'

08 The command output should return the name of each inline policy associated with the selected IAM role:

[
    "cc-lambda-inline-policy"
]

If the list-role-policies command output returns one or more inline policies, as shown in the output example above, the IAM execution role associated with the selected Lambda function is not configured to use only AWS-managed policies.

09 Repeat steps no. 3 – 8 for each Amazon Lambda function available in the selected AWS cloud region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the Audit process for other AWS regions.
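The Audit steps above are done per function and per role by hand. The following script, added here as an example and not part of the Conformity check or of any AWS tooling, performs the same classification (steps 3 to 8) over constructed sample data that mirrors the CLI outputs shown above, and includes a live variant for one region that assumes boto3 is installed and AWS credentials are configured. The account ID 123456789012 and the cc-* names are illustrative.

```python
"""Audit Lambda execution roles for customer-managed or inline policies.

Added example; this is not the Conformity check's own code. The live path
assumes boto3 is installed and AWS credentials are configured. The sample
data below is constructed to mirror the CLI outputs in the Audit section
(account 123456789012 and the cc-* names are illustrative).
"""
import re

# AWS-managed policies live under the pseudo-account "aws"; the partition
# varies (aws, aws-cn, aws-us-gov), so match it loosely.
AWS_MANAGED_POLICY = re.compile(r"^arn:[^:]+:iam::aws:policy/")


def role_name_from_arn(role_arn):
    # Role names cannot contain "/", so the last segment is the name even
    # when the role has a path such as /service-role/.
    return role_arn.rsplit("/", 1)[-1]


def is_aws_managed(policy_arn):
    return AWS_MANAGED_POLICY.match(policy_arn) is not None


def evaluate_role(function_name, role_arn, attached_policy_arns, inline_policy_names):
    """Classify one execution role the way Audit steps 5 to 8 do by hand."""
    customer_managed = [a for a in attached_policy_arns if not is_aws_managed(a)]
    inline = list(inline_policy_names)
    return {
        "function": function_name,
        "role": role_name_from_arn(role_arn),
        "customer_managed": customer_managed,
        "inline": inline,
        "compliant": not customer_managed and not inline,
    }


# Constructed sample: what the CLI calls in the Audit section returned.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "cc-process-stream-function",
     "Role": "arn:aws:iam::123456789012:role/service-role/cc-lambda-stream-execution-role"},
    {"FunctionName": "cc-dynamo-exporter-function",
     "Role": "arn:aws:iam::123456789012:role/cc-dynamo-exporter-role"},
]
SAMPLE_ATTACHED = {
    "cc-lambda-stream-execution-role": [
        "arn:aws:iam::123456789012:policy/cc-customer-managed-policy",
        "arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
    ],
    "cc-dynamo-exporter-role": [
        "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
    ],
}
SAMPLE_INLINE = {
    "cc-lambda-stream-execution-role": ["cc-lambda-inline-policy"],
    "cc-dynamo-exporter-role": [],
}


def audit_sample():
    """Offline run over the constructed sample (one failing, one compliant role)."""
    return [
        evaluate_role(fn["FunctionName"], fn["Role"],
                      SAMPLE_ATTACHED[role_name_from_arn(fn["Role"])],
                      SAMPLE_INLINE[role_name_from_arn(fn["Role"])])
        for fn in SAMPLE_FUNCTIONS
    ]


def audit_region(region):
    """Live audit of one region (Audit steps 1 to 9). Paginators cover accounts
    with more than 50 functions or many policies; IAM is global, so the IAM
    client needs no region."""
    import boto3  # assumed installed; imported here so the offline path runs without it

    lam = boto3.client("lambda", region_name=region)
    iam = boto3.client("iam")
    findings = []
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            role = role_name_from_arn(fn["Role"])
            attached = [p["PolicyArn"]
                        for pg in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role)
                        for p in pg["AttachedPolicies"]]
            inline = [n for pg in iam.get_paginator("list_role_policies").paginate(RoleName=role)
                      for n in pg["PolicyNames"]]
            findings.append(evaluate_role(fn["FunctionName"], fn["Role"], attached, inline))
    return findings


if __name__ == "__main__":
    for f in audit_sample():
        status = "OK  " if f["compliant"] else "FAIL"
        print(f"{status} {f['function']} ({f['role']}): "
              f"customer-managed={f['customer_managed']} inline={f['inline']}")
```

Run it as-is to see the sample classification, or call audit_region("us-east-1") from a session with lambda:ListFunctions, iam:ListAttachedRolePolicies and iam:ListRolePolicies permissions. The partition-aware regex matters in GovCloud and China regions, where a naive check for "arn:aws:iam::aws:" would report every AWS-managed policy as customer-managed.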

Remediation / Resolution

To ensure that the IAM execution role associated with your Amazon Lambda functions uses AWS-managed policies only, perform the following actions. The AWS-managed policies listed below are designed and maintained by AWS and provide the permissions Lambda needs for its built-in integrations. Attach only those that match the function's event sources and configuration, and before removing a customer-managed or inline policy check what it grants: access to application resources (for example a specific S3 bucket or DynamoDB table) is not covered by any of these policies, and removing it will break the function.

  • "AWSLambdaBasicExecutionRole" – permission to upload logs to Amazon CloudWatch Logs.
  • "AWSLambdaDynamoDBExecutionRole" – permission to read records from an Amazon DynamoDB stream.
  • "AWSLambdaKinesisExecutionRole" – permission to read events from an Amazon Kinesis data stream or consumer.
  • "AWSLambdaMQExecutionRole" – permission to read records from an Amazon MQ broker.
  • "AWSLambdaMSKExecutionRole" – permission to read records from an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.
  • "AWSLambdaSQSQueueExecutionRole" – permission to read a message from an Amazon Simple Queue Service (Amazon SQS) queue.
  • "AWSLambdaVPCAccessExecutionRole" – permission to manage elastic network interfaces to connect your function to a virtual private cloud (VPC).
  • "AWSXRayDaemonWriteAccess" – permission to upload trace data to X-Ray.
  • "CloudWatchLambdaInsightsExecutionRolePolicy" – permission to write runtime metrics to CloudWatch Lambda Insights.
  • "AmazonS3ObjectLambdaExecutionRolePolicy" – permission to interact with Amazon S3 object Lambda and to write to CloudWatch Logs.
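Choosing from the list above is a function of the Lambda configuration: a VPC-attached function needs the VPC policy, an X-Ray-traced one the X-Ray policy, and each event source mapping the policy for its service. The script below, added as an example and not Conformity's or AWS's own code, derives that set from the shapes returned by get-function-configuration and list-event-source-mappings and then emits the detach/delete/attach commands used in the CLI remediation steps. The policy ARNs are the ones AWS publishes for these policies; the cc-* names, account 123456789012 and the sample configuration are constructed.

```python
"""Pick the AWS-managed policies a Lambda function needs and plan the swap.

Added example; not Conformity's or AWS's code. Maps a function's
configuration (get-function-configuration / list-event-source-mappings
shapes) onto the AWS-managed policy list, then emits the CLI commands of
the remediation steps. The cc-* names, account 123456789012 and the sample
configuration are constructed.
"""

POLICY_ARNS = {
    "AWSLambdaBasicExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
    "AWSLambdaDynamoDBExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole",
    "AWSLambdaKinesisExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole",
    "AWSLambdaMQExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaMQExecutionRole",
    "AWSLambdaMSKExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole",
    "AWSLambdaSQSQueueExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole",
    "AWSLambdaVPCAccessExecutionRole": "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
    "AWSXRayDaemonWriteAccess": "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess",
    "CloudWatchLambdaInsightsExecutionRolePolicy": "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy",
}

# Service element of an EventSourceArn -> policy that lets Lambda poll that source.
EVENT_SOURCE_POLICY = {
    "kinesis": "AWSLambdaKinesisExecutionRole",
    "dynamodb": "AWSLambdaDynamoDBExecutionRole",
    "sqs": "AWSLambdaSQSQueueExecutionRole",
    "kafka": "AWSLambdaMSKExecutionRole",
    "mq": "AWSLambdaMQExecutionRole",
}


def required_policies(config, event_source_arns):
    """Sorted AWS-managed policy ARNs that this function's configuration calls for."""
    needed = {"AWSLambdaBasicExecutionRole"}  # every function should be able to write logs
    if (config.get("VpcConfig") or {}).get("SubnetIds"):
        needed.add("AWSLambdaVPCAccessExecutionRole")  # ENI management for VPC-attached functions
    if (config.get("TracingConfig") or {}).get("Mode") == "Active":
        needed.add("AWSXRayDaemonWriteAccess")
    if any("LambdaInsightsExtension" in layer.get("Arn", "") for layer in config.get("Layers", [])):
        needed.add("CloudWatchLambdaInsightsExecutionRolePolicy")
    for arn in event_source_arns:
        service = arn.split(":")[2]  # arn:partition:SERVICE:region:account:resource
        if service not in EVENT_SOURCE_POLICY:
            # No AWS-managed policy covers this source (e.g. self-managed Kafka
            # has no EventSourceArn at all): flag it instead of guessing.
            raise ValueError(f"no AWS-managed policy covers event source {arn}")
        needed.add(EVENT_SOURCE_POLICY[service])
    return sorted(POLICY_ARNS[name] for name in needed)


def _is_aws_managed(policy_arn):
    return policy_arn.split(":")[4] == "aws"  # account field is the "aws" pseudo-account


def remediation_plan(role_name, attached_arns, inline_names, required_arns):
    """CLI commands of remediation steps 1 to 3; IAM is global, so no --region."""
    cmds = [f"aws iam detach-role-policy --role-name {role_name} --policy-arn {a}"
            for a in attached_arns if not _is_aws_managed(a)]
    cmds += [f"aws iam delete-role-policy --role-name {role_name} --policy-name {n}"
             for n in inline_names]
    cmds += [f"aws iam attach-role-policy --role-name {role_name} --policy-arn {a}"
             for a in required_arns if a not in attached_arns]
    return cmds


# Constructed sample: a VPC-attached, X-Ray-traced function reading a Kinesis stream.
SAMPLE_CONFIG = {
    "FunctionName": "cc-process-stream-function",
    "VpcConfig": {"SubnetIds": ["subnet-0123456789abcdef0"], "SecurityGroupIds": ["sg-0123456789abcdef0"]},
    "TracingConfig": {"Mode": "Active"},
    "Layers": [],
}
SAMPLE_EVENT_SOURCES = ["arn:aws:kinesis:us-east-1:123456789012:stream/cc-stream"]
SAMPLE_ATTACHED = ["arn:aws:iam::123456789012:policy/cc-customer-managed-policy"]
SAMPLE_INLINE = ["cc-lambda-inline-policy"]


def sample_plan():
    required = required_policies(SAMPLE_CONFIG, SAMPLE_EVENT_SOURCES)
    return remediation_plan("cc-lambda-stream-execution-role", SAMPLE_ATTACHED, SAMPLE_INLINE, required)


if __name__ == "__main__":
    print("\n".join(sample_plan()))
```

The plan lists detach and delete commands before the attach commands so you can review what is being dropped; run the attach commands first in practice if the function must keep working during the change, since a role with no policies at all stops the function from writing logs or polling its event source. The ValueError on an unknown event-source service is deliberate: if no AWS-managed policy exists for a source, this check cannot be satisfied for that function without a customer-managed policy, which is worth knowing before detaching anything.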

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab to access the policies attached to the IAM execution role.

08 In the Permissions policies section, perform the following actions based on the policy type:

  1. For customer-managed policies:
    • Select the customer-managed policy that you want to detach from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, choose Delete to confirm the removal.
  2. For customer-inline policies:
    • Select the inline policy that you want to remove from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.
  3. To attach AWS-managed policies, choose Add permissions, Attach policies, and select one or more AWS-managed policies that you want to attach to your IAM execution role. Choose Add permissions to apply the permission changes.

09 Repeat steps no. 4 – 8 to reconfigure the IAM execution role for other Amazon Lambda functions available within the current AWS region.

10 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Run detach-role-policy command (OSX/Linux/UNIX) to remove the customer-managed policies from the IAM execution role associated with your Amazon Lambda function (the command does not produce an output):

aws iam detach-role-policy \
  --role-name cc-lambda-stream-execution-role \
  --policy-arn arn:aws:iam::123456789012:policy/cc-customer-managed-policy

02 Run delete-role-policy command (OSX/Linux/UNIX) to remove the customer-inline policies from the associated IAM execution role (the command does not return an output):

aws iam delete-role-policy \
  --role-name cc-lambda-stream-execution-role \
  --policy-name cc-lambda-inline-policy

03 Run attach-role-policy command (OSX/Linux/UNIX) to attach the required AWS-managed policies to the IAM execution role associated with your Amazon Lambda function. In the following command request example, the "AWSLambdaBasicExecutionRole" managed policy provides permission to upload Amazon Lambda function logs to Amazon CloudWatch Logs (the command does not produce an output):

aws iam attach-role-policy \
  --role-name cc-lambda-stream-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

04 Repeat steps no. 1 – 3 to reconfigure the IAM execution role for other Amazon Lambda functions available in the selected AWS region.

05 IAM roles and policies are global, so the commands above take no --region parameter. To cover the functions in other AWS regions, list them with the list-functions command from the Audit process, updating its --region parameter value, and repeat steps no. 1 – 4 for each execution role found.


Publication date Oct 20, 2023