
Lambda Function Execution Roles with Inline Policies

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the IAM execution role associated with each Amazon Lambda function is using managed policies instead of inline policies for simplicity and manageability.

Security
Operational excellence

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access specific AWS services and resources. IAM execution roles for Lambda functions should avoid inline policies because customer-inline policies are embedded directly in a single role, which makes them harder to version, audit, reuse, and modify. Managed policies are standalone IAM objects that can be attached to several roles, updated in one place, and reviewed centrally, so using them simplifies policy management, follows AWS best practices, and improves the security and compliance posture of your Lambda functions.


Audit

To determine if the IAM execution roles associated with Lambda functions are using inline policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab and check the Type column for each IAM policy listed in the Permissions policies section. If the role has one or more customer-inline policies, the IAM execution role associated with the selected Amazon Lambda function is using inline policies.

08 Repeat steps no. 4 – 7 for each Amazon Lambda function created within the current AWS cloud region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other AWS regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-process-stream-function   |
|  cc-dynamo-exporter-function  |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM execution role associated with the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-process-stream-function \
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-stream-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-stream-execution-role"

05 Run list-role-policies command (OSX/Linux/UNIX) with custom query filters to describe the names of the inline policies associated with the Lambda function execution role:

aws iam list-role-policies \
  --role-name cc-lambda-stream-execution-role \
  --query 'PolicyNames'

06 The command output should return the name of each inline policy associated with the selected IAM role:

[
	"cc-root-inline-policy",
	"cc-custom-inline-policy"
]

If the list-role-policies command output returns one or more customer-inline policies, as shown in the output example above, the IAM execution role associated with the selected Amazon Lambda function is using inline policies.

07 Repeat steps no. 3 – 6 for each Amazon Lambda function available in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other AWS regions.
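The manual CLI steps above scale poorly once an account holds dozens of functions per region. The following script is an added example (not part of the Conformity page) that automates steps 1 – 8: it issues the same list-functions, get-function and list-role-policies calls, extracts the role name from the execution-role ARN, and reports every function whose role carries at least one inline policy. It assumes the AWS CLI is installed and credentials are configured; the function and role names in the comments are the hypothetical ones used on this page.

```shell
#!/usr/bin/env bash
# Added example: audit Lambda execution roles for customer-inline policies.
# Assumes a configured AWS CLI; run as: audit_region us-east-1 (or audit_all_regions).
set -eu

# Step 04: the execution-role ARN carries the role name after the last "/",
# for both "role/<name>" and "role/service-role/<name>" forms.
role_name_from_arn() {
  printf '%s\n' "${1##*/}"
}

# Steps 05/06: print the inline policy names attached to a role, one per line.
# No output means the role uses managed policies only (the compliant state).
inline_policies_for_role() {
  aws iam list-role-policies \
    --role-name "$1" \
    --query 'PolicyNames' \
    --output text | tr '\t' '\n' | sed '/^$/d'
}

# Steps 01-07 for one region. Prints one line per NON-compliant function as
# "<region> <function> <role> <inline-policy-count>"; returns 0 when every
# execution role is clean and 1 when at least one role has inline policies.
audit_region() {
  region="$1"
  failed=0
  for fn in $(aws lambda list-functions --region "$region" \
                --query 'Functions[*].FunctionName' --output text); do
    role_arn=$(aws lambda get-function --region "$region" \
                 --function-name "$fn" --query 'Configuration.Role' --output text)
    role=$(role_name_from_arn "$role_arn")
    count=$(inline_policies_for_role "$role" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
      printf '%s %s %s %s\n' "$region" "$fn" "$role" "$count"
      failed=1
    fi
  done
  return "$failed"
}

# Step 08: repeat the audit for every region enabled in the account.
audit_all_regions() {
  rc=0
  for region in $(aws ec2 describe-regions --query 'Regions[*].RegionName' --output text); do
    audit_region "$region" || rc=1
  done
  return "$rc"
}
```

The non-zero exit status lets the script serve as a gate in a CI or scheduled compliance job. Because several functions may share one execution role, a single inline policy can surface as several findings; deduplicate on the role column if you are counting roles rather than functions.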

Remediation / Resolution

To ensure that the IAM execution role associated with your Amazon Lambda functions is not using inline policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab to access the policies attached to the IAM execution role.

08 In the Permissions policies section, perform the following operations:

  1. Select the customer-inline policy that you want to remove from the associated IAM role and choose Remove.
  2. Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.
  3. To attach managed policies, choose Add permissions, Attach policies, and select one or more managed policies that you want to attach to your IAM execution role. Choose Add permissions to apply the permission changes.

09 Repeat steps no. 4 – 8 to reconfigure the IAM execution role for other Amazon Lambda functions available within the current AWS region.

10 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Run delete-role-policy command (OSX/Linux/UNIX) to remove any customer-inline policies from the associated IAM execution role (the command does not return an output):

aws iam delete-role-policy \
  --role-name cc-lambda-stream-execution-role \
  --policy-name cc-root-inline-policy

02 Run attach-role-policy command (OSX/Linux/UNIX) to attach the required managed policies to the IAM execution role associated with your Amazon Lambda function. In the following command request example, the "AWSLambdaMQExecutionRole" managed policy provides permission to read records from an Amazon MQ broker (the command does not produce an output):

aws iam attach-role-policy \
  --role-name cc-lambda-stream-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaMQExecutionRole

03 Repeat steps no. 1 and 2 to reconfigure the IAM execution role for other Amazon Lambda functions available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the Remediation process for other AWS regions.
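Deleting an inline policy (step 1) before its replacement is attached (step 2) leaves the function without permissions for the interval between the two calls, and an AWS managed policy such as AWSLambdaMQExecutionRole rarely matches a hand-written inline document exactly. The following script is an added example (not part of the Conformity page) that performs the remediation in the safe order: it reads the inline policy document with get-role-policy, creates a customer managed policy with the same statements, attaches it, and only then deletes the inline copy. It assumes a configured AWS CLI; the role and policy names are the hypothetical ones from this page, and the "-managed" suffix for the new policy name is a choice made here.

```shell
#!/usr/bin/env bash
# Added example: migrate inline policies to customer managed policies without a
# permissions gap. Assumes a configured AWS CLI; names below are hypothetical.
set -eu

# Convert one inline policy on a role into a customer managed policy carrying the
# same document, attach it, and only then delete the inline copy. Prints the ARN
# of the new managed policy. The third argument overrides the managed policy name.
migrate_inline_policy() {
  role="$1"; inline_name="$2"; managed_name="${3:-${2}-managed}"

  doc_file=$(mktemp)
  # 1. Fetch the inline policy document (the CLI returns it as decoded JSON).
  aws iam get-role-policy --role-name "$role" --policy-name "$inline_name" \
    --query 'PolicyDocument' --output json > "$doc_file"

  # 2. Create a customer managed policy with identical statements.
  managed_arn=$(aws iam create-policy --policy-name "$managed_name" \
    --policy-document "file://$doc_file" --query 'Policy.Arn' --output text)
  rm -f "$doc_file"

  # 3. Attach the managed policy BEFORE touching the inline one.
  aws iam attach-role-policy --role-name "$role" --policy-arn "$managed_arn"

  # 4. Remove the inline policy; the role's effective permissions are unchanged.
  aws iam delete-role-policy --role-name "$role" --policy-name "$inline_name"

  printf '%s\n' "$managed_arn"
}

# Migrate every inline policy found on a role (step 05 of the Audit section
# provides the names). Prints one managed-policy ARN per migrated policy.
migrate_all_inline_policies() {
  role="$1"
  aws iam list-role-policies --role-name "$role" --query 'PolicyNames' --output text \
    | tr '\t' '\n' | sed '/^$/d' | while read -r name; do
        migrate_inline_policy "$role" "$name"
      done
}
```

Two checks before running this at scale: customer managed policy names must be unique within the account, so a collision on the "-managed" name makes create-policy fail before anything is deleted (the safe failure mode); and IAM caps a managed policy document at 6,144 non-whitespace characters, smaller than the total inline allowance on a role, so an unusually large inline document may need to be split into two managed policies.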

Publication date Oct 20, 2023