Use Customer-Managed Policies for Lambda Function Execution Roles

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab and check the Type column for each IAM policy listed in the Permissions policies section. If the role has no customer-managed policies, the IAM execution role associated with the selected Lambda function is not configured to provide fine-grained access control.

08 Repeat steps no. 4 – 7 for each Amazon Lambda function created within the current AWS cloud region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other AWS regions.

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions
  --region us-east-1
  --output table
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-dynamo-exporter-function  |
|  cc-process-stream-function   |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM execution role associated with the selected function:

aws lambda get-function
  --region us-east-1
  --function-name cc-dynamo-exporter-function
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-execution-role"

05 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated execution role:

aws iam list-attached-role-policies
  --role-name cc-lambda-execution-role
  --query 'AttachedPolicies[*].PolicyArn'

06 The command output should return the ARN of each managed policy attached to the selected IAM role:

[
	"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]

07 Repeat steps no. 3 – 6 for each Amazon Lambda function available in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the Audit process for other AWS regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab to access the policies attached to the IAM execution role.

08 In the Permissions policies section, perform the following actions based on the policy type:

1. For AWS-managed policies:
   • Select the AWS-managed policy that you want to detach from the associated IAM role and choose Remove.
   • Inside the Remove [policy-name] confirmation box, choose Delete to confirm the removal.
2. For customer-inline policies:
   • Select the inline policy that you want to remove from the associated IAM role and choose Remove.
   • Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.
3. To attach customer-managed IAM policies, choose Add permissions, Attach policies, and select one or more customer-managed policies that you want to attach to your IAM execution role. Choose Add permissions to apply the permission changes.

09 Repeat steps no. 4 – 8 to reconfigure the IAM execution role for other Amazon Lambda functions available within the current AWS region.

10 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

01 Run detach-role-policy command (OSX/Linux/UNIX) to remove the AWS-managed policies from the IAM execution role associated with your Amazon Lambda function (the command does not produce an output):

aws iam detach-role-policy
  --role-name cc-lambda-execution-role
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

02 Run delete-role-policy command (OSX/Linux/UNIX) to remove the customer-inline policies from the associated IAM execution role (the command does not return an output):

aws iam delete-role-policy 
  --role-name cc-lambda-execution-role
  --policy-name cc-lambda-inline-policy

03 Run attach-role-policy command (OSX/Linux/UNIX) to attach customer-managed policies to the IAM execution role associated with your Amazon Lambda function (the command does not produce an output):

aws iam attach-role-policy
  --role-name cc-lambda-execution-role
  --policy-arn arn:aws:iam::466594415815:policy/cc-customer-managed-policy

04 Repeat steps no. 1 and 2 to reconfigure the IAM execution role for other Amazon Lambda functions available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other AWS regions.