
Use Customer-Managed Policies for Lambda Function Execution Roles

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the IAM execution roles associated with your Amazon Lambda functions are using customer-managed policies, also known as user-managed policies, to provide fine-grained access control for your Lambda functions.

Security, Operational excellence

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access specific AWS services and resources. For example, a function's execution role can provide the permissions needed to send logs to Amazon CloudWatch Logs or to read events from an Amazon Kinesis data stream or consumer. In many cases, AWS-managed policies are enough to grant access to the main services and resources, but they are written for every customer, so their permissions are broad: AWSLambdaBasicExecutionRole, for example, allows logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents on Resource "*", that is, on every log group in the account. Using customer-managed policies instead gives you fine-grained control over permissions, so access can be scoped to the specific resources (a particular log group, stream or table) that the function actually uses. This approach suits use cases where AWS-managed policies are too broad or too limited, granting precise permissions while adhering to the Principle of Least Privilege.


Audit

To determine if the IAM execution roles associated with your Lambda functions are using customer-managed policies, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab and check the Type column for each IAM policy listed in the Permissions policies section. If the role has no customer-managed policies, the IAM execution role associated with the selected Lambda function is not configured to provide fine-grained access control.

08 Repeat steps no. 4 – 7 for each Amazon Lambda function created within the current AWS cloud region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other AWS regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-dynamo-exporter-function  |
|  cc-process-stream-function   |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM execution role associated with the selected function:

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-dynamo-exporter-function \
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-execution-role"

05 Run list-attached-role-policies command (OSX/Linux/UNIX) with custom query filters to list the Amazon Resource Name (ARN) of each managed policy attached to the associated execution role:

aws iam list-attached-role-policies \
  --role-name cc-lambda-execution-role \
  --query 'AttachedPolicies[*].PolicyArn'

06 The command output should return the ARN of each managed policy attached to the selected IAM role:

[
	"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]

A customer-managed IAM policy ARN has the format arn:aws:iam::[account-id]:policy/[optional-path/][policy-name], where the account ID is your own 12-digit AWS account ID; an AWS-managed policy carries the literal "aws" in that position (arn:aws:iam::aws:policy/...). If the list-attached-role-policies command output does not return any customer-managed policies, as shown in the output example above, the IAM execution role associated with the selected Amazon Lambda function is not configured to provide fine-grained access control. Note that list-attached-role-policies returns managed policies only; inline policies embedded in the role are returned by the list-role-policies command and are not a substitute for customer-managed policies under this rule.

07 Repeat steps no. 3 – 6 for each Amazon Lambda function available in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the Audit process for other AWS regions.
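The CLI audit above, automated across regions. This is an added example and not Conformity's own tooling: the ARN classification and the per-role verdict are pure Python (they mirror steps 3 – 6 and also pick up inline policies, which list-attached-role-policies does not show); scan_account() wraps them with boto3, which is assumed to be installed and credentialed, and only runs when the script is executed directly.

```python
"""Audit Lambda execution roles for customer-managed policies (added example)."""
import re
from collections import namedtuple

# Managed-policy ARN: AWS-managed policies carry the literal "aws" where a
# customer-managed policy carries a 12-digit account ID. Both may have a path.
_POLICY_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:iam::(?P<owner>aws|\d{12}):policy/"
    r"(?P<path>(?:[^/]+/)*)(?P<name>[^/]+)$"
)


def classify_policy_arn(arn):
    """Return 'aws' for an AWS-managed policy, 'customer' for a customer-managed one."""
    m = _POLICY_ARN.match(arn)
    if not m:
        raise ValueError(f"not a managed policy ARN: {arn}")
    return "aws" if m.group("owner") == "aws" else "customer"


RoleFinding = namedtuple(
    "RoleFinding",
    "role has_customer_managed customer_managed_only aws_managed customer_managed inline",
)


def audit_role(role_name, attached_policy_arns, inline_policy_names=()):
    """has_customer_managed is the page's audit condition; customer_managed_only
    is the remediation target (no AWS-managed and no inline policies left)."""
    aws_managed = [a for a in attached_policy_arns if classify_policy_arn(a) == "aws"]
    customer = [a for a in attached_policy_arns if classify_policy_arn(a) == "customer"]
    inline = list(inline_policy_names)
    return RoleFinding(
        role=role_name,
        has_customer_managed=bool(customer),
        customer_managed_only=bool(customer) and not aws_managed and not inline,
        aws_managed=aws_managed,
        customer_managed=customer,
        inline=inline,
    )


def role_name_from_arn(role_arn):
    """'arn:aws:iam::123456789012:role/service-role/x' -> 'x'; the path is not part of the name."""
    return role_arn.split(":role/", 1)[1].rsplit("/", 1)[-1]


def scan_account(regions):
    """Enumerate functions per region and audit each distinct execution role."""
    import boto3  # assumed available; imported lazily so the pure checks run offline

    iam = boto3.client("iam")
    findings = {}
    for region in regions:
        lam = boto3.client("lambda", region_name=region)
        for page in lam.get_paginator("list_functions").paginate():
            for fn in page["Functions"]:
                role = role_name_from_arn(fn["Role"])
                if role in findings:  # roles are global; audit each once
                    continue
                attached = [
                    p["PolicyArn"]
                    for p in iam.list_attached_role_policies(RoleName=role)["AttachedPolicies"]
                ]
                inline = iam.list_role_policies(RoleName=role)["PolicyNames"]
                findings[role] = audit_role(role, attached, inline)
    return findings


if __name__ == "__main__":
    for f in scan_account(["us-east-1", "us-west-2"]).values():
        status = "OK  " if f.customer_managed_only else "FAIL"
        print(status, f.role, "aws-managed:", f.aws_managed, "inline:", f.inline)
```

Roles are global IAM resources, so the scanner audits each role once even when several functions in several regions share it; the per-region loop exists only because list-functions is regional.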

Remediation / Resolution

To ensure that the IAM execution role associated with your Amazon Lambda functions is using customer-managed policies only, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab to access the policies attached to the IAM execution role.

08 In the Permissions policies section, first attach the replacement policies, then remove the old ones, so the role never has no permissions at all (a function whose role has nothing attached can no longer write logs or reach its event sources):

  1. To attach customer-managed IAM policies, choose Add permissions, Attach policies, and select one or more customer-managed policies that you want to attach to your IAM execution role. Choose Add permissions to apply the permission changes.
  2. For AWS-managed policies:
    • Select the AWS-managed policy that you want to detach from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, choose Delete to confirm the removal.
  3. For customer-inline policies:
    • Select the inline policy that you want to remove from the associated IAM role and choose Remove.
    • Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.

09 Repeat steps no. 4 – 8 to reconfigure the IAM execution role for other Amazon Lambda functions available within the current AWS region.

10 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Run attach-role-policy command (OSX/Linux/UNIX) to attach the customer-managed policies to the IAM execution role associated with your Amazon Lambda function (the command does not produce an output). Do this before detaching anything, so the role never has no permissions at all while you reconfigure it:

aws iam attach-role-policy \
  --role-name cc-lambda-execution-role \
  --policy-arn arn:aws:iam::123456789012:policy/cc-customer-managed-policy

02 Run detach-role-policy command (OSX/Linux/UNIX) to remove each AWS-managed policy from the IAM execution role (the command does not produce an output):

aws iam detach-role-policy \
  --role-name cc-lambda-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

03 Run delete-role-policy command (OSX/Linux/UNIX) to remove each customer-inline policy from the associated IAM execution role (the command does not return an output):

aws iam delete-role-policy \
  --role-name cc-lambda-execution-role \
  --policy-name cc-lambda-inline-policy

04 Repeat steps no. 1 – 3 to reconfigure the IAM execution role for other Amazon Lambda functions available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other AWS regions.
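The scoped policy the conceptual section argues for, and the CLI remediation above, as one added example (not Conformity's code). build_logs_policy() produces the least-privilege equivalent of AWSLambdaBasicExecutionRole, limited to the function's own log group instead of Resource "*"; plan_swap() orders the IAM calls so the customer-managed policy is attached before the AWS-managed and inline ones are removed; swap_to_customer_managed() executes that plan with a boto3 IAM client (assumed installed and credentialed). The account ID, role, policy and function names are placeholders.

```python
"""Replace an AWS-managed Lambda execution policy with a scoped customer-managed one
(added example)."""
import json


def build_logs_policy(region, account_id, function_name):
    """Same three actions as AWSLambdaBasicExecutionRole, but scoped to the
    function's own CloudWatch log group rather than every log group ("*")."""
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateOwnLogGroup",
                "Effect": "Allow",
                "Action": "logs:CreateLogGroup",
                "Resource": log_group,
            },
            {
                "Sid": "WriteOwnLogStreams",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group}:*",  # the log streams under that group
            },
        ],
    }


def plan_swap(role_name, customer_policy_arn, aws_managed_arns, inline_policy_names=()):
    """Ordered list of (iam_client_method, kwargs). Attach first, remove last, so
    the role is never left without permissions while the function is live."""
    plan = [("attach_role_policy", {"RoleName": role_name, "PolicyArn": customer_policy_arn})]
    for name in inline_policy_names:
        plan.append(("delete_role_policy", {"RoleName": role_name, "PolicyName": name}))
    for arn in aws_managed_arns:
        plan.append(("detach_role_policy", {"RoleName": role_name, "PolicyArn": arn}))
    return plan


def swap_to_customer_managed(iam, account_id, role_name, policy_name, policy_document,
                             aws_managed_arns, inline_policy_names=()):
    """Create the customer-managed policy (reusing it if it already exists) and run the plan."""
    try:
        policy_arn = iam.create_policy(
            PolicyName=policy_name, PolicyDocument=json.dumps(policy_document)
        )["Policy"]["Arn"]
    except iam.exceptions.EntityAlreadyExistsException:
        policy_arn = f"arn:aws:iam::{account_id}:policy/{policy_name}"
    for method, kwargs in plan_swap(role_name, policy_arn, aws_managed_arns, inline_policy_names):
        getattr(iam, method)(**kwargs)
    return policy_arn


if __name__ == "__main__":
    import boto3  # assumed available

    account = "123456789012"  # placeholder
    doc = build_logs_policy("us-east-1", account, "cc-dynamo-exporter-function")
    arn = swap_to_customer_managed(
        boto3.client("iam"), account, "cc-lambda-execution-role",
        "cc-dynamo-exporter-logs", doc,
        aws_managed_arns=["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"],
        inline_policy_names=["cc-lambda-inline-policy"],
    )
    print("attached", arn)
```

If the function needs more than logging (for example reading a Kinesis stream), add a statement for that stream's ARN to the same document rather than attaching a second AWS-managed policy; the point of the customer-managed policy is that every Resource element names the specific resource the function uses.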

Publication date Oct 20, 2023