Using An IAM Role For More Than One Lambda Function

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Lambda-006

Ensure that your Amazon Lambda functions do not share the same execution role, in order to promote the Principle of Least Privilege (POLP) by giving each individual function only the minimal amount of access required to perform its tasks. There should always be a one-to-one relationship between Lambda functions and their execution roles: each Lambda function should have its own IAM execution role, and that role should not be shared with any other function.

This rule can help you with the following compliance standards:

  • PCI
  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

The permissions assumed by an Amazon Lambda function are determined by the execution role associated with the function. Sharing one execution role between several Lambda functions violates the Principle of Least Privilege, because every function then carries the union of the permissions that any of the others needs. With a dedicated IAM role you control exactly which privileges a function has: instead of granting full or generic permissions, grant each execution role only the permissions that its function actually needs.

Audit

To identify Amazon Lambda functions that share the same execution role, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the function that you want to examine.

05 Select the Configuration tab and choose Permissions from the left menu.

06 Note the name of the IAM role listed in the Execution role section, under Role name. This IAM role defines the access permissions for the selected function.

07 Navigate back to the Functions page and repeat steps no. 4 – 6 for all the Lambda functions created within the selected AWS region. If two or more Amazon Lambda functions share the same execution role, their permissions configuration violates the Principle of Least Privilege (POLP) and the current configuration is non-compliant.

08 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions \
  --region us-east-1 \
  --output table \
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------
|   ListFunctions   |
+-------------------+
|   cc-sqs-poller   |
|   cc-s3-logging   |
|   s3-get-object   |
+-------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM role that Amazon Lambda assumes when it executes the selected function (i.e. the function's execution role):

aws lambda get-function \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --query 'Configuration.Role'

04 The command output should return the ARN of the IAM role (execution role) associated with the selected Lambda function:

"arn:aws:iam::123456789012:role/aws-lambda-full-access"

05 Repeat steps no. 3 and 4 for all the Amazon Lambda functions deployed in the selected AWS region and compare the IAM role ARNs. If two or more Amazon Lambda functions share the same execution role, their permissions configuration violates the Principle of Least Privilege (POLP).

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.
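The CLI audit above can be scripted, as in the following added example (it is not part of the Conformity rule page). Because the output of `aws lambda list-functions` already includes each function's Role, a single call with `--query 'Functions[*].[FunctionName,Role]' --output text` yields name/role pairs; the script groups them by role ARN and flags any role used by more than one function. The sample input is constructed from the function names on this page, and the function names `sample_functions`, `shared_roles` and `audit_lambda_roles` are this example's own.

```shell
#!/bin/sh
# Audit helper for Conformity rule Lambda-006 (added example, not Conformity's code).
# Input: one "FunctionName<TAB>RoleArn" line per function, which is exactly what
#   aws lambda list-functions --region us-east-1 --output text \
#       --query 'Functions[*].[FunctionName,Role]'
# prints for the selected region.

# Constructed sample input: two of the three functions share the full-access role.
sample_functions() {
  printf 'cc-sqs-poller\tarn:aws:iam::123456789012:role/aws-lambda-full-access\n'
  printf 'cc-s3-logging\tarn:aws:iam::123456789012:role/aws-lambda-full-access\n'
  printf 's3-get-object\tarn:aws:iam::123456789012:role/s3-get-object-role\n'
}

# shared_roles: read name/role lines on stdin and print, for every role ARN used
# by two or more functions, the ARN followed by the names of those functions.
shared_roles() {
  awk -F'\t' '
    { count[$2]++; names[$2] = (names[$2] == "" ? $1 : names[$2] " " $1) }
    END { for (r in count) if (count[r] > 1) print r, names[r] }
  ' | sort
}

# audit_lambda_roles: report the result and return 1 when any role is shared,
# so the check can gate a deployment pipeline. Live usage:
#   aws lambda list-functions --region "$REGION" --output text \
#       --query 'Functions[*].[FunctionName,Role]' | audit_lambda_roles
audit_lambda_roles() {
  findings=$(shared_roles)
  if [ -n "$findings" ]; then
    printf 'NON-COMPLIANT (Lambda-006): execution role shared by several functions\n%s\n' "$findings"
    return 1
  fi
  echo "COMPLIANT (Lambda-006): every Lambda function has its own execution role"
}

# Run the audit against the constructed sample when executed directly.
sample_functions | audit_lambda_roles || echo "(audit exit status: $?)"
```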

Remediation / Resolution

To implement the Principle of Least Privilege (POLP) and create a separate IAM role (with the right set of permissions) for each individual Amazon Lambda function, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name of the function that you want to reconfigure.

05 Select the Configuration tab and choose Permissions from the left menu.

06 In the Execution role section, choose Edit to change the role that defines the permissions for the selected function (i.e. execution role).

07 On the Edit basic settings configuration page, perform one of the following operations:

  1. To associate the function with an existing IAM role, choose Use an existing role under Execution role, and select the required role from the Existing role dropdown list. The chosen IAM role must not be associated with another Lambda function and must follow the Principle of Least Privilege (POLP). Choose Save to apply the configuration changes.
  2. To apply a new execution role to your Lambda function, choose Create a new role from AWS policy templates. Provide a unique name for the new role in the Role name box and, based on your function's access requirements, select the necessary permission sets from the Policy templates - optional dropdown list. Choose Save to apply the changes.

08 Navigate back to the Functions page and repeat steps no. 4 – 7 for each Amazon Lambda function that shares the execution role with other functions, available within the current AWS region.

09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for the other regions.

Using AWS CLI

01 Create the trust relationship policy required for the execution role. This trust policy allows Amazon Lambda to use the role's permissions by giving the service principal "lambda.amazonaws.com" permission to call the AWS Security Token Service "AssumeRole" action. To create the required trust policy for the new IAM role, save the following policy document to a JSON file named cc-execution-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create a new IAM execution role using the trust relationship policy defined at the previous step:

aws iam create-role \
  --role-name cc-new-lambda-execution-role \
  --assume-role-policy-document file://cc-execution-role-trust-policy.json

03 The command output should return the metadata available for the new IAM role:

{
  "Role": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Principal": {
            "Service": "lambda.amazonaws.com"
          }
        }
      ]
    },
    "RoleId": "AAAABBBBCCCCDDDDEEEEF",
    "CreateDate": "2021-08-29T10:00:00Z",
    "RoleName": "cc-new-lambda-execution-role",
    "Path": "/",
    "Arn": "arn:aws:iam::123456789012:role/cc-new-lambda-execution-role"
  }
}

04 The following AWS-managed policies provide permissions that are required to use Amazon Lambda features (see the official documentation for the updated list of managed policies):

  1. "AWSLambdaBasicExecutionRole" – permission to upload logs to Amazon CloudWatch Logs.
  2. "AWSLambdaDynamoDBExecutionRole" – permission to read records from an Amazon DynamoDB stream.
  3. "AWSLambdaKinesisExecutionRole" – permission to read events from an Amazon Kinesis data stream or consumer.
  4. "AWSLambdaMQExecutionRole" – permission to read records from an Amazon MQ broker.
  5. "AWSLambdaMSKExecutionRole" – permission to read records from an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.
  6. "AWSLambdaSQSQueueExecutionRole" – permission to read a message from an Amazon Simple Queue Service (Amazon SQS) queue.
  7. "AWSLambdaVPCAccessExecutionRole" – permission to manage elastic network interfaces to connect your function to a virtual private cloud (VPC).
  8. "AWSXRayDaemonWriteAccess" – permission to upload trace data to X-Ray.
  9. "CloudWatchLambdaInsightsExecutionRolePolicy" – permission to write runtime metrics to CloudWatch Lambda Insights.

05 Run attach-role-policy command (OSX/Linux/UNIX) to attach an AWS-managed policy to the newly created execution role. Based on your function's access requirements, choose the appropriate policy from the list of managed policies described at the previous step. In the following command request example, the "AWSLambdaSQSQueueExecutionRole" managed policy provides permission to read a message from an Amazon SQS queue (the command does not produce an output):

aws iam attach-role-policy \
  --role-name cc-new-lambda-execution-role \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole

06 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to replace the shared execution role with the new IAM role created and configured at the previous steps:

aws lambda update-function-configuration \
  --region us-east-1 \
  --function-name cc-sqs-poller \
  --role arn:aws:iam::123456789012:role/cc-new-lambda-execution-role

07 The command output should return the metadata available for the reconfigured function:

{
  "LastUpdateStatus": "Successful",
  "FunctionName": "cc-sqs-poller",
  "LastModified": "2021-08-29T11:00:00.000+0000",
  "RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
  "MemorySize": 128,
  "State": "Active",
  "Version": "$LATEST",
  "Role": "arn:aws:iam::123456789012:role/cc-new-lambda-execution-role",
  "Timeout": 45,
  "Runtime": "nodejs12.x",
  "TracingConfig": {
    "Mode": "PassThrough"
  },
  "CodeSha256": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
  "Description": "",
  "CodeSize": 403,
  "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-sqs-poller",
  "Handler": "index.handler"
}

08 Repeat steps no. 1 – 7 for each Amazon Lambda function that shares the execution role with other functions, available in the selected AWS region. Make sure that each Lambda function uses its own IAM execution role with the right set of permissions in order to promote the Principle of Least Privilege.

09 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the Remediation process for other regions.
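The four CLI remediation steps above (trust policy, create-role, attach-role-policy, update-function-configuration) can be combined into one script per function, as in the following added example, which is not Conformity's code. The `<function>-execution-role` naming convention, the `remediate_lambda_role` and `trust_policy` function names, and the retry loop around the final step are this example's own choices; it takes the full managed-policy ARN as an argument because not every policy listed above lives under the `service-role/` path.

```shell
#!/bin/sh
# Remediation helper for Conformity rule Lambda-006 (added example, not
# Conformity's code): gives one Lambda function a dedicated execution role.
# Usage: remediate_lambda_role <region> <function-name> <managed-policy-arn>
#   e.g. remediate_lambda_role us-east-1 cc-sqs-poller \
#          arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole

# Step 1: the trust policy that lets the Lambda service assume the role.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

remediate_lambda_role() {
  region=$1 fn=$2 policy_arn=$3
  role_name="${fn}-execution-role"   # assumed naming convention, one role per function
  tmp=$(mktemp) || return 1
  trust_policy > "$tmp"
  # Step 2: create the role. create-role fails if the name already exists, which
  # is the safe outcome here: an existing role might already be shared.
  role_arn=$(aws iam create-role --role-name "$role_name" \
      --assume-role-policy-document "file://$tmp" \
      --query 'Role.Arn' --output text) || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  # Step 3: attach only the managed policy this function needs.
  aws iam attach-role-policy --role-name "$role_name" \
      --policy-arn "$policy_arn" || return 1
  # Step 4: point the function at its own role. IAM is eventually consistent, so
  # Lambda may reject a just-created role for a few seconds; retry briefly.
  attempt=0
  until aws lambda update-function-configuration --region "$region" \
          --function-name "$fn" --role "$role_arn" --query Role --output text; do
    attempt=$((attempt + 1))
    [ "$attempt" -lt 6 ] || return 1
    sleep 5
  done
}

# Run only when called with the three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then remediate_lambda_role "$@"; fi
```

Run it once per function that the Audit reported as sharing a role; the last line printed is the role ARN now configured on the function, which should differ for every function in the region.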

Publication date Dec 19, 2017