AWS Lambda controls
These controls are related to Lambda resources.
These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region.
[Lambda.1] Lambda function policies should prohibit public access
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, PCI DSS v3.2.1/7.2.1, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Category: Protect > Secure network configuration
Severity: Critical
Resource type:
AWS::Lambda::Function
AWS Config rule:
lambda-function-public-access-prohibited
Schedule type: Change triggered
Parameters: None
This control checks whether the Lambda function resource-based policy prohibits public
access outside of your account. The control fails if public access is permitted. The control also
fails if a Lambda function is invoked from Amazon S3, and the policy doesn't
include a condition to limit public access, such as AWS:SourceAccount
. We recommend using
other S3 conditions along with AWS:SourceAccount
in your bucket policy for more refined access.
The Lambda function should not be publicly accessible, as this may allow unintended access to your function code.
Remediation
To remediate this issue, you must update your function's resource-based policy to remove permissions or to add the
AWS:SourceAccount
condition. You can only update the resource-based policy from
the Lambda API or AWS CLI.
To start,
review the resource-based policy on the Lambda console. Identify the policy statement that has
Principal
field values that make the policy public, such as
"*"
or { "AWS": "*" }
.
You cannot edit the policy from the console. To remove permissions from the function,
run the remove-permission
command from the AWS CLI.
$ aws lambda remove-permission --function-name
<function-name>
--statement-id<statement-id>
Replace
with the name of the
Lambda function, and <function-name>
with the
statement ID (<statement-id>
Sid
) of the statement that you want to remove.
[Lambda.2] Lambda functions should use supported runtimes
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 SI-2, NIST.800-53.r5 SI-2(2), NIST.800-53.r5 SI-2(4), NIST.800-53.r5 SI-2(5)
Category: Protect > Secure development
Severity: Medium
Resource type:
AWS::Lambda::Function
AWS Config rule:
lambda-function-settings-check
Schedule type: Change triggered
Parameters:
-
runtime
:dotnet6, go1.x, java17, java11, java8, java8.al2, nodejs18.x, nodejs16.x, nodejs14.x, python3.10, python3.9, python3.8, python3.7, ruby3.2, ruby2.7
This control checks that the AWS Lambda function settings for runtimes match the expected values set for the supported runtimes for each language. The control checks function settings for the runtimes noted previously under parameters. The control fails if a Lambda function doesn't use a supported runtime.
The AWS Config rule ignores functions that have a package type of Image
.
Lambda runtimes are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When a runtime component is no longer supported for security updates, Lambda deprecates the runtime. Even though you cannot create functions that use the deprecated runtime, the function is still available to process invocation events. Make sure that your Lambda functions are current and do not use out-of-date runtime environments.
To learn more about the supported runtimes that this control checks for the supported languages, see AWS Lambda runtimes in the AWS Lambda Developer Guide.
Remediation
For more information about supported runtimes and deprecation schedules, see Runtime deprecation policy in the AWS Lambda Developer Guide. When you migrate your runtimes to the latest version, follow the syntax and guidance from the publishers of the language.
[Lambda.3] Lambda functions should be in a VPC
Related requirements: PCI DSS v3.2.1/1.2.1, PCI DSS v3.2.1/1.3.1, PCI DSS v3.2.1/1.3.2, PCI DSS v3.2.1/1.3.4, NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9)
Severity: Low
Resource type:
AWS::Lambda::Function
AWS Config rule:
lambda-inside-vpc
Schedule type: Change triggered
Parameters: None
This control checks whether a Lambda function is in a VPC. You might see failed findings for Lambda@Edge resources.
It does not evaluate the VPC subnet routing configuration to determine public reachability.
Remediation
To configure an existing function to connect to private subnets in your VPC, see Configuring VPC access in the AWS Lambda Developer Guide. We recommend choosing at least two private subnets for high availability and at least one security group that meets the connectivity requirements of the function.
[Lambda.5] VPC Lambda functions should operate in more than one Availability Zone
Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5)
Category: Recover > Resilience > High Availability
Severity: Medium
Resource type:
AWS::Lambda::Function
AWS Config rule:
lambda-vpc-multi-az-check
Schedule type: Change triggered
Parameters: None
This control checks if a Lambda function that connects to a virtual private cloud (VPC) is associated with more than one Availability Zone (AZ). The control fails if only one AZ is associated with the function.
Deploying resources across multiple AZs is an AWS best practice to ensure high availability within your architecture. Availability is a core pillar in the confidentiality, integrity, and availability triad security model. All Lambda functions that connect to a VPC should have a multi-AZ deployment to ensure that a single zone of failure does not cause a total disruption of operations.
Remediation
If you configure your function to connect to a VPC in your account, specify subnets in multiple AZs to ensure high availability. For instructions, see Configuring VPC access in the AWS Lambda Developer Guide.
Lambda automatically runs other functions in multiple AZs to ensure that it is available to process events in case of a service interruption in a single zone.