Control: 4.5 Ensure every Lambda function has its own IAM Role
Description
Every Lambda function should have its own IAM execution role (a one-to-one mapping); execution roles should not be shared between functions.
The Principle of Least Privilege means that each Lambda function should have only the minimal access required to perform its task. A shared execution role necessarily carries the union of the permissions every attached function needs, so each function ends up with more access than its own task requires. To keep permissions scoped to the function that actually needs them, Lambda functions should not share IAM execution roles.
Remediation
From the Console:
1. Login to the AWS console using https://console.aws.amazon.com/lambda/.
2. In the left column, under `AWS Lambda`, click `Functions`.
3. Under `Function name`, click on the name of the function that you want to change/update.
4. Click the `Configuration` tab.
5. Under `General configuration` in the left column, click `Permissions`.
6. Under the `Execution role` section, click `Edit`.
7. Scroll down to `Execution role`.
To use an existing IAM role
- Click `Use an existing role`.
- Select the role from the `Existing role` dropdown. The IAM role must not be associated with any other Lambda function and must follow the Principle of Least Privilege.
To use a new IAM role
- Click `Create a new role from AWS policy templates`.
- Provide a unique name based on company policy in `Role name`.
- Select the policy templates from the `Policy templates` dropdown.
8. Click `Save`.
9. Repeat steps 2 – 8 for all the Lambda functions listed within the AWS region that do not have a unique IAM Execution Role.
10. Repeat this remediation process for all the AWS Regions.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_5
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_5 --share
SQL
This control is a manual check: it uses the placeholder named query below, which does not itself evaluate Lambda functions, so the one-role-per-function requirement must be verified by hand (or with a query of your own against the Lambda inventory).
manual_control
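Because the shipped control is manual, the following added example (not a query from the aws_compliance mod) shows how a practitioner could automate the check with Steampipe. It assumes the Steampipe `aws_lambda_function` table with its `role`, `name`, `arn`, `region` and `account_id` columns, and returns one row per function in the `resource`/`status`/`reason` shape Powerpipe controls use, marking a function `alarm` when its execution role ARN is also used by another function.

```sql
-- Added example (not the aws_compliance mod's own query): detect Lambda
-- execution roles shared by more than one function, using Steampipe's
-- aws_lambda_function table (assumed columns: role, name, arn, region,
-- account_id). Role ARNs embed the account ID, so grouping by ARN is safe
-- across a multi-account aggregator connection.
with role_usage as (
  select
    role,
    count(*) as function_count,
    string_agg(name, ', ' order by name) as function_names
  from
    aws_lambda_function
  group by
    role
)
select
  f.arn as resource,
  case
    when r.function_count > 1 then 'alarm'
    else 'ok'
  end as status,
  case
    when r.function_count > 1 then
      f.name || ': execution role ' || f.role || ' is used by '
      || r.function_count || ' functions (' || r.function_names || ').'
    else
      f.name || ' has a dedicated execution role.'
  end as reason,
  f.region,
  f.account_id
from
  aws_lambda_function as f
  join role_usage as r on f.role = r.role
order by
  status, f.role, f.name;
```

The query only compares Lambda functions with each other: a role that is also assumed by a non-Lambda principal (an EC2 instance profile, for example) is not flagged, so the manual review in the remediation section is still worth keeping for roles with unusually broad trust policies.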