Benchmark: 4 Lambda
Lambda
AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers. Serverless addresses some of today's biggest security concerns because it removes infrastructure management tasks such as operating system patching and updating binaries. Although the attack surface is smaller than in non-serverless architectures, Open Web Application Security Project (OWASP) guidance and application security best practices still apply.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 4 Lambda.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.cis_compute_service_v100_4
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.cis_compute_service_v100_4 --share
Controls
- 4.1 Ensure AWS Config is enabled for Lambda and serverless
- 4.2 Ensure Cloudwatch Lambda insights is enabled
- 4.3 Ensure AWS Secrets manager is configured and being used by Lambda for databases
- 4.4 Ensure least privilege is used with Lambda function access
- 4.5 Ensure every Lambda function has its own IAM Role
- 4.6 Ensure Lambda functions are not exposed to everyone
- 4.7 Ensure Lambda functions are referencing active execution
- 4.8 Ensure that Code Signing is enabled for Lambda functions
- 4.9 Ensure there are no Lambda functions with admin privileges within your AWS account
- 4.10 Ensure Lambda functions do not allow unknown cross account access via permission policies
- 4.11 Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates
- 4.12 Ensure encryption in transit is enabled for Lambda environment variables
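Controls 4.6 and 4.10 both inspect a function's resource-based policy (the document returned by `aws lambda get-policy`): 4.6 looks for an Allow statement whose principal is everyone, and 4.10 for Allow statements granting access to an AWS account you do not recognise. The following added example, which is not part of the mod or of the CIS benchmark, shows that evaluation logic offline in Python. The policy document, the function name and the 12-digit account ids in it are constructed for illustration, and the allowlist of trusted accounts is an assumption a practitioner would supply from their own organisation.

```python
import json
import re
from typing import Iterable

# Constructed sample policy (hypothetical account ids and function name,
# not taken from the page) in the shape returned by `aws lambda get-policy`.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Principal "*" with no Condition: "exposed to everyone" (control 4.6)
            "Sid": "PublicInvoke",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:demo",
        },
        {   # Grant to an account outside the allowlist: "unknown cross account access" (control 4.10)
            "Sid": "UnknownAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:demo",
        },
        {   # Service principal scoped to the home account: not flagged by either check
            "Sid": "S3Trigger",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:demo",
            "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}},
        },
    ],
})

# Matches a bare 12-digit account id or an IAM ARN and captures the account id.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::.*)?$")


def _aws_principals(principal) -> list:
    """Flatten the Principal element to a list of AWS principal strings.

    Handles the bare "*" form, {"AWS": "..."} and {"AWS": [...]}.
    Service and Federated principals are ignored: they are not accounts.
    """
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def evaluate_policy(policy_json: str, home_account: str,
                    trusted_accounts: Iterable[str] = ()) -> dict:
    """Return the Sids of statements that would fail control 4.6 ("public")
    and control 4.10 ("unknown_cross_account") for a function owned by
    home_account. trusted_accounts is the caller's allowlist (assumption)."""
    trusted = {home_account, *trusted_accounts}
    findings = {"public": [], "unknown_cross_account": []}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        has_condition = bool(stmt.get("Condition"))
        for principal in _aws_principals(stmt.get("Principal")):
            if principal == "*":
                # An unconditioned wildcard principal is public access.
                if not has_condition:
                    findings["public"].append(sid)
                continue
            match = ACCOUNT_RE.match(principal)
            if match and match.group(1) not in trusted:
                findings["unknown_cross_account"].append(sid)
    return findings


if __name__ == "__main__":
    print(json.dumps(evaluate_policy(SAMPLE_POLICY, "111111111111"), indent=2))
```

A wildcard principal that carries a Condition (for example `AWS:SourceArn` on an S3 trigger) is deliberately not reported as public here, matching the intent of 4.6 rather than its letter; review such statements separately if your policy requires it.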