Control: 4.1 Ensure AWS Config is enabled for Lambda and serverless
Description
With AWS Config, you can track configuration changes to the Lambda functions (including deleted functions), runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations.
This gives you a holistic view of the Lambda function’s lifecycle and enables you to surface that data for potential audit and compliance requirements.
Remediation
From the Console:
- Login to AWS Console using https://console.aws.amazon.com.
- Click
All services, clickConfigunder Management & Governance. - This will open up the Config dashboard.
- Click
Conformance packs. - Click on
Deploy conformance pack. - Click on
Use sample template. - Click the down arrow under Sample template.
- Scroll down and click on Operational Best Practices for Serverless.
- Click Next.
- Give it a Conformance pack name
Serverless. - Click Next.
- Click
Deploy conformance pack. - Click on
Deploy conformance pack. - Click on
Use sample template. - Click the down arrow under Sample template.
- Scroll down and click on Security Best Practices for Lambda.
- Click Next.
- Give it a Conformance pack name
LambaSecurity. - Click Next.
- Click
Deploy conformance pack. - Repeat steps 2-20 for all regions used.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_1Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cis_compute_service_v100_4_1 --shareSQL
This control uses a named query:
select 'arn:' || partition || ':::' || account_id as resource, 'info' as status, 'Manual verification required.' as reason , account_idfrom aws_account;