Control: 6 GuardDuty Lambda Protection should be enabled
Description
This control checks whether GuardDuty Lambda Protection is enabled. For a standalone account, the control fails if GuardDuty Lambda Protection is disabled in the account. In a multi-account environment, the control fails if the delegated GuardDuty administrator account and all member accounts don't have Lambda Protection enabled.
In a multi-account environment, the control generates findings in only the delegated GuardDuty administrator account. Only the delegated administrator can enable or disable the Lambda Protection feature for the member accounts in the organization. GuardDuty member accounts can't modify this configuration from their accounts. This control generates FAILED findings if the delegated GuardDuty administrator has a suspended member account that doesn't have GuardDuty Lambda Protection enabled. To receive a PASSED finding, the delegated administrator must disassociate these suspended accounts in GuardDuty.
GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account. When a Lambda function gets invoked and GuardDuty identifies suspicious network traffic that indicates the presence of a potentially malicious piece of code in your Lambda function, GuardDuty generates a finding.
Remediation
To enable GuardDuty Lambda Protection, see Configuring Lambda Protection in the Amazon GuardDuty User Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_guardduty_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_guardduty_6 --share
SQL
This control uses a named query:
-- detectors whose LAMBDA_NETWORK_LOGS feature is ENABLED
with lambda_protection as (
  select
    arn
  from
    aws_guardduty_detector,
    jsonb_array_elements(features) as f
  where
    f ->> 'Name' = 'LAMBDA_NETWORK_LOGS'
    and f ->> 'Status' = 'ENABLED'
)
-- every detector, with ok/alarm depending on whether it matched above
select
  d.arn as resource,
  case
    when m.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when m.arn is not null then title || ' has Lambda protection enabled.'
    else title || ' has Lambda protection disabled.'
  end as reason,
  region,
  account_id
from
  aws_guardduty_detector as d
  left join lambda_protection as m on m.arn = d.arn;
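As an added example (not code from the aws_compliance mod or from AWS), the same pass/fail logic applied directly to GuardDuty GetDetector and GetMemberDetectors responses in Python. It also makes the multi-account note above concrete: a single member detector without the feature, suspended or not, is enough to fail the delegated administrator. The sample responses are constructed and the function names are this example's own.

```python
LAMBDA_FEATURE = "LAMBDA_NETWORK_LOGS"


def lambda_protection_enabled(features):
    """True when LAMBDA_NETWORK_LOGS is present and ENABLED in a Features
    list (the same shape as the detector's `features` column above)."""
    return any(
        f.get("Name") == LAMBDA_FEATURE and f.get("Status") == "ENABLED"
        for f in features
    )


def evaluate_detector(detector_arn, get_detector_response):
    """Mirror the query: (resource, status, reason) for one detector."""
    enabled = lambda_protection_enabled(get_detector_response.get("Features", []))
    state = "enabled" if enabled else "disabled"
    status = "ok" if enabled else "alarm"
    return detector_arn, status, f"{detector_arn} has Lambda protection {state}."


def failing_members(get_member_detectors_response):
    """Account IDs of members whose detector lacks Lambda Protection. Any one
    of these (a suspended member included) turns the delegated
    administrator's finding to FAILED."""
    members = get_member_detectors_response.get("MemberDataSourceConfigurations", [])
    return sorted(
        m["AccountId"] for m in members
        if not lambda_protection_enabled(m.get("Features", []))
    )


# Constructed sample responses (not real accounts or detectors): the shape of
# guardduty GetDetector and GetMemberDetectors output, trimmed to the fields used.
SAMPLE_DETECTOR_ARN = "arn:aws:guardduty:us-east-1:123456789012:detector/EXAMPLEID"
SAMPLE_GET_DETECTOR = {
    "Features": [
        {"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
        {"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"},
    ],
}
SAMPLE_GET_MEMBER_DETECTORS = {
    "MemberDataSourceConfigurations": [
        {"AccountId": "111111111111",
         "Features": [{"Name": "LAMBDA_NETWORK_LOGS", "Status": "ENABLED"}]},
        {"AccountId": "222222222222",
         "Features": [{"Name": "LAMBDA_NETWORK_LOGS", "Status": "DISABLED"}]},
        {"AccountId": "333333333333", "Features": []},  # feature never configured
    ]
}
```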