AWS Lambda

Lambda Without IAM Roles

This plugin makes sure that no Lambda function in your AWS account is missing an IAM role.

Risk Level: High

Description:

This plugin checks that every Lambda function in your AWS account has an IAM execution role attached. As a Lambda security best practice, each function's execution role should grant only the most restrictive set of IAM permissions the function needs to do its job.

About the Service:

AWS Lambda is a serverless compute service that allows you to run code without having to provision or manage servers, create workload-aware cluster scaling logic, keep event integrations up to date, or manage runtimes. You can use Lambda to run code for almost any form of application or backend service, and you don't have to worry about managing it. Simply upload your code as a ZIP file or container image, and Lambda will automatically and precisely assign compute execution power and run your code in response to incoming requests or events, at any scale.

Impact:

If a Lambda function has no IAM execution role associated with it, the privileges under which it runs are not explicitly defined or controlled, and this can result in the compromise of the service.

Hence, to avoid such a compromise and its impact, the IAM roles associated with Lambda functions should be monitored.

Steps to reproduce:

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/.  
  3. Select the Function you want to examine and visit its configuration page.
  4. Select the “Configuration” tab to view its settings panel.
  5. Click the “Edit” button of the “Execution Role” panel.
  6. Scroll down to the “Existing role” dropdown list and check whether an existing IAM role is selected for the function.

Steps for remediation:

Attach an IAM role to the Lambda function that grants only the minimal access required for it to perform its tasks.

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at: https://console.aws.amazon.com/lambda/.
  3. Select the Function you want to examine and visit its configuration page.
  4. Select the “Configuration” tab to view its settings panel.
  5. Click the “Edit” button of the “Execution Role” panel.
  6. Scroll down to the “Existing role” dropdown list and check whether an existing IAM role is selected for the function.
  7. If not, choose a suitable IAM role for the function from the “Existing role” dropdown list and save the change.
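The same check (steps 1-6 above) and the remediation (step 7) can be done against the Lambda API instead of the console. The following is an added example, not the plugin's own code: it assumes the shape of the ListFunctions response (each entry carries FunctionName and Role), treats the IAM role ARN pattern as a heuristic, and uses boto3 only in the two account-facing helpers, so the constructed sample data below runs offline without credentials.

```python
import re
from typing import Any, Dict, Iterable, List

# IAM role ARN in any AWS partition (heuristic pattern, an assumption).
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")

# Constructed sample shaped like a ListFunctions response; not real data.
SAMPLE_FUNCTIONS: List[Dict[str, Any]] = [
    {"FunctionName": "order-processor",
     "Role": "arn:aws:iam::123456789012:role/order-processor-role"},
    {"FunctionName": "legacy-report", "Role": ""},      # empty Role
    {"FunctionName": "image-resizer"},                  # Role key absent
    {"FunctionName": "odd-one", "Role": "not-an-arn"},  # malformed Role
]


def evaluate(functions: Iterable[Dict[str, Any]]) -> Dict[str, str]:
    """Map each function name to OK or a FAIL reason, as a scanner plugin would."""
    results: Dict[str, str] = {}
    for fn in functions:
        role = fn.get("Role") or ""
        if not role:
            results[fn["FunctionName"]] = "FAIL: no IAM execution role attached"
        elif not ROLE_ARN.match(role):
            results[fn["FunctionName"]] = "FAIL: Role is not an IAM role ARN"
        else:
            results[fn["FunctionName"]] = "OK"
    return results


def functions_without_role(functions: Iterable[Dict[str, Any]]) -> List[str]:
    """Names the plugin would report, i.e. every non-OK function."""
    return [n for n, s in evaluate(functions).items() if s != "OK"]


def scan_account(client=None) -> Dict[str, str]:
    """Steps 1-6 via the API: page through ListFunctions and evaluate each one."""
    import boto3  # lazy import: the offline sample above needs no credentials
    client = client or boto3.client("lambda")
    found: List[Dict[str, Any]] = []
    for page in client.get_paginator("list_functions").paginate():
        found.extend(page["Functions"])
    return evaluate(found)


def attach_role(function_name: str, role_arn: str, client=None) -> None:
    """Remediation step 7 via the API: attach an existing IAM role."""
    import boto3
    client = client or boto3.client("lambda")
    client.update_function_configuration(FunctionName=function_name, Role=role_arn)
```

Running `evaluate(SAMPLE_FUNCTIONS)` flags the three functions whose Role is empty, absent or malformed; `scan_account()` does the same for a real account once AWS credentials are configured.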

References: