
Using An IAM Role For More Than One Lambda Function

Security

Risk level: High (not acceptable risk)

Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role, in order to promote the Principle of Least Privilege (POLP) by giving each individual function only the minimal access required to perform its tasks. There should always be a one-to-one relationship between your AWS Lambda functions and their IAM roles: each Lambda function should have its own IAM execution role, and that role should not be shared between functions.

The permissions assumed by an AWS Lambda function are determined by the IAM execution role associated with the function. Using the same IAM role for more than one Lambda function violates the Principle of Least Privilege, because every function then inherits the union of permissions that all of them need. With the right IAM execution role you control exactly which privileges your Lambda function has, so instead of granting full or generic permissions you should grant each execution role only the permissions that its function really needs.

Audit

To identify any AWS Lambda functions that share the same IAM role, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab then click Execution role to expand the panel with the IAM role that defines the permissions for the selected function.

06 Within the Execution role section, check the name of the IAM role assigned to the selected function, available in the Existing role dropdown list.

07 Go back to the AWS Lambda Functions page and repeat steps no. 4 – 6 for the rest of the functions provisioned within the selected AWS region. If two or more Amazon Lambda functions share the same IAM execution role, the permissions configuration of your AWS Lambda functions available within the selected region violates the Principle of Least Privilege (POLP).

08 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:

aws lambda list-functions \
	--region us-east-1 \
	--query 'Functions[*].FunctionName'

02 The command output should return an array with the requested Lambda function names:

[
    "cc-publish-function",
    "cc-get-s3object-function"
]

03 Run get-function command (OSX/Linux/UNIX) using the name of the function that you want to examine as the identifier to return the Amazon Resource Name (ARN) of the IAM role that Amazon Lambda assumes when it executes the selected function to access any other AWS resources:

aws lambda get-function \
	--region us-east-1 \
	--function-name cc-publish-function \
	--query 'Configuration.Role'

04 The command output should return the Amazon Resource Name (ARN) of the IAM execution role associated with the selected Lambda function:

"arn:aws:iam::123456789012:role/aws-lambda-admin-full-access"

05 Repeat step no. 3 and 4 for the rest of the functions available within the selected AWS region and compare the IAM role ARNs. If two or more Amazon Lambda functions share the same IAM execution role, the permissions configuration of your AWS Lambda functions available within the selected region defies the Principle of Least Privilege (POLP).

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.
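Steps 1 to 5 above compare role ARNs by hand, one function at a time. The following Python script is an added example (not Cloud Conformity's own tooling) that performs the same comparison over the JSON returned by `aws lambda list-functions --output json`, which carries both `FunctionName` and `Role` for every function so the per-function get-function calls are not needed. The sample output embedded in the script is constructed; the function and role names are the ones used on this page.

```python
"""Group Lambda functions by execution role and flag roles shared by more
than one function, reading `aws lambda list-functions` JSON output."""
import json
import sys
from collections import defaultdict

# Constructed sample of the JSON returned by
#   aws lambda list-functions --region us-east-1 --output json
# Only the two fields this audit needs are kept; account ID and ARNs are made up.
SAMPLE_LIST_FUNCTIONS = json.dumps({
    "Functions": [
        {"FunctionName": "cc-publish-function",
         "Role": "arn:aws:iam::123456789012:role/aws-lambda-admin-full-access"},
        {"FunctionName": "cc-get-s3object-function",
         "Role": "arn:aws:iam::123456789012:role/aws-lambda-admin-full-access"},
        {"FunctionName": "cc-resize-image-function",
         "Role": "arn:aws:iam::123456789012:role/cc-resize-image-execution-role"},
    ]
})


def functions_by_role(list_functions_json):
    """Return {role_arn: [function names]} built from list-functions output."""
    data = json.loads(list_functions_json)
    by_role = defaultdict(list)
    for fn in data.get("Functions", []):
        by_role[fn["Role"]].append(fn["FunctionName"])
    return {role: sorted(names) for role, names in by_role.items()}


def shared_roles(list_functions_json):
    """Return only the roles attached to two or more functions (the finding)."""
    return {role: names
            for role, names in functions_by_role(list_functions_json).items()
            if len(names) > 1}


def report(list_functions_json):
    """One line per shared role; an empty list means the region is compliant."""
    return [f"SHARED {role} <- {', '.join(names)}"
            for role, names in sorted(shared_roles(list_functions_json).items())]


if __name__ == "__main__":
    # Real use, per region:
    #   aws lambda list-functions --region us-east-1 --output json | python3 audit_roles.py
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_FUNCTIONS
    findings = report(source)
    print("\n".join(findings) if findings else "OK: every function has its own execution role")
    sys.exit(1 if findings else 0)
```

Run it once per region with the `--region` parameter changed, exactly as step 6 prescribes; the non-zero exit status on a finding makes it easy to wire into a scheduled compliance check.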

Remediation / Resolution

To implement the Principle of Least Privilege and create a separate IAM role (with the right set of permissions) for each individual Lambda function, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to reconfigure then click on the function name to access its configuration page.

05 Select the Configuration tab then click Execution role to expand the panel with the IAM role that defines the permissions for the selected function.

06 Within the Execution role section, perform one of the following actions:

  1. To apply an existing execution role, select Choose an existing role from the first dropdown list, then select the name of the existing IAM role from the second dropdown list. The chosen IAM role must not be associated with another Lambda function and must adhere to the Principle of Least Privilege by providing only the access permissions required by the selected function.
  2. To apply a new execution role built from Lambda policy templates, select Create new role from template(s) from the first dropdown list, enter a unique name for the IAM role in the Role name box and select one or more templates from the Policy templates dropdown list.
  3. To apply a custom execution role, select Create a custom role from the dropdown list; you will be redirected to the AWS Lambda requires access to your resources page, where you can create your own IAM execution role for the selected Lambda function. Once your new custom role is defined, click Allow to add the custom IAM role to the current function configuration.

07 Click the Save button from the dashboard top menu to update the function configuration and apply the individual IAM execution role.

08 Go back to the AWS Lambda Functions page and repeat steps no. 4 – 7 for the rest of the Amazon Lambda functions available in the selected AWS region. Make sure each Lambda function uses its own individual IAM execution role with the right set of permissions.

09 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 First, define the required trust relationship policy for the individual IAM execution role. To create the trust relationship policy for the function execution role, paste the following information into a new policy document named iam-execution-role-trust-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

02 Run create-role command (OSX/Linux/UNIX) to create the required IAM execution role using the trust relationship policy defined at the previous step:

aws iam create-role \
	--role-name cc-publish-execution-role \
	--assume-role-policy-document file://iam-execution-role-trust-policy.json

03 The command output should return the metadata for the new IAM execution role:

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "lambda.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AAAABBBBCCCCDDDDEEEEF",
        "CreateDate": "2017-11-18T18:33:57.544Z",
        "RoleName": "cc-publish-execution-role",
        "Path": "/",
        "Arn": "arn:aws:iam::123456789012:role/cc-publish-execution-role"
    }
}

04 Now define the necessary access policy for the newly created IAM role. The following example represents the required set of permissions that an AWS Lambda function can assume to publish SNS messages. To create the access policy for the IAM execution role, paste the following information into a new policy document named iam-execution-role-access-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:us-east-1:123456789012:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/cc-publish-function:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:*:*"
        }
    ]
}

05 Run put-role-policy command (OSX/Linux/UNIX) using the name of the IAM role created earlier to add the access policy defined at the previous step (the command does not produce an output):

aws iam put-role-policy \
	--role-name cc-publish-execution-role \
	--policy-name cc-publish-policy \
	--policy-document file://iam-execution-role-access-policy.json

06 Run update-function-configuration command (OSX/Linux/UNIX) to replace the existing IAM execution role with the one created at step no. 2 by updating the configuration parameters for the selected Amazon Lambda function (see Audit section part II to identify the right resource). You can provide only the parameters that you want to change, in this case the --role parameter, that must have as value the ARN of the IAM role that Lambda will assume when it executes the function, returned at step no. 3. The following command example applies an execution role identified by the ARN "arn:aws:iam::123456789012:role/cc-publish-execution-role" to an AWS Lambda function named "cc-publish-function":

aws lambda update-function-configuration \
	--region us-east-1 \
	--function-name cc-publish-function \
	--role arn:aws:iam::123456789012:role/cc-publish-execution-role

07 The command output should return the configuration metadata for the selected AWS Lambda function:

{
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "FunctionName": "cc-publish-function",
    "CodeSize": 1870,
    "MemorySize": 128,
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-publish-function",
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/cc-publish-execution-role",
    "Timeout": 5,
    "LastModified": "2017-11-20T18:54:58.651+0000",
    "Handler": "index.handler",
    "Runtime": "nodejs6.10"
}

08 Repeat steps no. 1 – 7 for the rest of the Amazon Lambda functions available within the selected AWS region. Make sure each Lambda function uses its own individual IAM execution role with the right set of permissions to promote the Principle of Least Privilege.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation/resolution process for other regions.
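Steps 1 to 7 have to be repeated for every function that shares a role, and the only parts that change between repetitions are the role name, the function-specific statements and the CloudWatch Logs resource scoped to that function's own log group. The Python below is an added example (not Cloud Conformity's code) that derives those per-function artifacts and the three CLI invocations from steps 02, 05 and 06, so the procedure can be applied to each finding without hand-editing JSON. Assumptions: the role naming convention `<function-name>-execution-role` and the policy file names are the author's choices for this example; the function name, region and account ID are the ones used on this page.

```python
"""Per-function IAM execution role artifacts, following the remediation steps:
trust policy, access policy scoped to the function's log group, CLI commands."""
import json
import shlex

# Trust relationship identical to iam-execution-role-trust-policy.json above:
# only the Lambda service may assume the role.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def role_name_for(function_name):
    """Assumed naming convention: one role per function, named after it."""
    return f"{function_name}-execution-role"


def access_policy_for(function_name, region, account_id, extra_statements):
    """CloudWatch Logs permissions limited to this function's own log group,
    followed by the function-specific statements supplied by the caller."""
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "logs:CreateLogGroup",
             "Resource": f"arn:aws:logs:{region}:{account_id}:*"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [log_group]},
            *extra_statements,
        ],
    }


def remediation_commands(function_name, region, account_id, extra_statements):
    """Return (docs, commands): the policy documents to write to disk, keyed by
    file name, and the create-role / put-role-policy / update-function-configuration
    argument vectors, in the order the steps run them."""
    role = role_name_for(function_name)
    role_arn = f"arn:aws:iam::{account_id}:role/{role}"
    trust_file = f"{role}-trust-policy.json"
    access_file = f"{role}-access-policy.json"
    docs = {
        trust_file: LAMBDA_TRUST_POLICY,
        access_file: access_policy_for(function_name, region, account_id, extra_statements),
    }
    commands = [
        ["aws", "iam", "create-role", "--role-name", role,
         "--assume-role-policy-document", f"file://{trust_file}"],
        ["aws", "iam", "put-role-policy", "--role-name", role,
         "--policy-name", f"{function_name}-policy",
         "--policy-document", f"file://{access_file}"],
        ["aws", "lambda", "update-function-configuration", "--region", region,
         "--function-name", function_name, "--role", role_arn],
    ]
    return docs, commands


if __name__ == "__main__":
    # The SNS publish permission from iam-execution-role-access-policy.json above.
    sns_publish = [{"Effect": "Allow", "Action": ["sns:Publish"], "Resource": "arn:aws:sns:*:*:*"}]
    docs, commands = remediation_commands("cc-publish-function", "us-east-1", "123456789012", sns_publish)
    for file_name, doc in docs.items():
        print(f"# {file_name}\n{json.dumps(doc, indent=2)}\n")
    for cmd in commands:
        print(" ".join(shlex.quote(token) for token in cmd))
```

The script prints the documents and commands rather than executing them so the output can be reviewed before anything changes; write each document to its file name, then run the three commands in order. A freshly created IAM role can take a few seconds to become assumable, so if update-function-configuration is rejected immediately after create-role, retry it after a short wait.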


Publication date Dec 19, 2017