Ensure that your Amazon Lambda functions do not share the same AWS IAM execution role in order to promote the Principle of Least Privilege (POLP) by providing each individual function the minimal amount of access required to perform its tasks. There should be always a one-to-one relationship between your AWS Lambda functions and their IAM roles, meaning that each Lambda function should have its own IAM execution role, therefore this role should not be shared between functions.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The permissions assumed by an AWS Lambda function are determined by the IAM execution role associated with the function. Using this IAM role with more than one Lambda function will violate the Principle of Least Privilege. With the right IAM execution role you can control the privileges that your Lambda function has, thus instead of providing full or generic permissions you should grant each execution the permissions that your function really needs.
To identify any AWS Lambda functions that share the same IAM role, perform the following:
To implement the Principle of Least Privilege and create a separate IAM role (with the right set of permissions) for each individual Lambda function, perform the following: