AWS Lambda

Best practice rules for AWS Lambda

Trend Micro Cloud One™ – Conformity monitors AWS Lambda with the following rules:

• Enable Active Tracing

  Ensure that tracing (i.e. Lambda support for Amazon X-Ray service) is enabled for your Lambda functions.

• Enable Code Signing

  Ensure that Code Signing is enabled for Amazon Lambda functions.

• Enable Dead Letter Queue for Lambda Functions

  Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account.

• Enable Encryption at Rest for Environment Variables using Customer Master Keys

  Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data encryption/decryption.

• Enable Encryption in Transit for Environment Variables

  Ensure that encryption in transit is enabled for the Lambda environment variables that store sensitive information.

• Enable Enhanced Monitoring for Lambda Functions

  Ensure that your Amazon Lambda functions are configured to use enhanced monitoring.

• Function Exposed

  Ensure that your Amazon Lambda functions are not exposed to everyone.

• Lambda Function With Admin Privileges

  Ensure no Lambda function available in your AWS account has admin privileges.

• Lambda Runtime Environment Version

  Ensure that the latest version of the runtime environment is used for your AWS Lambda functions.

• Unknown Cross-Account Access

  Ensure AWS Lambda functions do not allow unknown cross account access via permission policies.

• Using An IAM Role For More Than One Lambda Function

  Ensure that Lambda functions don't share the same IAM execution role.

• VPC Access for AWS Lambda Functions

  Ensure AWS Lambda functions are configured to access resources in a Virtual Private Cloud (VPC).