Best practice rules for AWS Lambda
Trend Micro Cloud One™ – Conformity monitors AWS Lambda with the following rules:
- Enable Code Signing for Lambda Functions
  Ensure that Code Signing is enabled for your Amazon Lambda functions.
- Enable Encryption for Lambda Environment Variables
  Ensure encryption is enabled for the AWS Lambda environment variables that store sensitive information.
- Enable Enhanced Monitoring for Lambda Functions
  Ensure that your Amazon Lambda functions are configured to use enhanced monitoring.
- Function Exposed
  Ensure that your Amazon Lambda functions are not exposed to everyone.
- Lambda Cross-Account Access
  Ensure AWS Lambda functions do not allow unknown cross-account access via permission policies.
- Lambda Function With Admin Privileges
  Ensure no Lambda function available in your AWS account has admin privileges.
- Lambda Runtime Environment Version
  Ensure that the latest version of the runtime environment is used for your AWS Lambda functions.
- Lambda Tracing Enabled
  Ensure that tracing (i.e., Lambda support for the Amazon X-Ray service) is enabled for your AWS Lambda functions.
- Use AWS KMS Customer Master Keys for Lambda Environment Variables Encryption
  Ensure Lambda environment variables are encrypted with KMS Customer Master Keys (CMKs) to gain full control over data encryption and decryption.
- Using an IAM Role for More Than One Lambda Function
  Ensure AWS Lambda functions do not share the same IAM execution role.
- VPC Access for AWS Lambda Functions
  Ensure AWS Lambda functions are configured to access resources in a Virtual Private Cloud (VPC).