Best practice rules for AWS Lambda
Trend Micro Cloud One™ – Conformity monitors AWS Lambda with the following rules:
- Check for Exposed Lambda Functions
Ensure that your Amazon Lambda functions are not exposed to everyone.
- Enable Active Tracing
Ensure that active tracing (i.e., Lambda support for the Amazon X-Ray service) is enabled for your Lambda functions.
- Enable Code Signing
Ensure that Code Signing is enabled for Amazon Lambda functions.
- Enable Dead Letter Queue for Lambda Functions
Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account.
- Enable Encryption at Rest for Environment Variables using Customer Master Keys
Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data encryption/decryption.
- Enable Encryption in Transit for Environment Variables
Ensure that encryption in transit is enabled for the Lambda environment variables that store sensitive information.
- Enable Enhanced Monitoring for Lambda Functions
Ensure that your Amazon Lambda functions are configured to use enhanced monitoring.
- Lambda Function With Admin Privileges
Ensure no Lambda function available in your AWS account has admin privileges.
- Lambda Runtime Environment Version
Ensure that the latest version of the runtime environment is used for your AWS Lambda functions.
- Unknown Cross-Account Access
Ensure AWS Lambda functions do not allow unknown cross-account access via their resource-based permission policies.
- Using An IAM Role For More Than One Lambda Function
Ensure that Lambda functions do not share the same IAM execution role.
- VPC Access for AWS Lambda Functions
Ensure AWS Lambda functions are configured to access resources in a Virtual Private Cloud (VPC).