Best practice rules for AWS Lambda
Trend Micro Cloud One™ – Conformity monitors AWS Lambda with the following rules:
- Check for Exposed Lambda Functions
Ensure that your Amazon Lambda functions are not exposed to everyone.
- Check for Missing Execution Role
Ensure that Amazon Lambda functions are referencing active execution roles.
- Enable Active Tracing
Ensure that active tracing (i.e. Lambda support for the AWS X-Ray service) is enabled for your Lambda functions.
- Enable Code Signing
Ensure that Code Signing is enabled for Amazon Lambda functions.
- Enable Dead Letter Queue for Lambda Functions
Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account.
- Enable Encryption at Rest for Environment Variables using Customer Master Keys
Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data encryption/decryption.
- Enable Encryption in Transit for Environment Variables
Ensure that encryption in transit is enabled for the Lambda environment variables that store sensitive information.
- Enable Enhanced Monitoring for Lambda Functions
Ensure that your Amazon Lambda functions are configured to use enhanced monitoring.
- Enable VPC Access for Lambda Functions
Ensure that Lambda functions are configured to access resources available in a Virtual Private Cloud.
- Enable Provisioned Concurrency
Ensure that your Amazon Lambda functions are configured to use provisioned concurrency.
- Functions with Admin Privileges
Ensure there are no Lambda functions with admin privileges within your AWS account.
- Lambda Runtime Environment Version
Ensure that the runtime environment versions used for your Lambda functions do not have end-of-support dates.
- Unknown Cross-Account Access
Ensure that AWS Lambda functions do not allow unknown cross-account access via their permission policies.
- Using An IAM Role For More Than One Lambda Function
Ensure that Lambda functions don't share the same IAM execution role.