Best practice rules for AWS Lambda
- Check Lambda Function URL Not in Use
Check your Amazon Lambda functions are not using function URLs.
- Check for Missing Execution Role
Ensure that Amazon Lambda functions are referencing active execution roles.
- Enable Code Signing
Ensure that Code Signing is enabled for Amazon Lambda functions.
- Enable Dead Letter Queue for Lambda Functions
Ensure there is a Dead Letter Queue configured for each Lambda function available in your AWS account.
- Enable Encryption at Rest for Environment Variables using Customer Master Keys
Ensure that Lambda environment variables are encrypted at rest with Customer Master Keys (CMKs) to gain full control over data encryption/decryption.
- Enable Encryption in Transit for Environment Variables
Ensure that encryption in transit is enabled for the Lambda environment variables that store sensitive information.
- Enable Enhanced Monitoring for Lambda Functions
Ensure that your Amazon Lambda functions are configured to use enhanced monitoring.
- Enable IAM Authentication for Lambda Function URLs
Ensure that IAM authorization is enabled for your Lambda function URLs.
- Enable and Configure Provisioned Concurrency
Ensure that your Amazon Lambda functions are configured to use provisioned concurrency.
- Enable and Configure Reserved Concurrency
Ensure that your Amazon Lambda functions are configured to use reserved concurrency.
- Function Exposed
Ensure that your Amazon Lambda functions aren't exposed to everyone.
- Function in Private Subnet
Ensure that your Amazon Lambda functions are configured to use private subnets.
- Lambda Cross Account Access
Ensure AWS Lambda functions don't allow unknown cross account access via permission policies.
- Lambda Function Execution Roles with Inline Policies
Ensure that IAM execution roles configured for Lambda functions are not using inline policies.
- Lambda Function With Admin Privileges
Ensure no Lambda function available in your AWS account has admin privileges.
- Lambda Functions Should not Share Roles that Contain Admin Privileges
Ensure that Amazon Lambda functions don't share roles that have admin privileges.
- Lambda Using Latest Runtime Environment
Ensure that the latest version of the runtime environment is used for your AWS Lambda functions.
- Lambda Using Supported Runtime Environment
Ensure the AWS Lambda function runtime version is currently supported.
- Tracing Enabled
Ensure that tracing (Lambda support for Amazon X-Ray service) is enabled for your AWS Lambda functions.
- Use AWS-Managed Policies for Lambda Function Execution Roles
Ensure that IAM execution roles configured for Lambda functions are using AWS-managed policies.
- Use Customer-Managed Policies for Lambda Function Execution Roles
Ensure that IAM execution roles configured for Lambda functions are using customer-managed policies.
- Using An IAM Role For More Than One Lambda Function
Ensure that Lambda functions don't share the same IAM execution role.
- VPC Access for AWS Lambda Functions
Ensure that your Amazon Lambda functions have access to VPC-only resources.