Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Check for Missing Execution Role

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Amazon Lambda functions are associated with active (available) execution roles in order to have permissions to access required AWS services and resources.

This rule can help you work with the AWS Well-Architected Framework.

Operational
excellence

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access specific AWS services and resources. For example, you can attach an execution role for development purposes that has permission to send logs to Amazon CloudWatch Logs, to upload trace data to AWS X-Ray, or to read events from an Amazon Kinesis data stream or consumer. When your Amazon Lambda functions are not referencing active execution roles anymore, the functions are losing the ability to perform important operations.


Audit

To determine if your Amazon Lambda functions are referencing active execution roles, perform the following operations:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Lambda function that you want to examine.

05 Select the Permissions tab to access the permissions defined for the selected Lambda resource.

06 In the Resource summary section, check the access permission granted through the execution role associated with the selected function. If there are no permissions listed in this section, instead the following 404 Not Found error message is displayed: "The role with name <role-name> cannot be found.", the execution role associated with the selected Amazon Lambda function is no longer available, therefore the function's capability to access other AWS services and resources is disabled.

07 Repeat steps no. 4 – 6 for other Lambda functions created within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the audit process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions
  --region us-east-1
  --output table
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-process-stream-function   |
|  cc-dynamo-exporter-function  |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the execution role associated with the selected function:

aws lambda get-function
  --region us-east-1
  --function-name cc-process-stream-function
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-stream-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-stream-execution-role"

05 Run get-role command (OSX/Linux/UNIX) using the name of the associated execution role associated with the selected Lambda function as the identifier parameter, to retrieve information about the specified IAM role:

aws iam get-role
  --role-name cc-lambda-stream-execution-role

06 The command output should return the requested resource configuration information:

An error occurred (NoSuchEntity) when calling the GetRole operation: The role with name cc-lambda-stream-execution-role cannot be found.

If the get-role command output returns a NoSuchEntity error message instead of the role's information, as shown in the output example above, the execution role associated with the selected Amazon Lambda function is no longer available, therefore the function's capability to access other AWS services and resources is disabled.

07 Repeat steps no. 3 – 6 for other Lambda functions available in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 to perform the entire audit process for other regions.

Remediation / Resolution

To reconfigure any Amazon Lambda functions associated with missing AWS IAM roles, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"FunctionExecutionRole": {
			"Type": "AWS::IAM::Role",
			"Properties": {
				"RoleName": "LambdaExecutionRole",
				"AssumeRolePolicyDocument": {
					"Version": "2012-10-17",
					"Statement": [
						{
							"Effect": "Allow",
							"Principal": {
								"Service": [
									"lambda.amazonaws.com"
								]
							},
							"Action": [
								"sts:AssumeRole"
							]
						}
					]
				},
				"Path": "/",
				"Policies": [
					{
						"PolicyName": "AWSLambdaBasicExecutionRole",
						"PolicyDocument": {
							"Version": "2012-10-17",
							"Statement": [
								{
									"Effect": "Allow",
									"Action": [
										"logs:CreateLogGroup",
										"logs:CreateLogStream",
										"logs:PutLogEvents",
										"ec2:DescribeNetworkInterfaces",
										"ec2:CreateNetworkInterface",
										"ec2:DeleteNetworkInterface",
										"ec2:DescribeInstances",
										"ec2:AttachNetworkInterface"
									],
									"Resource": "*"
								}
							]
						}
					}
				]
			}
		},
		"LambdaFunction": {
			"Type": "AWS::Lambda::Function",
			"Properties": {
				"FunctionName": "cc-app-worker-function",
				"Handler": "lambda_function.lambda_handler",
				"Code": {
					"S3Bucket": "cc-lambda-functions",
					"S3Key": "worker.zip"
				},
				"Runtime": "python3.9",
				"MemorySize": 1024,
				"Timeout": 45,
				"VpcConfig": {
					"SecurityGroupIds": [
						"sg-0abcd1234abcd1234"
					],
					"SubnetIds": [
						"subnet-abcd1234",
						"subnet-1234abcd"
					]
				},
				"Role": {
					"Fn::GetAtt": ["FunctionExecutionRole", "Arn"]
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	FunctionExecutionRole:
		Type: AWS::IAM::Role
		Properties:
		RoleName: LambdaExecutionRole
		AssumeRolePolicyDocument:
			Version: '2012-10-17'
			Statement:
			- Effect: Allow
				Principal:
				Service:
					- lambda.amazonaws.com
				Action:
				- sts:AssumeRole
		Path: /
		Policies:
			- PolicyName: AWSLambdaBasicExecutionRole
			PolicyDocument:
				Version: '2012-10-17'
				Statement:
				- Effect: Allow
					Action:
					- logs:CreateLogGroup
					- logs:CreateLogStream
					- logs:PutLogEvents
					- ec2:DescribeNetworkInterfaces
					- ec2:CreateNetworkInterface
					- ec2:DeleteNetworkInterface
					- ec2:DescribeInstances
					- ec2:AttachNetworkInterface
					Resource: '*'
	LambdaFunction:
		Type: AWS::Lambda::Function
		Properties:
		FunctionName: cc-app-worker-function
		Handler: lambda_function.lambda_handler
		Code:
			S3Bucket: cc-lambda-functions
			S3Key: worker.zip
		Runtime: python3.9
		MemorySize: 1024
		Timeout: 45
		VpcConfig:
			SecurityGroupIds:
			- sg-0abcd1234abcd1234
			SubnetIds:
			- subnet-abcd1234
			- subnet-1234abcd
		Role: !GetAtt 'FunctionExecutionRole.Arn'

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_iam_role" "lambda-execution-role" {
	name = "LambdaExecutionRole"
	path = "/"
	managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

	assume_role_policy = <<EOF
	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Action": "sts:AssumeRole",
				"Principal": {
				"Service": "lambda.amazonaws.com"
				},
				"Effect": "Allow"
			}
		]
	}
	EOF
}

resource "aws_lambda_function" "lambda-function" {
	function_name    = "cc-app-worker-function"
	s3_bucket        = "cc-lambda-functions"
	s3_key           = "worker.zip" 
	handler          = "lambda_function.lambda_handler"
	runtime          = "python3.9"
	memory_size      = 1024
	timeout          = 45   
	vpc_config {
		subnet_ids         = [ "subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234" ]
		security_group_ids = [ "sg-0abcd1234abcd1234" ]
	}
	role = aws_iam_role.lambda-execution-role.arn
}

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Lambda function that you want to reconfigure.

05 Select the Permissions tab to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, choose Edit to change the role that defines the permissions for the selected function.

07 On the Edit basic settings configuration**page, perform the following actions:

  1. Choose Use an existing role if you have already an existing execution role created for the selected function. Select the required IAM role from the Existing role dropdown list.
  2. Choose Create a new role from AWS policy templates to create a new execution role for the selected Amazon Lambda function. Provide a unique name for the new role in the Role name box and select one or more policy templates from the Policy templates dropdown list. If you don't choose any policy templates, the execution role that the Amazon Lambda console creates has only permission to store logs in Amazon CloudWatch Logs. Some features such as X-Ray tracing require additional permissions. Based on your function's access requirements, select the necessary permission sets from the Policy templates dropdown list.
  3. Choose Save to apply the changes. The execution role creation might take a few minutes.

08 Repeat steps no. 4 – 7 to change the execution role for other Amazon Lambda functions available within the current AWS region.

09 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

Using AWS CLI

01 Define the trust relationship policy for the execution role. This trust policy allows Amazon Lambda to use the role's permissions by giving the service principal "lambda.amazonaws.com" permission to call the AWS Security Token Service "AssumeRole" action. To create the required trust policy for the new role, save the following policy document to a JSON file named cc-role-trust-policy.json:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"Service": "lambda.amazonaws.com"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

02 Run create-role command (OSX/Linux/UNIX) to create the necessary execution role using the trust relationship policy defined at the previous step:

aws iam create-role
  --role-name cc-lambda-stream-new-execution-role
  --assume-role-policy-document file://cc-role-trust-policy.json

03 The command output should return the metadata available for the new IAM role:

{
	"Role": {
		"AssumeRolePolicyDocument": {
			"Version": "2012-10-17",
			"Statement": [
				{
					"Action": "sts:AssumeRole",
					"Effect": "Allow",
					"Principal": {
						"Service": "lambda.amazonaws.com"
					}
				}
			]
		},
		"RoleId": "AAAABBBBCCCCDDDDEEEE",
		"CreateDate": "2021-01-25T10:00:00Z",
		"RoleName": "cc-lambda-stream-new-execution-role",
		"Path": "/",
		"Arn": "arn:aws:iam::123456789012:role/cc-lambda-stream-new-execution-role"
	}
}

04 The following AWS managed policies provide permissions that are required to use Amazon Lambda features:

  • "AWSLambdaBasicExecutionRole" – permission to upload logs to Amazon CloudWatch Logs.
  • "AWSLambdaDynamoDBExecutionRole" – permission to read records from an Amazon DynamoDB stream.
  • "AWSLambdaKinesisExecutionRole" – permission to read events from an Amazon Kinesis data stream or consumer.
  • "AWSLambdaMQExecutionRole" – permission to read records from an Amazon MQ broker.
  • "AWSLambdaMSKExecutionRole" – permission to read records from an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.
  • "AWSLambdaSQSQueueExecutionRole" – permission to read a message from an Amazon Simple Queue Service (Amazon SQS) queue.
  • "AWSLambdaVPCAccessExecutionRole" – permission to manage elastic network interfaces to connect your function to a virtual private cloud (VPC).
  • "AWSXRayDaemonWriteAccess" – permission to upload trace data to X-Ray.
  • "CloudWatchLambdaInsightsExecutionRolePolicy" – permission to write runtime metrics to CloudWatch Lambda Insights.

05 Run attach-role-policy command (OSX/Linux/UNIX) to attach the required AWS-managed policy to the newly created execution role. Based on your function's access requirements, choose the necessary policy from the list of managed policies presented at the previous step. In the following command request example, the "AWSLambdaBasicExecutionRole" managed policy provides permission to upload Amazon Lambda function logs to Amazon CloudWatch Logs (the command does not produce an output):

aws iam attach-role-policy
  --role-name cc-lambda-stream-new-execution-role
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

06 Run update-function-configuration command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to reconfigure as the identifier parameter, to replace the missing execution role with the new role created and configured at the previous steps:

aws lambda update-function-configuration
  --region us-east-1
  --function-name cc-process-stream-function
  --role arn:aws:iam::123456789012:role/cc-lambda-stream-new-execution-role

07 The command output should return the metadata available for the reconfigured function:

{
	"LastUpdateStatus": "Successful",
	"FunctionName": "cc-process-stream-function",
	"LastModified": "2021-01-25T10:00:00.000+0000",
	"RevisionId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
	"MemorySize": 128,
	"State": "Active",
	"Version": "$LATEST",
	"Role": "arn:aws:iam::123456789012:role/cc-lambda-stream-new-execution-role",
	"Timeout": 5,
	"Runtime": "nodejs12.x",
	"TracingConfig": {
		"Mode": "PassThrough"
	},
	"CodeSha256": "abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd",
	"Description": "Custom Stream Function",
	"CodeSize": 403,
	"FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-process-stream-function",
	"Handler": "index.handler"
}

08 Repeat steps no. 6 and 7 to change the execution role for other Amazon Lambda functions deployed in the selected AWS cloud region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the remediation process for other regions.

References

Publication date Sep 12, 2021

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Check for Missing Execution Role

Risk Level: Medium