Ensure that your Amazon Lambda functions do not share the same execution role, in order to follow the Principle of Least Privilege (POLP): each function should receive only the minimal access required to perform its tasks. There should always be a one-to-one relationship between Lambda functions and their execution roles, meaning that each Lambda function should have its own IAM execution role, and that role should not be shared with any other function.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The permissions available to an Amazon Lambda function are determined by the execution role associated with the function. Using the same IAM role for more than one Lambda function violates the Principle of Least Privilege, because every function then inherits the union of the permissions that all of them need. With a dedicated IAM role you can control exactly which privileges each Lambda function has; instead of granting full or generic permissions, grant each execution role only the permissions its function really needs.
To identify Amazon Lambda functions that share the same execution role, perform the following actions:
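The individual audit steps are not reproduced on this page. As an added example (not Cloud Conformity's own tooling), the following Python check implements the same detection against the output of the Lambda ListFunctions API: it groups functions by the `Role` field and reports every role used by more than one function. The sample response pages, function names, ARNs and account id are constructed; in a real account the pages come from a boto3 paginator, as noted in the `__main__` block.

```python
from collections import defaultdict

# Constructed sample pages shaped like the Lambda ListFunctions API response
# (`aws lambda list-functions` / boto3 list_functions). Only the fields this
# check needs are included; all names, ARNs and the account id are made up.
SAMPLE_PAGES = [
    {
        "Functions": [
            {
                "FunctionName": "orders-api",
                "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
                "Role": "arn:aws:iam::111122223333:role/lambda-shared-role",
            },
            {
                "FunctionName": "image-resize",
                "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:image-resize",
                "Role": "arn:aws:iam::111122223333:role/image-resize-role",
            },
        ],
        "NextMarker": "page-2",
    },
    {
        # Second page: the violation is only visible once every page is scanned.
        "Functions": [
            {
                "FunctionName": "nightly-report",
                "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:nightly-report",
                "Role": "arn:aws:iam::111122223333:role/lambda-shared-role",
            },
        ],
    },
]


def functions_by_role(pages):
    """Map each execution role ARN to the sorted names of the functions using it.

    `pages` is an iterable of ListFunctions response pages. Passing every page
    matters: ListFunctions paginates, and a role may be shared across pages.
    """
    by_role = defaultdict(list)
    for page in pages:
        for fn in page.get("Functions", []):
            by_role[fn["Role"]].append(fn["FunctionName"])
    return {role: sorted(names) for role, names in by_role.items()}


def shared_roles(pages):
    """Return only the roles used by more than one function; each entry is a
    violation of the one-role-per-function rule."""
    return {
        role: names
        for role, names in functions_by_role(pages).items()
        if len(names) > 1
    }


def report(pages):
    """Human-readable findings, one line per shared role."""
    findings = shared_roles(pages)
    if not findings:
        return ["OK: every Lambda function has a dedicated execution role"]
    return [
        f"VIOLATION: {role} is shared by {len(names)} functions: {', '.join(names)}"
        for role, names in sorted(findings.items())
    ]


if __name__ == "__main__":
    # With real credentials, replace SAMPLE_PAGES with a boto3 paginator:
    #   pages = boto3.client("lambda").get_paginator("list_functions").paginate()
    for line in report(SAMPLE_PAGES):
        print(line)
```

Run the check once per region, since Lambda functions are regional while IAM roles are global: a role that looks dedicated in one region may be reused by a function in another.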
Remediation / Resolution
To implement the Principle of Least Privilege (POLP) and create a separate IAM role (with the right set of permissions) for each individual Amazon Lambda function, perform the following actions:
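The remediation steps themselves are not reproduced on this page. As an added example (not Cloud Conformity's or AWS's own code), the following Python script turns a shared-role finding into a per-function remediation: for each function it creates a dedicated role with the standard Lambda trust policy, attaches only the policies that function needs, and points the function at the new role. The `RecordingClient`, the role naming convention, and the sample function and policy names are constructed for this example; the `iam`/`lam` parameters accept real boto3 clients.

```python
import json

# Trust policy every Lambda execution role needs so the Lambda service can assume it.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# AWS managed policy granting only CloudWatch Logs write access, the baseline
# most functions need. Anything beyond it is added per function, never shared.
BASIC_EXECUTION_POLICY = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"


def dedicated_role_name(function_name):
    """Naming convention assumed here (not an AWS requirement); IAM role names
    are limited to 64 characters."""
    return f"{function_name}-execution-role"[:64]


def plan_dedicated_roles(shared, policies_by_function=None):
    """Build one step per function that currently shares a role.

    `shared` is {shared_role_arn: [function names]} (the detection output).
    `policies_by_function` maps a function name to the managed policy ARNs that
    function really needs; by default a role gets only the basic execution policy.
    """
    policies_by_function = policies_by_function or {}
    plan = []
    for shared_role, functions in sorted(shared.items()):
        for fn in functions:
            plan.append({
                "FunctionName": fn,
                "ReplacesRole": shared_role,
                "RoleName": dedicated_role_name(fn),
                "PolicyArns": [BASIC_EXECUTION_POLICY] + list(policies_by_function.get(fn, [])),
            })
    return plan


def apply_plan(plan, iam, lam):
    """Run the plan with boto3-style IAM and Lambda clients; returns {function: new role ARN}.

    The old shared role is deliberately left in place: delete or scope it down
    only after every function has been moved off it.
    """
    result = {}
    for step in plan:
        role = iam.create_role(
            RoleName=step["RoleName"],
            AssumeRolePolicyDocument=json.dumps(LAMBDA_TRUST_POLICY),
            Description=f"Dedicated execution role for Lambda function {step['FunctionName']}",
        )
        role_arn = role["Role"]["Arn"]
        for policy_arn in step["PolicyArns"]:
            iam.attach_role_policy(RoleName=step["RoleName"], PolicyArn=policy_arn)
        lam.update_function_configuration(FunctionName=step["FunctionName"], Role=role_arn)
        result[step["FunctionName"]] = role_arn
    return result


class RecordingClient:
    """Stand-in for a boto3 client: records calls instead of calling AWS, so the
    plan can be dry-run and inspected offline. Constructed for this example."""

    def __init__(self, account_id="111122223333"):  # constructed account id
        self.account_id = account_id
        self.calls = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))
        return {"Role": {"Arn": f"arn:aws:iam::{self.account_id}:role/{kwargs['RoleName']}"}}

    def attach_role_policy(self, **kwargs):
        self.calls.append(("attach_role_policy", kwargs))
        return {}

    def update_function_configuration(self, **kwargs):
        self.calls.append(("update_function_configuration", kwargs))
        return {"FunctionName": kwargs["FunctionName"], "Role": kwargs["Role"]}


# Constructed finding: two functions sharing one role (names and ARNs are made up).
SAMPLE_SHARED = {"arn:aws:iam::111122223333:role/lambda-shared-role": ["nightly-report", "orders-api"]}
# Constructed: only orders-api needs table access, so only its role receives that policy.
SAMPLE_POLICIES = {"orders-api": ["arn:aws:iam::111122223333:policy/orders-table-access"]}

if __name__ == "__main__":
    client = RecordingClient()  # swap in boto3.client("iam") and boto3.client("lambda") to apply for real
    print(json.dumps(apply_plan(plan_dedicated_roles(SAMPLE_SHARED, SAMPLE_POLICIES), client, client), indent=2))
```

Against a real account, expect `update_function_configuration` to be rejected for a few seconds after `create_role` because IAM is eventually consistent and Lambda cannot yet assume the new role; retry with a short backoff rather than treating the first failure as final. Once every function has its own role, the formerly shared role has no remaining users and can be removed.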
Using An IAM Role For More Than One Lambda Function
Risk level: High