AWS Lambda Security Best Practices

0xffccdd edited this page Mar 13, 2022 · 1 revision

Security is one of the most important aspects of using AWS Lambda. When you create a Lambda function, you are responsible for ensuring that the function is secure.

You can get a playbook on how to respond to security incidents in Cloud and Container environments here.

Examples of how to use logging in a Lambda function

AWS Lambda lets you run code without having to manage or provision servers. You simply upload your code, and Lambda takes care of the rest. Lambda executes your code in response to events, such as changes to data in Amazon S3, or in response to HTTP requests.

Lambda logs can be really helpful for debugging purposes. By default, Lambda does not log anything. In this blog post, we will show you how to enable logging for your Lambda functions.

The first step is to create a new Lambda function.

In the function editor, select "Create new function" and then select "Blank Function".

In the "Handler" field, enter "logging.lambda_handler".

In the "Role" field, select "Create a new role from one of your existing AWS roles".

Click "Create function".

The next step is to create a new role for your Lambda function.

In the "Role" field, select "Create a new role from one of your existing AWS roles".

Click "Create role".

Select "AWS Lambda" from the list of services.

Click "Next: Permissions".

Click "Add inline policy".

In the "Policy document" field, enter the following policy document.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:::*"
            }
        ]
    }

Click "Next: Review".

Click "Create role".

The next step is to configure your Lambda function to use the new role.

In the "Role" field, select the role that you just created.

Click "Next: Tags".

Click "Add tag".

In the "Key" field, enter "Logging".

In the "Value" field, enter "Enabled".

Click "Next: Advanced Settings".

In the "Timeout" field, enter "10".

In the "Memory" field, enter "128".

Click "Next: Review".

Click "Create function".

Your Lambda function is now configured to log to Amazon CloudWatch.

In the "Logging" tab, you should see that "Logging is enabled".

To test your Lambda function, you can use the "Test" button.

In the "Input" field, enter the following JSON document.

    { "message": "Hello, world!" }

Click "Execute".

You should see the following log output.

    2016-11-24T23:27:16.898Z INFO Request received for function logging.lambda_handler
    2016-11-24T23:27:16.901Z INFO Enqueuing event: { "message": "Hello, world!" }
    2016-11-24T23:27:16.902Z INFO Lambda function logging.lambda_handler started successfully
    2016-11-24T23:27:17.036Z INFO Successfully completed event: { "message": "Hello, world!" }

As you can see, the log output includes the time, the function that was executed, the event that was executed, and the output of the function.
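A handler that produces log lines like the ones above, added here as an example rather than taken from the wiki page. It assumes the module is saved as app.py and the Handler field reads app.lambda_handler, because a module named logging.py would collide with Python's standard-library logging module; SENSITIVE_KEYS is a constructed list of field names that should never be written to CloudWatch.

```python
import json
import logging

logger = logging.getLogger()
logger.setLevel(logging.INFO)

# Field names whose values must never reach the log group (constructed list).
SENSITIVE_KEYS = {"password", "secret", "token", "authorization", "api_key"}


def redact(value):
    """Return a copy of a JSON-like value with sensitive fields masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def handle_event(event):
    """Business logic for the walkthrough: echo the message field back."""
    return {"statusCode": 200, "body": json.dumps({"echo": event.get("message", "")})}


def lambda_handler(event, context):
    """Entry point named in the Handler field (assumed: app.lambda_handler)."""
    # context is None when the module is run outside Lambda, e.g. in a unit test.
    request_id = getattr(context, "aws_request_id", "local")
    logger.info("Request received for function %s request_id=%s", __name__, request_id)
    # Log the event only after masking secrets: anyone with logs:GetLogEvents
    # on the log group can read whatever is written here.
    logger.info("Enqueuing event: %s", json.dumps(redact(event)))
    try:
        result = handle_event(event)
    except Exception:
        logger.exception("Lambda function failed request_id=%s", request_id)
        raise
    logger.info("Successfully completed event request_id=%s", request_id)
    return result
```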

Example of setting up IAM with AWS Lambda

IAM is a web service that helps you securely manage access to AWS services and resources for your users. You can use IAM to create and manage users and groups, and to control which AWS resources they can access.

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. With Lambda, you can run code for virtually any type of application or backend service. You can also use Lambda to create and manage AWS resources, such as Amazon DynamoDB tables, Amazon S3 buckets, and Amazon Elastic Compute Cloud (Amazon EC2) instances.

In this blog post, we will show you how to set up IAM with AWS Lambda. We will create a user and group, and then we will give the user permission to create and manage DynamoDB tables. We will also give the user permission to run code on Lambda.

To get started, sign in to the AWS Management Console and open the IAM console.

The first thing we need to do is create a user. Click the Users tab, and then click the Create User button.

Enter the following information about the user:

User name: admin

User type: IAM user

Access type: AWS Management Console

Click the Next button.

On the next page, we need to create a group for the user. Click the Add group button, and then enter the following information:

Group name: admin

Group type: IAM group

Click the Next button.

On the next page, we need to add the user to the group. Click the Add users to group button, and then click the check box next to the user name.

Click the Next button.

On the next page, we need to assign permissions to the user. We will give the user permission to create and manage DynamoDB tables, and we will also give the user permission to run code on Lambda.

Click the Permissions tab, and then click the Edit permissions button.

In the Permissions pane, click the check box next to the DynamoDB and Lambda policies.

Click the Save button.

The user is now ready to use IAM with AWS Lambda.
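The walkthrough above attaches the DynamoDB and Lambda policies to a user named admin, and tip 2 below recommends policies that allow only specific access. Before attaching a policy document it is worth checking it for wildcards; the audit below is an added example, not code from the wiki page. LOGGING_POLICY copies the CloudWatch Logs policy from the logging walkthrough, and BROAD_POLICY is a constructed stand-in for a full DynamoDB-plus-Lambda grant.

```python
def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return (statement_index, reason) findings for overly broad Allow statements.

    A policy that passes returns []. Deny statements are skipped: they only narrow access.
    """
    findings = []
    for index, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((index, "NotAction/NotResource allows everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((index, "Action * allows every API call"))
            elif action.endswith(":*"):
                findings.append((index, f"Action {action} allows every call in that service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((index, "Resource * is not scoped to an ARN"))
    return findings


# Copy of the role policy from the logging walkthrough: write-only access to CloudWatch Logs.
LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "arn:aws:logs:::*",
    }],
}

# Constructed stand-in for the admin grant: every DynamoDB and Lambda call on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["dynamodb:*", "lambda:*"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in (("logging", LOGGING_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(policy) or "no findings")
```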

More Security Tips

  1. Use a strong password for your IAM account.

When you create an account in AWS, you are prompted to create a password. This password is used to secure the function's code and environment. Be sure to use a strong password that is difficult to guess.

  2. Restrict access to your Lambda functions.

By default, all AWS users have access to all Lambda functions. However, you can restrict access to specific Lambda functions by assigning IAM roles to them. You can also create a custom IAM policy that allows only specific users to access a Lambda function.

  3. Use security best practices when coding your Lambda functions.

When coding your Lambda functions, be sure to use security best practices. This includes using proper authentication and authorization techniques, encrypting sensitive data, and verifying the integrity of data before processing it.

  4. Use a VPC for your Lambda functions.

If you want to restrict access to your Lambda functions, you can use a VPC. By default, all Lambda functions are created in a default VPC. However, you can create a custom VPC for your Lambda functions. This will allow you to control who has access to the functions and what resources they can access.

  5. Use AWS Shield.

AWS Shield is a service that helps protect your AWS applications from DDoS attacks. Lambda functions can be protected by AWS Shield Standard or AWS Shield Advanced. AWS Shield Standard is included in all AWS accounts and provides protection against most common DDoS attacks. AWS Shield Advanced is a paid service that provides protection against more sophisticated DDoS attacks.

  6. Use AWS WAF.

AWS WAF is a web application firewall that helps protect your web applications from malicious traffic. Lambda functions can be protected by AWS WAF. AWS WAF is a paid service that is included in the AWS WAF Regional add-on.

  7. Use AWS CloudTrail.

AWS CloudTrail is a service that records all API activity in your AWS account. This includes activity by Lambda functions. You can use AWS CloudTrail to track which users are accessing your Lambda functions, what actions they are taking, and what resources they are accessing. AWS CloudTrail is a free service.
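Detection logic for the CloudTrail tip, added here as an example rather than taken from the wiki page: it reads CloudTrail records, groups Lambda API calls by caller and flags the calls that change a function's code, configuration or resource policy. The records are constructed, the account id is the AWS documentation placeholder 123456789012, and the SENSITIVE set is this example's own choice.

```python
import re
from collections import defaultdict

# Lambda calls that change a function's code, configuration or resource policy.
# CloudTrail appends an API version to Lambda event names, e.g. UpdateFunctionCode20150331v2.
SENSITIVE = {"CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration",
             "AddPermission", "DeleteFunction"}
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")


def base_event_name(event_name):
    """Strip the date/version suffix so one action is counted under one name."""
    return _VERSION_SUFFIX.sub("", event_name)


def summarise_lambda_activity(records):
    """Return (summary, alerts): summary maps caller ARN -> action -> set of function
    names; alerts lists (caller, action, function) for sensitive calls that succeeded
    (a record carrying errorCode was refused, typically by IAM)."""
    summary = defaultdict(lambda: defaultdict(set))
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        action = base_event_name(rec.get("eventName", ""))
        function = (rec.get("requestParameters") or {}).get("functionName", "?")
        summary[caller][action].add(function)
        if action in SENSITIVE and "errorCode" not in rec:
            alerts.append((caller, action, function))
    return summary, alerts


def _record(event_name, user, function, error=None):
    """Build a minimal constructed CloudTrail record; real ones carry many more fields."""
    rec = {"eventSource": "lambda.amazonaws.com", "eventName": event_name,
           "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
           "requestParameters": {"functionName": function}}
    if error:
        rec["errorCode"] = error
    return rec


RECORDS = [  # constructed sample trail
    _record("GetFunction20150331v2", "admin", "logging"),
    _record("UpdateFunctionCode20150331v2", "admin", "logging"),
    _record("AddPermission20150331v2", "dev", "logging", error="AccessDenied"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]
```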