
How to set up security and compliance considerations when using AWS Lambda (Part 1)

AWS Lambda is a serverless computing service that enables you to run code without provisioning or managing servers. As with any other service, there are security and compliance considerations that you should take into account when using Lambda.

Some key security and compliance considerations when using Lambda include:

  1. Identity and access management (IAM): Give each function its own execution role that holds only the permissions its code needs, and grant the right to invoke the function through the function’s resource-based policy. The execution role is what your code runs as, so an over-broad role turns any bug in the code into an over-broad attacker.
  2. Encryption: Lambda encrypts environment variables at rest with AWS KMS (an AWS managed key unless you configure a customer managed key), and the SDK calls your code makes travel over TLS. Use customer managed keys where you need control over key policy and rotation, keep secrets out of environment variables, and require TLS and server-side encryption on the buckets and data stores the function uses.
  3. Network security: Attach a function to a VPC when it must reach private resources, and use the VPC’s security groups and network ACLs to control where the function’s outbound traffic may go. Nothing connects inbound to a Lambda function’s network interfaces; who may invoke a function is decided by IAM and the function’s resource-based policy, not by security groups.
  4. Auditing and monitoring: Use CloudTrail for the control plane (who changed code, configuration, roles or permissions; invocations are data events and must be enabled separately) and CloudWatch Logs and metrics for what the function did at runtime, so that you can detect and respond to security incidents and compliance violations.
  5. Compliance: AWS Lambda is in scope for AWS compliance programs such as SOC, PCI DSS and HIPAA. That covers the service itself; under the shared responsibility model your code, its dependencies, its permissions and the data it handles remain yours to keep compliant.

When setting up security and compliance considerations for AWS Lambda, there are several key steps to take:

Use IAM roles for Lambda execution

Create an IAM role for your Lambda function that has the appropriate permissions to access other AWS resources. This will ensure that your Lambda function can only access the resources it needs to, and nothing more.

Using Management Console

Here are the steps to create an IAM role for your Lambda function and attach the appropriate permissions to it:

  1. Go to the IAM console in the AWS Management Console.
  2. Click on the “Roles” menu and then click on the “Create role” button.
  3. Select “AWS service” as the trusted entity type and “Lambda” as the use case. This writes a trust policy that allows only lambda.amazonaws.com to assume the role.
  4. Attach the policies the role needs. Start with the managed policy AWSLambdaBasicExecutionRole (CloudWatch Logs write access) and add a customer managed policy scoped to the specific buckets, tables, queues or keys the function uses. Do not attach “FullAccess” policies to an execution role; the role is what your code runs as.
  5. Review the role, give it a name and description, and click on the “Create role” button.
  6. Open the Lambda function’s configuration page (Configuration, then Permissions) and set the execution role to the role you created. You can also choose the role when creating the function.
  7. To grant more permissions later, update the policies attached to the role or attach new ones; add specific actions and resource ARNs rather than widening existing statements to “*”.
  8. Where the function reads from an S3 bucket or another resource that supports resource-based policies, add a policy on that resource that limits access to the function’s role, so that the restriction holds even if the role’s own policy is later widened.
  9. Regularly review and audit the policies and permissions attached to the role (IAM Access Analyzer’s unused-access findings show which granted actions the role never uses) to ensure that the role has only the required permissions and no more.

Using AWS CLI

Here are the steps to create an IAM role for your Lambda function and attach the appropriate permissions to it using the AWS CLI:

  1. Install and configure the AWS CLI on your local machine.
  2. Write the trust policy (assume_role_policy.json) that allows the Lambda service to assume the role, then create the role:

aws iam create-role --role-name my-lambda-role --assume-role-policy-document file://path/to/assume_role_policy.json

  3. Attach the managed policy that grants CloudWatch Logs access. Use the basic execution policy, not a “FullAccess” policy: the execution role is what your code runs as, so it should hold only the permissions the code needs.

aws iam attach-role-policy --role-name my-lambda-role --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  4. Add the function-specific permissions (for example s3:GetObject on one bucket prefix) as an inline policy, or as a customer managed policy that you attach with attach-role-policy:

aws iam put-role-policy --role-name my-lambda-role --policy-name my-inline-policy --policy-document file://path/to/policy.json

  5. Where the function reads from an S3 bucket or another resource that supports resource-based policies, add a policy on that resource that limits access to the role, so that the restriction holds even if the role’s own policy is later widened.

  6. Attach the role to the function (replace account-id with your 12-digit account ID):

aws lambda update-function-configuration --function-name my-function --role arn:aws:iam::account-id:role/my-lambda-role

  7. Regularly review the managed and inline policies on the role to ensure that it has only the required permissions and no more:

aws iam list-attached-role-policies --role-name my-lambda-role
aws iam list-role-policies --role-name my-lambda-role
aws iam get-role-policy --role-name my-lambda-role --policy-name my-inline-policy

Please note that the above commands are examples; replace the placeholders with the actual values for your specific use case.
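
The two JSON files the commands above reference (assume_role_policy.json and policy.json) are not shown on the page. The following Python script, added here as an example and not part of the original post, generates both for the role and function named above and refuses to write the permission policy if any Allow statement contains a wildcard. The account ID, region and bucket name are assumed sample values.

```python
"""Generate the two policy files the commands above expect and lint them for
over-broad grants before they are attached. Sample values are assumptions."""
import json

ACCOUNT_ID = "123456789012"      # assumed sample account id
REGION = "us-east-1"             # assumed region
FUNCTION_NAME = "my-function"    # function name used in the page's commands
BUCKET = "my-input-bucket"       # assumed bucket the function reads from


def trust_policy(account_id: str) -> dict:
    """assume_role_policy.json: only the Lambda service may assume the role, and
    only for functions in this account (aws:SourceAccount blocks a confused
    deputy in another account)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def execution_policy(region: str, account_id: str, function_name: str,
                     bucket: str, prefix: str = "incoming/") -> dict:
    """policy.json: write only to the function's own log group and read only
    one prefix of one bucket. Every Resource is a concrete ARN."""
    log_group = (f"arn:aws:logs:{region}:{account_id}:"
                 f"log-group:/aws/lambda/{function_name}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "WriteOwnLogs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
            {"Sid": "ReadInputObjects", "Effect": "Allow",
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict) -> list:
    """Return (sid, reason) pairs for Allow statements that grant '*' or
    'service:*' actions, a '*' resource, or use NotAction/NotResource (which
    allow everything not listed). Run this before put-role-policy."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "wildcard resource"))
        if "NotAction" in st or "NotResource" in st:
            findings.append((sid, "NotAction/NotResource in an Allow is an implicit wildcard"))
    return findings


if __name__ == "__main__":
    role_policy = execution_policy(REGION, ACCOUNT_ID, FUNCTION_NAME, BUCKET)
    problems = overbroad_statements(role_policy)
    if problems:
        raise SystemExit(f"refusing to write over-broad policy: {problems}")
    with open("assume_role_policy.json", "w") as f:
        json.dump(trust_policy(ACCOUNT_ID), f, indent=2)
    with open("policy.json", "w") as f:
        json.dump(role_policy, f, indent=2)
    print("wrote assume_role_policy.json and policy.json")
```

Run the script in the directory you pass to the file:// arguments, then run the create-role and put-role-policy commands above. The linter is deliberately strict: a statement such as s3:* on a single bucket is still flagged, because the point of the execution role is to name the handful of actions the code actually calls.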

Use VPCs to isolate Lambda functions

Lambda functions are not reachable from a network: nothing connects inbound to them, and by default they run on the Lambda service network with outbound internet access. Attach a function to a VPC when it must reach private resources, such as a database or cache in a private subnet. Once attached, the function’s elastic network interfaces sit in the subnets you choose and the security group you assign controls where its outbound traffic may go; a function in a VPC has no internet path unless its subnet routes 0.0.0.0/0 through a NAT gateway. Attaching a function to a VPC therefore limits what it can talk to, not who can call it; who can invoke the function is still governed by IAM and the function’s resource-based policy.

Using Management Console

You can use the following steps to create a VPC, private subnets and a security group for your Lambda function and attach the function to them using the AWS Management Console:

  1. Open the AWS Management Console and navigate to the Amazon VPC dashboard.
  2. Click on the “Create VPC” button to create a new VPC.
  3. Give the VPC a name and choose an IPv4 CIDR block (for example 10.0.0.0/16). Leave the tenancy at “Default” unless you have a licensing reason for dedicated hardware.
  4. Create the VPC by clicking on the “Create” button.
  5. Once the VPC is created, navigate to the “Subnets” section of the VPC dashboard and create a new subnet in the VPC.
  6. Give the subnet a name, select the VPC it belongs to, and choose an IPv4 CIDR block inside the VPC’s block. Create at least two subnets in different Availability Zones so that the function is not tied to one zone. Keep these subnets private: do not add a route to an internet gateway. If the function needs internet access, route 0.0.0.0/0 through a NAT gateway instead; Lambda network interfaces have no public IP, so a public subnet gives the function no internet path at all.
  7. Create the subnet by clicking on the “Create” button.
  8. Navigate to the “Security Groups” section of the VPC dashboard and create a new security group.
  9. Give the security group a name and select the VPC that the security group should be associated with.
  10. In the “Outbound rules” tab, remove the default allow-all rule and add only the destinations the function needs (for example TCP 5432 to the database’s security group). Inbound rules have no effect for a Lambda function, since nothing initiates connections to its network interfaces. On the database’s security group, add an inbound rule that allows the port from the function’s security group.
  11. Create the security group by clicking on the “Create” button.
  12. Make sure the function’s execution role has the AWSLambdaVPCAccessExecutionRole managed policy (or equivalent permissions to create, describe and delete network interfaces); without it the function cannot be attached to the VPC.
  13. Navigate to the Lambda dashboard and open the function.
  14. Under “Configuration”, choose “VPC”, click “Edit”, and select the VPC, the private subnets and the security group that you created earlier.
  15. Save the function configuration by clicking on the “Save” button.

By following these steps the function runs inside your VPC, can reach only the destinations its security group allows, and has no internet exposure beyond what the subnet’s route table provides.

Using Aws CLI

Here are the steps to create a VPC, private subnets and a security group for your Lambda function and attach the function to them using the AWS CLI:

  1. Open a terminal or command prompt and make sure that you have the AWS CLI installed and configured.
  2. Create a new VPC by running the following AWS CLI command:

aws ec2 create-vpc --cidr-block <your-vpc-cidr-block> --instance-tenancy <tenancy-type>

Replace <your-vpc-cidr-block> with the IPv4 CIDR block for your VPC (for example 10.0.0.0/16), and <tenancy-type> with the tenancy of the VPC (default or dedicated). Record the VpcId returned by the command.

  3. Create a subnet in the VPC (repeat in a second Availability Zone so the function is not tied to one zone):

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block <your-subnet-cidr-block>

Replace <vpc-id> with the VPC ID from step 2, and <your-subnet-cidr-block> with a block inside the VPC’s range. Record the SubnetId. Keep the subnet private: do not associate it with a route table that sends 0.0.0.0/0 to an internet gateway. Lambda network interfaces have no public IP, so a public subnet gives the function no internet path; if it needs one, route 0.0.0.0/0 to a NAT gateway.

  4. Create a security group in the VPC:

aws ec2 create-security-group --group-name <your-security-group-name> --description <your-security-group-description> --vpc-id <vpc-id>

Replace <your-security-group-name> and <your-security-group-description> with the appropriate values, and <vpc-id> with the VPC ID from step 2. Record the GroupId returned by the command.

  5. Restrict outbound traffic. A new security group allows all outbound traffic; remove that rule and allow only what the function needs. Inbound rules are irrelevant for a Lambda function, since nothing initiates connections to its network interfaces.

aws ec2 revoke-security-group-egress --group-id <security-group-id> --ip-permissions IpProtocol=-1,IpRanges='[{CidrIp=0.0.0.0/0}]'
aws ec2 authorize-security-group-egress --group-id <security-group-id> --ip-permissions IpProtocol=tcp,FromPort=<port>,ToPort=<port>,UserIdGroupPairs='[{GroupId=<target-security-group-id>}]'

Replace <security-group-id> with the group ID from step 4, <port> with the port the function connects to (for example 5432), and <target-security-group-id> with the security group of the database or other resource. Use IpRanges='[{CidrIp=<destination-cidr>}]' instead of UserIdGroupPairs when the destination is an IP range. Add the matching inbound rule on the target’s security group with authorize-security-group-ingress, naming the function’s security group as the source.

  6. Give the execution role permission to manage the function’s network interfaces; without it the next step fails:

aws iam attach-role-policy --role-name my-lambda-role --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  7. Attach your Lambda function to the subnets and security group by running the following AWS CLI command:

aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-id-1>,<subnet-id-2>,SecurityGroupIds=<security-group-id>

Replace <function-name> with the name of your Lambda function, the subnet IDs with the private subnets from step 3, and <security-group-id> with the group ID from step 4. The function now runs with its network interfaces in those subnets and can reach only what the security group allows; it is still invoked exactly as before, through the Lambda API.

Note that this is just an example of how you can use the AWS CLI to update the configuration of your Lambda function. The exact steps and commands may vary based on your specific use case and environment.
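
The steps above depend on a fact that is easy to get wrong: the subnets you pass to --vpc-config must be private, and the function only has internet access if their route table points 0.0.0.0/0 at a NAT gateway. The following Python script, added here as an example and not code from the original post, classifies subnets from the output of aws ec2 describe-route-tables (saved to a file, so it runs without credentials) and builds the --vpc-config value from the subnets that qualify. The VPC, subnet, gateway and security group IDs are constructed sample values.

```python
"""Classify subnets from `aws ec2 describe-route-tables` output and build the
--vpc-config argument from the subnets that are safe for a Lambda function."""
import json

# Constructed sample in the shape of:
#   aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-0abc
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {   # main table: default route to an internet gateway, so any subnet with no
        # explicit association (subnet-pub-a below) is public
        "RouteTableId": "rtb-main", "VpcId": "vpc-0abc",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {   # private table: default route through a NAT gateway
        "RouteTableId": "rtb-private", "VpcId": "vpc-0abc",
        "Associations": [{"Main": False, "SubnetId": "subnet-priv-a", "RouteTableId": "rtb-private"},
                         {"Main": False, "SubnetId": "subnet-priv-b", "RouteTableId": "rtb-private"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}]},
    {   # isolated table: no default route at all (VPC-only traffic)
        "RouteTableId": "rtb-isolated", "VpcId": "vpc-0abc",
        "Associations": [{"Main": False, "SubnetId": "subnet-db", "RouteTableId": "rtb-isolated"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]}
SAMPLE_SUBNETS = ["subnet-pub-a", "subnet-priv-a", "subnet-priv-b", "subnet-db"]


def _default_route_kind(table: dict) -> str:
    """What the table's 0.0.0.0/0 route points at."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private-nat"   # NAT gateway or NAT instance
    return "isolated"


def classify_subnets(route_tables: dict, subnet_ids: list) -> dict:
    """Map subnet id -> 'public' | 'private-nat' | 'isolated'. A subnet with no
    explicit association falls back to the VPC's main route table."""
    explicit, main_kind = {}, "isolated"
    for table in route_tables["RouteTables"]:
        kind = _default_route_kind(table)
        for assoc in table.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = kind
    return {s: explicit.get(s, main_kind) for s in subnet_ids}


def lambda_vpc_config(route_tables: dict, subnet_ids: list,
                      security_group_id: str, needs_internet: bool = True) -> str:
    """Return the --vpc-config value for update-function-configuration using only
    suitable subnets. Public subnets are never used: Lambda ENIs get no public IP,
    so an igw route gives the function nothing. Raise if no subnet qualifies."""
    kinds = classify_subnets(route_tables, subnet_ids)
    allowed = {"private-nat"} if needs_internet else {"private-nat", "isolated"}
    chosen = [s for s, k in kinds.items() if k in allowed]
    if not chosen:
        raise ValueError(f"no usable subnets for Lambda: {kinds}")
    return f"SubnetIds={','.join(chosen)},SecurityGroupIds={security_group_id}"


if __name__ == "__main__":
    print(json.dumps(classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS), indent=2))
    print(lambda_vpc_config(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS, "sg-0789"))
```

To run it against a real VPC, replace SAMPLE_ROUTE_TABLES with json.load() of the describe-route-tables output and SAMPLE_SUBNETS with the subnet IDs you are considering; pass needs_internet=False for a function that only talks to resources inside the VPC, in which case an isolated subnet is the safest choice.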

Encrypt data at rest and in transit

Use AWS KMS (with AWS CloudHSM behind it where a dedicated HSM is required) to control the keys that protect data at rest, and TLS to protect data in transit. Three points are specific to Lambda: environment variables are always encrypted at rest with KMS, using an AWS managed key unless you configure a customer managed key; the deployment package and layers are encrypted at rest by the service; and the calls your code makes to AWS services through the SDK go over TLS. What remains is your responsibility: the keys you choose, the secrets you keep out of environment variables, and the transport and encryption settings of the data stores the function reads and writes.

You can follow this step-by-step guide to encrypt data at rest and in transit for a Lambda function:

  1. Encrypting data at rest: a. Create a customer managed key in AWS KMS (aws kms create-key) and grant the function’s execution role kms:Decrypt, and kms:GenerateDataKey where it writes, on that key only. b. Configure the function to use the key for its environment variables: aws lambda update-function-configuration --function-name <function-name> --kms-key-arn <key-arn>. c. Prefer not to put secrets in environment variables at all; store them in AWS Secrets Manager or SSM Parameter Store (SecureString) and read them at runtime with the execution role, so that lambda:GetFunctionConfiguration does not reveal them. d. For data the function stores in S3, enable default bucket encryption with SSE-KMS and the same key, and add a bucket policy that denies uploads that do not request that key. For DynamoDB, RDS and other stores, turn on encryption with a customer managed key. e. For payloads your code encrypts itself, use envelope encryption: call GenerateDataKey, encrypt locally with the plaintext data key, and store the encrypted data key alongside the ciphertext. The KMS Encrypt API is limited to 4 KB of plaintext and is meant for small values such as keys, not for data.
  2. Encrypting data in transit: a. Keep AWS API calls on TLS (the SDKs do this by default) and add a bucket policy statement that denies S3 requests where aws:SecureTransport is false, so that an unencrypted request fails rather than succeeds. b. For a function attached to a VPC, create VPC endpoints for S3, KMS, Secrets Manager and the other services it calls, so that the TLS traffic stays on the AWS network instead of leaving through a NAT gateway; an endpoint changes the path, not the encryption. c. Require TLS on your own downstream connections, for example the rds.force_ssl parameter for PostgreSQL on RDS, and verify the server certificate in your client code. d. Where the function is fronted by API Gateway or a function URL, clients reach it over HTTPS only; serve a custom domain with an ACM certificate.

Note: These are high-level steps and the actual steps might differ based on the encryption service chosen and the complexity of your infrastructure. Additionally, Lambda does not use AWS CloudHSM directly; when a compliance program requires keys in a dedicated, single-tenant HSM (for example for PCI DSS), create a KMS custom key store backed by a CloudHSM cluster and use a KMS key from that store in the steps above.
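
Two of the steps above are worth seeing as concrete artifacts: the bucket policy that makes an unencrypted upload or a plaintext HTTP request fail, and a check of function configurations for the environment-variable key and for secrets that should not be there. The following Python, added here as an example and not code from the original post, does both; the KMS key ARN, bucket name and function configurations are constructed samples.

```python
"""Bucket policy that makes unencrypted storage or transport fail closed, and an
audit of Lambda configurations for environment-variable encryption. The key ARN,
bucket name and function configurations are constructed samples."""
import re

KEY_ARN = ("arn:aws:kms:us-east-1:123456789012:key/"
           "11111111-2222-3333-4444-555555555555")   # assumed customer managed key


def bucket_encryption_policy(bucket: str, key_arn: str) -> dict:
    """Statements for `aws s3api put-bucket-policy`. Each Deny stands alone:
    a request must be over TLS, a PutObject must ask for SSE-KMS, and it must
    name our key. A missing header satisfies StringNotEquals, so a plain
    PutObject is denied too; clients must send ServerSideEncryption=aws:kms
    and SSEKMSKeyId=<key arn>."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {
             "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
    ]}


SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)


def audit_function_config(cfg: dict) -> list:
    """Findings for one `aws lambda get-function-configuration` result.
    KMSKeyArn is absent when Lambda encrypts the variables with the AWS managed
    key; a secret-looking variable name means the value is readable by anyone
    holding lambda:GetFunctionConfiguration."""
    findings = []
    variables = cfg.get("Environment", {}).get("Variables", {})
    if variables and not cfg.get("KMSKeyArn"):
        findings.append("environment variables are encrypted with the AWS managed key, "
                        "not a customer managed KMS key")
    for name in variables:
        if SECRET_NAME.search(name):
            findings.append(f"{name}: secret in an environment variable; move it to "
                            "Secrets Manager or SSM Parameter Store and read it at runtime")
    return findings


# Constructed samples in the shape of get-function-configuration output.
SAMPLE_CONFIGS = [
    {"FunctionName": "order-processor", "KMSKeyArn": KEY_ARN,
     "Environment": {"Variables": {"TABLE_NAME": "orders", "LOG_LEVEL": "INFO"}}},
    {"FunctionName": "legacy-importer",
     "Environment": {"Variables": {"DB_PASSWORD": "hunter2", "DB_HOST": "db.internal"}}},
]

if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        print(cfg["FunctionName"], audit_function_config(cfg) or ["ok"])
```

The policy is split into three Deny statements on purpose: putting both encryption keys into one StringNotEquals block would require both to mismatch before the Deny applied, so a request naming the right algorithm but the wrong key would slip through. Pair the policy with default bucket encryption (aws s3api put-bucket-encryption) so that objects are encrypted even when a legitimate client forgets the headers, and then decide whether to keep DenyNonKmsPut, which rejects such header-less requests.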

Monitor and log Lambda function activity

Use services such as AWS CloudTrail and AWS CloudWatch to monitor and log activity on your Lambda function. This will help you to detect and respond to security incidents quickly.

Here is a step-by-step guide to monitor and log Lambda function activity using AWS CloudTrail and AWS CloudWatch:

  1. Enable AWS CloudTrail: a. Login to the AWS Management Console. b. Go to the CloudTrail service. c. Create a new trail (multi-region, with log file validation enabled, writing to a bucket that your function roles cannot write to) or use an existing one. d. Management events such as CreateFunction, UpdateFunctionCode, UpdateFunctionConfiguration and AddPermission are logged by default; invocations are data events, so if you need a record of who invoked which function, add a data event selector for AWS Lambda to the trail. e. Deliver the trail to a CloudWatch Logs log group as well, so that you can alarm on it.
  2. Set up AWS CloudWatch Logs: a. Lambda writes each function’s output to the log group /aws/lambda/<function-name> and creates it on first invocation, provided the execution role has logs:CreateLogGroup, logs:CreateLogStream and logs:PutLogEvents (the AWSLambdaBasicExecutionRole managed policy grants these). b. In the CloudWatch console, open that log group and set a retention period; the default is never expire, which is both a cost and a data-retention liability. c. Avoid logging request payloads that contain personal data or secrets; whatever the function prints is what anyone with logs:GetLogEvents can read. d. The Monitoring tab of the function in the Lambda console shows the Invocations, Errors, Throttles and Duration metrics and links to the function’s log group.
  3. Monitor and respond to security incidents: a. View logs in CloudWatch Logs, or query them with Logs Insights (for example, filter @message like /AccessDenied/). b. Create metric filters and alarms on the function’s log group and on the CloudTrail log group for events such as a function’s execution role being changed or its resource policy being opened to any principal, and route the alarms to an SNS topic your on-call team reads. c. Alarm on the Errors and Throttles metrics, and on Invocations far above the baseline, which can indicate abuse of a publicly invocable function. d. When an incident is detected, contain it first (set the function’s reserved concurrency to zero to stop it running, revoke the execution role’s active sessions, rotate any secrets the role could read), then investigate from CloudTrail and the logs and fix the cause.

Note: These are high-level steps and the actual steps might differ based on the complexity of your infrastructure and the specific use case. Additionally, you can integrate other services such as Amazon GuardDuty (Lambda Protection) and AWS Security Hub with CloudTrail and CloudWatch to further enhance your detection and incident response capabilities.
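
Step 3b above asks for alarms on specific CloudTrail events. The following Python, added here as an example and not code from the original post, is the detection logic behind three such alarms, run over CloudTrail records: a code change by an identity other than the deployment pipeline, a resource policy statement that lets any principal invoke the function, and a change of the execution role. The records are constructed samples with only the fields the rules read, and the CI role ARN is an assumption.

```python
"""Detection rules over CloudTrail records for risky Lambda control-plane changes.
The records are constructed samples with only the fields the rules read; the CI
role ARN is an assumption."""
import re

TRUSTED_DEPLOYERS = {"arn:aws:sts::123456789012:assumed-role/ci-deploy/github"}  # assumed CI identity

# Constructed sample records. CloudTrail appends an API version to Lambda event names.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-10T09:01:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/github"},
     "requestParameters": {"functionName": "order-processor"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "order-processor"}},
    {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddPermission20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "order-processor", "principal": "*",
                           "action": "lambda:InvokeFunction", "statementId": "public"}},
    {"eventTime": "2024-01-10T09:09:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "order-processor",
                           "role": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventTime": "2024-01-10T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/my-lambda-role/order-processor"},
     "requestParameters": {"bucketName": "my-input-bucket", "key": "incoming/a.csv"}},
]


def api_name(event_name: str) -> str:
    """Strip the version suffix: AddPermission20150331v2 -> AddPermission."""
    return re.sub(r"\d{8}(v\d+)?$", "", event_name)


def detect(records, trusted_deployers=TRUSTED_DEPLOYERS) -> list:
    """Return (eventTime, rule, actor, detail) tuples for:
    - function code created or replaced by an identity other than the CI role
    - a resource policy statement that lets any principal invoke, with no source condition
    - a change of the execution role (the privilege of the code changes with it)"""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        api = api_name(rec.get("eventName", ""))
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        function = params.get("functionName", "unknown")
        if api in ("CreateFunction", "UpdateFunctionCode") and actor not in trusted_deployers:
            alerts.append((rec["eventTime"], "code-change-outside-ci", actor, function))
        if (api == "AddPermission" and params.get("principal") == "*"
                and not params.get("sourceArn") and not params.get("sourceAccount")):
            alerts.append((rec["eventTime"], "function-made-public", actor, function))
        if api == "UpdateFunctionConfiguration" and "role" in params:
            alerts.append((rec["eventTime"], "execution-role-changed", actor,
                           f"{function} -> {params['role']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(*alert)
```

The same three conditions translate directly into CloudWatch Logs metric filters on the trail’s log group, for example { $.eventSource = "lambda.amazonaws.com" && $.eventName = "AddPermission*" && $.requestParameters.principal = "*" }, or into an EventBridge rule on AWS API Call via CloudTrail events that invokes a function running this logic. The trusted-deployer allow list is the part that needs maintenance: it should name the pipeline role, not a person.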

Use AWS Lambda security best practice

Follow the security best practices provided by AWS for Lambda, such as scoping the function’s resource-based policy to the specific services and resources that may invoke it, restricting the S3 bucket it reads to the function’s role, and applying the least privilege principle when defining IAM policies for Lambda.

Here are the steps to apply these AWS Lambda security best practices using the AWS CLI:

  1. Resource-based policies for the Lambda function:

a. A function’s resource-based policy is edited with add-permission (there is no create-policy command for Lambda); each call adds one statement. Grant invoke rights to a specific service principal and scope the statement to the specific source resource and account:

aws lambda add-permission --function-name <function_name> --statement-id <statement_id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-arn arn:aws:s3:::<bucket_name> --source-account <account_id>

b. Replace <function_name> with the name of your Lambda function, <statement_id> with a name of your choosing that is unique within the policy, <bucket_name> with the bucket that sends event notifications, and <account_id> with the account that owns it. Never use --principal "*" without a source condition; that makes the function invocable by anyone.

c. Review the resulting policy with aws lambda get-policy --function-name <function_name>, and remove stale statements with aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>.

  2. Resource-based policies for the S3 bucket:

a. Put a bucket policy that grants the function’s execution role access to the objects it needs and nothing else:

aws s3api put-bucket-policy --bucket <bucket_name> --policy file://<policy_document>

b. Replace <bucket_name> with the name of your S3 bucket and <policy_document> with the path to the JSON file that defines the policy. Name the role ARN as the principal rather than the account root, so that the policy grants access to that role only and not to every identity in the account.

  3. IAM policies for Lambda:

a. Create a customer managed IAM policy using the AWS CLI by running the following command:

aws iam create-policy --policy-name <policy_name> --policy-document file://<policy_document>

b. Replace <policy_name> with the name of your IAM policy and <policy_document> with the path to the JSON file that defines the policy. List the specific actions and resource ARNs the function uses; do not use "*" for either. The command returns the policy ARN (arn:aws:iam::<account_id>:policy/<policy_name>).

c. Attach the IAM policy to the function’s execution role by running the following command:

aws iam attach-role-policy --role-name <role_name> --policy-arn <policy_arn>

d. Replace <role_name> with the name of the IAM role and <policy_arn> with the ARN returned in step b.

e. Validate a policy before attaching it; IAM Access Analyzer reports syntax errors and overly permissive statements:

aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://<policy_document>

Note: These are high-level steps and the actual steps might differ based on the complexity of your infrastructure and the specific use case. Additionally, you can also use AWS CloudFormation or AWS CDK to automate the creation and deployment of policies.
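
The following Python, added here as an example and not code from the original post, covers steps 1 and 2 above: it audits a function’s resource-based policy as returned by aws lambda get-policy (which returns the policy as a JSON string) for statements that let anyone, or a service from any account, invoke the function, builds the scoped statement that the add-permission command above produces, and writes the S3 bucket policy for step 2, which restricts object access to the execution role plus a break-glass role. The function ARN, role ARNs and bucket name are constructed sample values.

```python
"""Audit a function's resource-based policy, build a scoped invoke statement, and
write a bucket policy limited to the execution role. All ARNs are sample values."""
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:order-processor"   # assumed
ROLE_ARN = "arn:aws:iam::123456789012:role/my-lambda-role"                         # assumed
BREAK_GLASS = ["arn:aws:iam::123456789012:role/BreakGlassAdmin"]                   # assumed


def scoped_invoke_statement(function_arn, service_principal, source_arn, source_account, sid):
    """The statement add-permission writes when --source-arn and --source-account are
    given: only the named resource in the named account may invoke the function."""
    return {"Sid": sid, "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "lambda:InvokeFunction", "Resource": function_arn,
            "Condition": {"StringEquals": {"AWS:SourceAccount": source_account},
                          "ArnLike": {"AWS:SourceArn": source_arn}}}


def audit_function_policy(get_policy_output: dict) -> list:
    """Flag Allow statements in `aws lambda get-policy` output that are not scoped:
    an anonymous principal, or a service principal with no source/org condition
    (which lets the same service in any AWS account invoke the function)."""
    policy = json.loads(get_policy_output["Policy"])
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or principal == {"AWS": "*"}
        cond = json.dumps(st.get("Condition", {})).lower()
        scoped = any(k in cond for k in ("sourcearn", "sourceaccount", "principalorgid"))
        if anonymous and not scoped:
            findings.append((st.get("Sid"), "anyone can invoke: no source condition"))
        elif isinstance(principal, dict) and "Service" in principal and not scoped:
            findings.append((st.get("Sid"), f"{principal['Service']} from any account can "
                                            "invoke; add --source-arn/--source-account"))
    return findings


def bucket_policy_for_role(bucket, role_arn, break_glass_arns, prefix="incoming/"):
    """Bucket policy for step 2: the execution role may read one prefix; every other
    principal is denied object access except the break-glass roles. aws:PrincipalArn
    resolves to the role ARN for assumed-role sessions, so session names are not
    needed. Keep break_glass_arns non-empty (add the account root ARN if you want the
    root user exempt) or you lock administrators out of the objects."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowFunctionRead", "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": "s3:GetObject", "Resource": f"{arn}/{prefix}*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"{arn}/*",
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [role_arn, *break_glass_arns]}}},
    ]}


# Constructed sample of get-policy output: one scoped statement, one public, one unscoped service.
SAMPLE_GET_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    scoped_invoke_statement(FUNCTION_ARN, "s3.amazonaws.com", "arn:aws:s3:::my-input-bucket",
                            "123456789012", "s3-invoke"),
    {"Sid": "public", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    {"Sid": "any-apigw", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
]})}

if __name__ == "__main__":
    for sid, reason in audit_function_policy(SAMPLE_GET_POLICY):
        print(f"{sid}: {reason}")
    with open("bucket_policy.json", "w") as f:
        json.dump(bucket_policy_for_role("my-input-bucket", ROLE_ARN, BREAK_GLASS), f, indent=2)
```

Run it, fix each finding with remove-permission followed by a scoped add-permission, and pass the generated bucket_policy.json to the put-bucket-policy command in step 2. The Deny statement is what actually restricts the bucket; an Allow alone adds access and removes none, so without it any identity in the account with an s3:GetObject grant in its own IAM policy could still read the objects.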


It’s important to note that security and compliance considerations are ongoing and should be regularly reviewed, updated and audited. AWS provides a number of tools and best practices to help you secure your Lambda environment, but it’s your responsibility to implement them correctly and keep them up to date.