Part 1 -Least Privilege Access for AWS Lambda Execution Role
Introduction
In AWS, an important security best practice is to adhere to the principle of least privilege when granting permissions. This practice minimizes the potential impact of any accidental or malicious use of permissions. AWS Lambda functions require permissions to interact with other AWS services. By setting up an IAM role with only the necessary permissions, we can reduce the attack surface and improve our application's overall security posture.
In this article, we will discuss how to create an IAM role for a Lambda function that adheres to the principle of least privilege. Our sample Lambda function is written in Python and describes VPCs in an AWS account, and then it puts an item into a DynamoDB table.
Understanding IAM and AWS Lambda
IAM stands for Identity and Access Management. It is an AWS service used to control access to AWS resources. An IAM role is an identity with certain permission policies that determine what the identity can and cannot do in AWS.
AWS Lambda is a serverless compute service that runs your code in response to events. Lambda assumes an IAM role when executing a function to access other AWS services.
IAM Role for AWS Lambda
When we create an IAM role for AWS Lambda, we give our function the ability to access specific resources in our account. The role should have the least privilege necessary to perform its tasks. In other words, the function should have just enough access to do its job, and no more.
For our scenario, where a Lambda function is responsible for describing VPCs and putting an item into a DynamoDB table, we would need to provide permissions to perform the ec2:DescribeVpcs
and dynamodb:PutItem
actions. This can be done with a policy similar to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeVpcs",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "dynamodb:PutItem",
"Resource": "arn:aws:dynamodb:region:account-id:table/securityleaseprivtable"
}
]
}
This policy allows the Lambda function to describe VPCs and to put an item into a specific DynamoDB table, which is exactly what it needs to do. No additional permissions are granted.
Python Lambda Function
Let's look at the corresponding Python code that will utilize the ec2:DescribeVpcs
and dynamodb:PutItem
permissions. This function will use the boto3
AWS SDK for Python to make a request to the EC2 service to describe the VPCs, and to the DynamoDB service to put an item into the table.
import boto3
def lambda_handler(event, context):
ec2 = boto3.client('ec2')
dynamodb = boto3.resource('dynamodb')
table = dynamodb.Table('securityleastprivilegetable')
response = ec2.describe_vpcs()
table.put_item(
Item={
'id': '1'
}
)
return response
This function creates a client for the EC2 service, describes the VPCs in the account, puts the response into a DynamoDB table, and then returns the response. It requires no additional permissions beyond ec2:DescribeVpcs
and dynamodb:PutItem
.
Conclusion
By following the principle of least privilege, we can create secure applications that are resilient to potential threats. It's important to regularly review and update our IAM policies to ensure that they only grant the necessary permissions. By keeping our Python Lambda function's permissions limited to what it needs (ec2:DescribeVpcs
and dynamodb:PutItem
), we've minimized the risk and increased the security of our application.
Understanding these concepts and implementing them in your AWS environment will help you build secure, efficient, and compliant infrastructures.
Subscribe to my newsletter
Read articles from Chandrasekar(Chan) Rajaram directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by