Review and Secure a Lambda Function with an IAM Least Privilege Based Security Policy

Lab Steps

  • Logging in to the Amazon Web Services Console
  • Create CloudTrail Trail
  • Create Lambda Function
  • Use Athena to Query CloudTrail Events
  • Review Full IAM Actions List
  • Review and Update Lambda Execution Role Policy


Difficulty: Advanced
Time Limit: 2h 30m

Description

In this lab scenario, you take on the role of a cloud security engineer working for a business that has implemented a particular business process in AWS using AWS Lambda. Version one (the MVP) of the implementation has proven very successful with customers; in this lab you actually deploy and set up that Lambda function. Because of the serverless workflow's immediate success and the demand it has generated, the company has decided to review the IAM policies involved in operating it and keeping it available. The current IAM permissions are expected to be too broad and too permissive.

As a cloud security engineer, it is your responsibility to review and update the IAM permissions assigned to the Lambda function's execution role. Your task is to review the current IAM policies and refine them so that they adhere to the principle of least privilege. To understand exactly what the Lambda function does, and in particular the specific set of AWS API operations it calls, you will set up CloudTrail together with Athena. This setup also meets another business requirement: being able to audit every AWS API call made by the Lambda function for compliance purposes.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Configure CloudTrail and Athena together to help you analyze AWS API operations being made within an AWS Account

Intended Audience

  • Those interested in learning how to increase their IAM security posture by analyzing existing AWS API calls

Prerequisites

Familiarity with the following will be beneficial but is not required:

  • The AWS console
  • Basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

  • 1 x EC2 instance
    • ops.cloudacademy.platform.instance - used to provide access to a Linux terminal
  • 2 x S3 buckets
    • Business Data S3 bucket - used to store business data files generated by the Lambda function
    • Athena Query Results S3 bucket - used to store the results of executing Athena queries

To achieve the lab end state, you will be walked through the process of:

  • Setting up a new CloudTrail trail
  • Configuring Athena with access to the CloudTrail log files stored in S3
  • Deploying and configuring a new Python 3-based Lambda function that writes files to the Business Data S3 bucket
  • Using Athena to query the CloudTrail data
  • Building a local file containing all current IAM policy actions
  • Updating the IAM policy assigned to the Lambda function's execution role
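The steps above boil down to one procedure: filter CloudTrail records to the execution role's sessions, collect the distinct API actions, check them against the full IAM actions list, and write a policy that allows only those actions on only the resources the function touches. The Python below is an added example for this page, not code from the lab or from Cloud Academy. It embeds a handful of constructed CloudTrail records (the account ID, role name `business-lambda-role`, function name, bucket name and the Athena table name `cloudtrail_logs` are all assumptions) and carries the derivation through to a policy document. Two caveats a reviewer should keep in mind: S3 object-level calls such as PutObject only appear in CloudTrail if the trail logs S3 data events, not just management events; and CloudTrail's eventName is not always the IAM action name (for example ListObjectsV2 is authorised by `s3:ListBucket`), which is exactly why the lab has you build the full IAM actions list and validate against it.

```python
"""Derive a least-privilege policy from CloudTrail records for a Lambda execution role.

Added example for this lab page, not the lab's own code. All records, ARNs,
names and the Athena table name below are constructed assumptions.
"""
import json
from collections import defaultdict

# Athena equivalent of the filtering done in actions_for_role(). Assumes the
# CloudTrail table created for the lab is called cloudtrail_logs (assumption).
ATHENA_QUERY = """
SELECT DISTINCT eventsource, eventname, errorcode
FROM cloudtrail_logs
WHERE useridentity.type = 'AssumedRole'
  AND useridentity.arn LIKE '%:assumed-role/business-lambda-role/%'
ORDER BY eventsource, eventname
"""

ROLE_ARN_PREFIX = "arn:aws:sts::123456789012:assumed-role/"   # constructed
LAMBDA_SESSION = ROLE_ARN_PREFIX + "business-lambda-role/business-fn"

# Constructed sample records; only the fields this example reads are present.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_SESSION}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_SESSION}},
    {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogStream",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_SESSION}},
    {"eventSource": "logs.amazonaws.com", "eventName": "PutLogEvents",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_SESSION}},
    # A call the role attempted but was denied: surfaced for review, not granted blindly.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole", "arn": LAMBDA_SESSION}},
    # Noise from other principals that must not leak into the Lambda role's policy.
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN_PREFIX + "other-role/session"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}},
]

# eventSource is usually "<iam prefix>.amazonaws.com" and eventName usually equals
# the IAM action, but not always. These overrides cover the cases this example
# knows; the lab's full IAM actions list is the authority for everything else.
SERVICE_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}
ACTION_OVERRIDES = {("s3", "ListObjectsV2"): "ListBucket",
                    ("s3", "ListObjects"): "ListBucket",
                    ("s3", "HeadObject"): "GetObject"}


def iam_action(record):
    """Map one CloudTrail record to an IAM action string such as 's3:PutObject'."""
    source = record["eventSource"]
    service = SERVICE_OVERRIDES.get(source, source.split(".")[0])
    name = ACTION_OVERRIDES.get((service, record["eventName"]), record["eventName"])
    return f"{service}:{name}"


def actions_for_role(records, role_name, include_denied=False):
    """Sorted distinct IAM actions invoked by sessions of role_name.

    Denied calls (errorCode set) are excluded unless include_denied is True, so the
    policy reflects what the function actually did; failed attempts get a human look.
    """
    marker = f":assumed-role/{role_name}/"
    found = set()
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or marker not in ident.get("arn", ""):
            continue
        if rec.get("errorCode") and not include_denied:
            continue
        found.add(iam_action(rec))
    return sorted(found)


def unknown_actions(actions, known_actions):
    """Actions absent from the full IAM actions list (the lab's review step)."""
    return sorted(a for a in actions if a not in known_actions)


def build_policy(actions, resources_by_service):
    """One Allow statement per service, scoped to that service's resource ARNs.

    Refuses to emit a statement without an explicit resource scope rather than
    silently falling back to "*".
    """
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = []
    for svc, acts in sorted(by_service.items()):
        if not resources_by_service.get(svc):
            raise ValueError(f"no resource scope supplied for service {svc!r}")
        statements.append({"Effect": "Allow", "Action": acts,
                           "Resource": list(resources_by_service[svc])})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    acts = actions_for_role(SAMPLE_RECORDS, "business-lambda-role")
    print(json.dumps(build_policy(acts, {
        "s3": ["arn:aws:s3:::business-data-bucket", "arn:aws:s3:::business-data-bucket/*"],
        "logs": ["arn:aws:logs:us-west-2:123456789012:log-group:/aws/lambda/business-fn:*"],
    }), indent=2))
```

Run with `include_denied=True` as a second pass to see what the function tried and could not do; a denied call may be a genuine missing permission or a bug in the function, and either way it deserves a decision rather than an automatic grant. Re-run the collection after deploying the tightened policy and confirm no new AccessDenied records appear for the role.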
[Preview images: environment before and environment after]
About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, GCP, Azure), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).