Review and Secure a Lambda Function with an IAM Least Privilege Based Security Policy
In this lab scenario, you take on the role of a cloud security engineer, working for a business that has implemented a particular business process in AWS using AWS Lambda. Version one (MVP) of the implementation has proven very successful with customers (in this lab - you actually deploy and set up the Lambda function). Due to the immediate success and demand of the serverless workflow, the company has now decided to review the IAM security policies involved in its operation and uptime of it. It is expected that current IAM permissions may be too broad and too permissive.
As a cloud security engineer, it is your responsibility to perform the review and update existing IAM security permissions assigned to the Lambda function's execution role. Your task is to review the current IAM policies and refine them such that they adhere to the rule of least privilege. To understand exactly what the Lambda function does, and in particular, the specific set of AWS API operations it integrates with, you will set up CloudTrail together with Athena. Additionally, this new setup will support another business requirement - being able to audit all AWS API calls made by the Lambda function for auditing and compliance reasons.
Upon completion of this lab, you will be able to:
- Configure CloudTrail and Athena together to help you analyze AWS API operations being made within an AWS Account
- Those interested in learning how to increase their IAM security posture by analyzing existing AWS API calls
Familiarity with the following will be beneficial but is not required:
- Be comfortable with the AWS console
- Be comfortable with basic Linux command line administration
This lab will start with the following AWS resources provisioned automatically for you:
- 1 x EC2 instance
- ops.cloudacademy.platform.instance - used to provide access to a Linux terminal
- 2 x S3 buckets
- Business Data S3 bucket - used to store business data files generated by the Lambda function
- Athena Query Results S3 bucket - used to store the results of executing Athena queries
To achieve the lab end state, you will be walked through the process of:
- Setting up a new CloudTrail trail
- Configuring Athena with access to the CloudTrail trail log files stored in S3
- Deploying and configuring a new Python 3-based Lambda function that writes files out to the Business Data S3 bucket
- Use Athena to query the CloudTrail data
- Build a local file containing all current IAM Policy Actions
- Updating an IAM policy assigned to a Lambda function's execution role
Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.
He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.
Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).