Lambda Security

A collection of AWS security controls for AWS Lambda. Controls include templates to create Lambda functions, AWS Config rules for monitoring compliance, and Service Control Policies. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

Lambda

Configuration template to create a Lambda function. The template includes options to customize the function's settings such as name, runtime, code location (inline, ZIP or S3), memory size, timeout and more.

Formats: CloudFormation, Terraform, AWS CLI

This template creates a version from the current code and configuration of a Lambda function. It includes a Lambda function resource with a specified handler, role, code, runtime, and tracing configuration. The version resource is associated with the Lambda function and has a description and provisioned concurrency configuration. Publishing a version freezes that code and configuration, so aliases and event sources can point at an immutable snapshot instead of the mutable `$LATEST`.

Formats: CloudFormation

This template grants Amazon S3 (the `s3.amazonaws.com` service principal) permission to invoke a function resource named `my-lambda-function` created in the same template, to process notifications for a bucket resource named `Bucket`. Because bucket names are global, scope the `AWS::Lambda::Permission` with its `SourceAccount` (and, where possible, `SourceArn`) property: a bare service-principal grant can be exercised by a bucket in any AWS account that is configured to send notifications to the function.

Formats: CloudFormation

This template grants public, unauthenticated access to invoke your function named `my-lambda-function` via its function URL: the permission allows `lambda:InvokeFunctionUrl` to principal `*` for function URL auth type `NONE`, so anyone who knows the URL can invoke the function without AWS credentials. Use it only for endpoints that are intentionally public, and note that the Service Control Policy in this collection blocks creating function URLs with this auth type.

Formats: CloudFormation

This template grants account `123456789012` permission to invoke a Lambda function created in the same template. The function loads its code from `function.zip` in the S3 bucket `my-bucket` and runs under the IAM role `lambda-role`. Granting to an account ID means granting to that account's root principal: any IAM principal in the account whose own identity policies allow `lambda:InvokeFunction` on the function can invoke it. To limit the grant to one caller, set `Principal` to that role's or user's ARN instead.

Formats: CloudFormation

This template creates an `AWS::Lambda::LayerVersionPermission` resource that grants layer usage permission to every account in organization `o-t194hfs8cz`. The `Action` property is set to `lambda:GetLayerVersion` (the only action a layer permission can grant), the `LayerVersionArn` property to `arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1`, the `OrganizationId` property to `o-t194hfs8cz`, and the `Principal` property to `*`. The `Principal` of `*` is only safe because `OrganizationId` scopes it; `*` without an `OrganizationId` makes the layer version usable by every AWS account.

Formats: CloudFormation

This template creates a Lambda layer named `my-layer` with `CompatibleRuntimes` set to `python3.6` and `python3.7`, `Content` pointing at `layer.zip` in the S3 bucket `my-bucket-us-west-2-123456789012`, `Description` `My layer`, `LayerName` `my-layer` and `LicenseInfo` `MIT`. Both listed runtimes are deprecated by Lambda, so update `CompatibleRuntimes` to a supported Python runtime before using the template. `CompatibleRuntimes` is metadata used to filter layer listings; it does not verify that the layer's contents work on a given runtime.

Formats: CloudFormation

This template creates an AWS Lambda function connected to a VPC. The function is associated with an execution role and has a deployment package stored in an S3 bucket. The function has a timeout of 5 seconds and active tracing configuration. It is also configured with a VPC, with specified security group IDs and subnet IDs. Two things to check before deploying: the execution role must be allowed to manage the function's network interfaces (the `AWSLambdaVPCAccessExecutionRole` managed policy covers `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface`), and a VPC-attached function has no internet access unless its subnets route through a NAT gateway, so reach AWS services through VPC endpoints and keep the security groups' outbound rules to what the function actually needs.

Formats: CloudFormation

This template creates an inline AWS Lambda function using the Node.js runtime. The function lists Amazon S3 buckets in the `us-east-1` region and is associated with an execution role. That role needs `s3:ListAllMyBuckets` in addition to the basic logging permissions; the basic execution policy alone does not allow the `ListBuckets` call.

Formats: CloudFormation

This template creates an AWS Lambda function using the Node.js runtime. The function is associated with an execution role and has a deployment package stored in an S3 bucket. The function has a timeout of 25 seconds and active tracing configuration.

Formats: CloudFormation

This template creates an event source mapping that reads events from Amazon Kinesis and invokes a Lambda function in the same template. Lambda polls the stream using the function's execution role, so that role needs read access to the stream (`kinesis:DescribeStream`, `kinesis:DescribeStreamSummary`, `kinesis:GetRecords`, `kinesis:GetShardIterator`, `kinesis:ListShards` and `kinesis:ListStreams`, as granted by the `AWSLambdaKinesisExecutionRole` managed policy).

Formats: CloudFormation

This template creates a Lambda function with error handling and destination configuration. It also creates a version of the function and configures an event invoke configuration for asynchronous invocation. The function is written in Node.js and has a tracing configuration set to active. The event invoke configuration specifies a destination for both success and failure cases, sets a maximum event age of 300 seconds and a maximum of 1 retry attempt, and uses the version as the qualifier. Lambda delivers to the destinations using the execution role, so the role needs the matching send permission (for example `sqs:SendMessage` for an SQS queue or `sns:Publish` for an SNS topic).

Formats: CloudFormation

This template creates a Lambda function with two versions and an alias. The function code is provided as a zip file. The alias gives clients a stable function identifier that can be repointed at a different version without changing the clients. The alias has a routing configuration that splits traffic between the two versions, 0.5 to the first version and 0.5 to the second, which is the mechanism behind canary and weighted rollouts. The function has an active tracing configuration.

Formats: CloudFormation

This template creates a Node.js Lambda function with a version and alias. The function code is provided as a zip file. The alias gives clients a stable function identifier that can be repointed at a different version without changing the clients. The function has an active tracing configuration.

Formats: CloudFormation

IAM

Configuration for creating an IAM role for Lambda functions. The IAM role has a trust policy that allows the `lambda.amazonaws.com` service principal to assume it, and the `AWSLambdaBasicExecutionRole` managed policy attached, which grants only the CloudWatch Logs permissions (`logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`) a function needs to write its logs. Any other access a function needs should be added as a separate least-privilege policy rather than a broad managed policy. To ensure only functions in your account (or one named function) can assume the role through the Lambda service, add `aws:SourceAccount` (and optionally `aws:SourceArn`) conditions to the trust policy.

Formats: CloudFormation, Terraform, AWS CLI

CloudTrail

Configuration to enable AWS CloudTrail in an AWS account for logging Lambda data events. Data events for AWS Lambda record function execution activity (the `Invoke` API), which management-event logging does not capture; management events such as `CreateFunction`, `UpdateFunctionCode` and `AddPermission` are recorded by a trail without this configuration. Data events are charged separately, so decide deliberately whether to enable them for all functions or only for selected function ARNs.

Formats: CloudFormation, Terraform, AWS CLI

Config Rule

Checks whether the resource-based policy attached to the Lambda function prohibits public access. If the function policy allows public access, typically an `Allow` statement with principal `*` and no condition that restricts the calling organization, account or source, the function is NON_COMPLIANT.

Formats: CloudFormation, Terraform, AWS CLI
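The following Python is an added example (not the Config rule template on this page and not AWS's managed-rule implementation) showing the check this rule performs, run over constructed Lambda resource-based policies. The policy documents mirror the shapes the AddPermission and AddLayerVersionPermission APIs produce for the S3 notification, cross-account, public function URL and organization-scoped layer grants described under Lambda above; the ARNs, Sids and the list of scoping condition keys are assumptions of the example.

```python
"""Flag public statements in Lambda resource-based policies (added example)."""
import json

# Condition keys that bind a statement to a particular caller or call origin;
# a "*" principal restricted by one of these is shared, not public.
# Assumption of this example: common keys only, not an exhaustive list.
SCOPING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn",
    "aws:sourceowner", "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value):
    """IAM accepts a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _has_scoping_condition(condition):
    """True if some condition key limits who may call (org, account, ARN...).
    lambda:FunctionUrlAuthType is deliberately not in the set: it says how the
    URL authenticates, not who may call, so a "*" grant with it stays public."""
    for operator, keys in (condition or {}).items():
        if operator.lower().startswith("null"):  # existence checks scope nobody
            continue
        if any(key.lower() in SCOPING_KEYS for key in keys):
            return True
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that any principal can use.
    `policy` is a dict or the JSON string GetPolicy/GetLayerVersionPolicy return."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    flagged = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _has_scoping_condition(stmt.get("Condition")):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


FUNCTION_ARN = "arn:aws:lambda:us-west-2:123456789012:function:my-lambda-function"

# Constructed function policy combining the three grants described above.
FUNCTION_POLICY = {"Version": "2012-10-17", "Id": "default", "Statement": [
    {   # S3 notifications, pinned to the bucket owner's account: not public
        "Sid": "AllowS3Invoke", "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}},
    },
    {   # cross-account grant to one account's root principal: not public
        "Sid": "AllowAccount123456789012", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    },
    {   # unauthenticated function URL: this is the one the check flags
        "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
    },
]}

# Constructed layer policy: "*" scoped to one organization is shared, not public.
LAYER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OrgWideLayerAccess", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:GetLayerVersion",
    "Resource": "arn:aws:lambda:us-west-2:123456789012:layer:my-layer:1",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-t194hfs8cz"}},
}]}

if __name__ == "__main__":
    print("function policy, public Sids:", public_statements(FUNCTION_POLICY))
    print("layer policy, public Sids:", public_statements(LAYER_POLICY))
```

A wildcard principal counts as public unless a condition pins the caller's organization, account, ARN or source; the `lambda:FunctionUrlAuthType` condition on the function URL grant does not count, which is why that statement is the only one flagged while the organization-scoped layer grant passes. To check live functions, feed it the `Policy` field returned by `aws lambda get-policy`, which is a JSON string.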

A Config rule that checks that a Lambda function's runtime, role, timeout and memory size match the expected values. Use it to detect drift such as a function moved to a more privileged role or left on a deprecated runtime.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks that every Lambda function has at least one published version and an alias, and that no alias points to the `$LATEST` version. `$LATEST` changes with every code upload, so an alias or event source bound to it picks up unreviewed code; binding to published versions keeps deployments explicit and reversible.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether the Lambda function is configured with a function-level concurrent execution limit (reserved concurrency). Without one, a single function under load or abuse can consume the account's concurrency quota in that region and starve other functions.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether the Lambda function is configured to run in a VPC; the rule is NON_COMPLIANT if the function has no VPC configuration.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether each Lambda function has permission to log. Each function should have an execution role with the IAM permissions to publish its logs to CloudWatch Logs (`logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents`); a function without them still runs but leaves no log trail to investigate.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue. The dead-letter queue (an SQS queue or SNS topic) receives events from asynchronous invocations that fail all retries, and the execution role needs `sqs:SendMessage` or `sns:Publish` on it for delivery to work.

Formats: CloudFormation, Terraform, AWS CLI

A Config rule that checks whether a VPC-connected Lambda function is associated with more than one Availability Zone. The rule is NON_COMPLIANT if the function's subnets lie in only one Availability Zone, or in fewer Availability Zones than the number given in the rule's optional parameter.

Formats: CloudFormation, Terraform, AWS CLI

Service Control Policy

This SCP prevents users from creating open Lambda function URLs that do not require authentication and enforces `AWS_IAM` authentication on all Lambda function URLs. It does so by denying `lambda:CreateFunctionUrlConfig` and `lambda:UpdateFunctionUrlConfig` whenever the request's `lambda:FunctionUrlAuthType` condition key is not `AWS_IAM`. As with any SCP, it does not apply to the organization's management account and it does not by itself grant anyone permission to create function URLs.

Formats: CloudFormation, Terraform, AWS CLI
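To see concretely what this SCP blocks, here is an added Python example (not the page's SCP template) that holds the deny-unless-`AWS_IAM` policy document the description implies and evaluates it against constructed `CreateFunctionUrlConfig`, `UpdateFunctionUrlConfig` and `InvokeFunctionUrl` requests. The evaluator models only action matching and the `StringEquals`/`StringNotEquals` operators the policy uses, assumes `Resource` is `*`, and is not a general IAM policy engine; the Sid is an assumption.

```python
"""Simulate the deny-public-function-URL SCP against sample requests (added example)."""
import fnmatch

# Deny-unless pattern: block creating or updating a function URL unless the
# request's auth type is AWS_IAM. Sid is an assumption of this example.
SCP_DENY_PUBLIC_FUNCTION_URLS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyFunctionUrlsWithoutIamAuth",
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig",
                   "lambda:UpdateFunctionUrlConfig"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals blocks against a request context.
    Keys are case-insensitive, values case-sensitive (as in IAM). An absent key
    makes StringEquals false and the negated StringNotEquals true, which is why
    a deny-unless pattern also denies requests that omit the key."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"{operator} is not modelled by this example")
        negated = operator == "StringNotEquals"
        for key, wanted in pairs.items():
            actual = ctx.get(key.lower())
            equal = actual is not None and actual in _as_list(wanted)
            if equal == negated:  # Equals wants a match, NotEquals wants none
                return False
    return True


def scp_denies(scp, action, context):
    """True if a Deny statement matches; SCPs can only block, never grant."""
    for stmt in _as_list(scp["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed requests: (action, request context) as IAM would see them.
SAMPLE_REQUESTS = [
    ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
    ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "AWS_IAM"}),
    ("lambda:UpdateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
    ("lambda:InvokeFunctionUrl", {}),  # not an action this SCP covers
]


def evaluate_samples(scp=SCP_DENY_PUBLIC_FUNCTION_URLS):
    """Return [(action, auth type, denied?)] for the constructed requests."""
    return [(action, ctx.get("lambda:FunctionUrlAuthType"), scp_denies(scp, action, ctx))
            for action, ctx in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for action, auth, denied in evaluate_samples():
        print(f"{action:34} auth={auth!s:8} {'DENIED' if denied else 'not blocked by SCP'}")
```

Only the two configuration actions are touched: invoking an existing URL is left to the function's resource policy and the caller's identity policies. A request that omits `lambda:FunctionUrlAuthType` is denied as well, because a negated operator matches when the key is absent; that is what makes the deny-unless pattern safe rather than bypassable by leaving the attribute out.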

This SCP restricts IAM principals in member accounts from making changes to specific Lambda functions, with the exception of one specific IAM role (for example a common administrative role created in every account in your organization). Keep that exempted role tightly controlled, since it becomes the only path for changing those functions.

Formats: CloudFormation, Terraform, AWS CLI