A collection of AWS Security controls for AWS Lambda. Controls include templates to create Lambda Functions, AWS Config rules for monitoring compliance, and Service Control Policies. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform
Configuration template to create a Lambda Function. The template includes options to customize the function's settings such as name, runtime, code location (inline, ZIP or S3), memory size, timeout and more
Configuration for creating an IAM role for Lambda functions. The IAM role has a trust policy to allow Lambda functions to assume it, and the AWSLambdaBasicExecutionRole IAM managed policy attached for basic execution permissions for the Lambda functions.
Configuration to enable AWS CloudTrail in an AWS account for logging Lambda Data Events. Data Events for AWS Lambda record function execution activity (calls to the Invoke API).
Checks whether the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is noncompliant.
A Config rule that checks that the Lambda function settings for runtime, role, timeout, and memory size match the expected values.
A Config rule that checks that every Lambda function has at least one defined version and alias, and that no alias points to the $LATEST version.
A Config rule that checks whether the AWS Lambda function is configured with a function-level concurrent execution limit.
A Config rule that checks whether the AWS Lambda function is deployed in a VPC.
A Config rule that checks whether each Lambda function has permission to write logs. Each Lambda function should have an IAM role with the IAM permissions needed to publish its function logs to CloudWatch.
A Config rule that checks whether an AWS Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if the Lambda function is not configured with a dead-letter queue
A Config rule that checks whether a Lambda function is associated with more than one Availability Zone. The rule is NON_COMPLIANT if only one Availability Zone is associated with the function, or if the number of associated Availability Zones is less than the number specified in the optional parameter.
This SCP prevents users from creating open Lambda function URLs that do not require authentication and enforces AWS_IAM authentication on all Lambda function URLs.
This SCP restricts IAM principals in accounts from making changes to specific Lambda Functions, with the exception of a specific IAM role (this could be a common administrative IAM role created in all accounts in your organization).