Lambda Security

A collection of AWS security controls for AWS Lambda. Controls include AWS Config rules for monitoring compliance. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

Config Rule

Checks whether the resource-based policy attached to the Lambda function prohibits public access. If the policy allows public access (an anonymous principal that is not narrowed by a condition), the function is NON_COMPLIANT.

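The check above, written out locally as an added example (this is not one of the page's CloudFormation, Terraform or CLI templates): a function is public when an Allow statement grants an invoke action to the anonymous principal ("*" or {"AWS": "*"}) without a condition that identifies the caller. The policy documents, the function ARN and the account and organization IDs are constructed samples; the rule treats a function URL with AuthType NONE as public because its condition key does not pin a caller.

```python
"""Evaluate whether a Lambda resource-based policy allows public access.

Added example, not the page's own template. An Allow statement that grants an
invoke action to an anonymous principal is public unless a condition pins the
caller to a known account, organization or source ARN. The policy documents at
the bottom are constructed samples, not real policies.
"""
import fnmatch
import json

INVOKE_ACTIONS = ("lambda:InvokeFunction", "lambda:InvokeFunctionUrl")
# Condition keys that narrow an anonymous principal to a known caller.
RESTRICTING_KEYS = {"aws:SourceAccount", "aws:SourceArn", "aws:SourceOwner",
                    "aws:PrincipalAccount", "aws:PrincipalOrgID"}


def is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def grants_invoke(action):
    """True if any action pattern (e.g. "lambda:*") covers an invoke action."""
    patterns = action if isinstance(action, list) else [action]
    return any(fnmatch.fnmatchcase(target.lower(), pat.lower())
               for pat in patterns for target in INVOKE_ACTIONS)


def has_restricting_condition(statement):
    """True if a condition (other than Null) uses a key that identifies the caller."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().startswith("null"):
            continue
        if any(k in RESTRICTING_KEYS for k in keys):
            return True
    return False


def public_statements(policy):
    """Sids (or positional labels) of statements that expose the function publicly."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    offenders = []
    for i, s in enumerate(statements):
        if (s.get("Effect") == "Allow" and is_anonymous(s.get("Principal"))
                and grants_invoke(s.get("Action", [])) and not has_restricting_condition(s)):
            offenders.append(s.get("Sid", f"Statement[{i}]"))
    return offenders


def evaluate_public_access(policy):
    """Config-style verdict for the function's resource-based policy."""
    return "NON_COMPLIANT" if public_statements(policy) else "COMPLIANT"


FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:orders-api"  # constructed

# Anyone on the internet may invoke the function: NON_COMPLIANT.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]}

# A service principal pinned to one bucket, plus an anonymous principal pinned to the org: COMPLIANT.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowBucketNotifications", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
     "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"},
                   "ArnLike": {"aws:SourceArn": "arn:aws:s3:::orders-uploads"}}},
    {"Sid": "AllowOrgInvoke", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# Function URL with AuthType NONE: the condition does not identify a caller, so still public.
FUNCTION_URL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]}

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("scoped", SCOPED_POLICY),
                      ("function-url", FUNCTION_URL_POLICY)):
        print(f"{name}: {evaluate_public_access(doc)} {public_statements(doc)}")
```

Feed it the output of get-policy (the Policy field is a JSON string) to reproduce the rule's verdict before deploying the rule itself.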

A Config rule that checks that the Lambda function settings for runtime, role, timeout, and memory size match the expected values.


A Config rule that checks that every Lambda function has at least one published version and at least one alias, and that no alias points to the $LATEST version.


A Config rule that checks whether the Lambda function has a function-level concurrent execution limit (reserved concurrency) configured.


A Config rule that checks whether the Lambda function is configured to run inside a VPC.


A Config rule that checks whether each Lambda function has permission to write its logs. Each function's execution role should carry the IAM permissions needed to create its log group and log stream and to publish log events to CloudWatch Logs.


A Config rule that checks whether a Lambda function is configured with a dead-letter queue. The rule is NON_COMPLIANT if no dead-letter queue is configured.

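The six configuration rules above (settings, version and alias, reserved concurrency, VPC, logging permission, dead-letter queue) evaluated locally, as an added example rather than the page's templates. The checkers take data in the shape the Lambda GetFunction, ListVersionsByFunction and ListAliases APIs return plus the execution role's policy document; the function names, role, expected settings and policy documents are constructed samples.

```python
"""Local evaluation of the Lambda Config rules described on this page.

Added example, not the page's own templates. Inputs follow the shape of the
GetFunction, ListVersionsByFunction and ListAliases responses and an IAM policy
document; the sample data at the bottom is constructed, not captured.
"""
import fnmatch

REQUIRED_LOG_ACTIONS = ("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents")


def _verdict(ok):
    return "COMPLIANT" if ok else "NON_COMPLIANT"


def check_settings(function, expected):
    """Runtime (one of a list), role, timeout and memory size must match the expected values."""
    cfg = function["Configuration"]
    runtimes = expected["runtime"] if isinstance(expected["runtime"], list) else [expected["runtime"]]
    return _verdict(cfg["Runtime"] in runtimes and cfg["Role"] == expected["role"]
                    and cfg["Timeout"] == expected["timeout"]
                    and cfg["MemorySize"] == expected["memorySize"])


def check_versions_and_aliases(versions, aliases):
    """At least one published version, at least one alias, and no alias on $LATEST."""
    published = [v for v in versions if v["Version"] != "$LATEST"]
    pinned = all(a["FunctionVersion"] != "$LATEST" for a in aliases)
    return _verdict(bool(published) and bool(aliases) and pinned)


def check_reserved_concurrency(function):
    """GetFunction returns a Concurrency block only when a reserved limit is set."""
    return _verdict(function.get("Concurrency", {}).get("ReservedConcurrentExecutions") is not None)


def check_in_vpc(function):
    vpc = function["Configuration"].get("VpcConfig") or {}
    return _verdict(bool(vpc.get("VpcId")) and bool(vpc.get("SubnetIds")))


def check_dead_letter_queue(function):
    dlq = function["Configuration"].get("DeadLetterConfig") or {}
    return _verdict(bool(dlq.get("TargetArn")))


def check_logging_permission(role_policy):
    """Every CloudWatch Logs action must be covered by an Allow statement (wildcards honoured)."""
    allowed = []
    for stmt in role_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            allowed.extend(actions if isinstance(actions, list) else [actions])
    return _verdict(all(any(fnmatch.fnmatchcase(need, pat) for pat in allowed)
                        for need in REQUIRED_LOG_ACTIONS))


def evaluate_function(function, versions, aliases, role_policy, expected):
    """Run every control and return {control: verdict}, as a custom rule would report."""
    return {"settings": check_settings(function, expected),
            "version_and_alias": check_versions_and_aliases(versions, aliases),
            "reserved_concurrency": check_reserved_concurrency(function),
            "in_vpc": check_in_vpc(function),
            "logging_permission": check_logging_permission(role_policy),
            "dead_letter_queue": check_dead_letter_queue(function)}


EXPECTED = {"runtime": ["python3.12"], "role": "arn:aws:iam::123456789012:role/lambda-exec",
            "timeout": 30, "memorySize": 256}
# Constructed sample: a function that satisfies every control.
GOOD_FUNCTION = {"Configuration": {
    "FunctionName": "orders-api", "Runtime": "python3.12",
    "Role": "arn:aws:iam::123456789012:role/lambda-exec", "Timeout": 30, "MemorySize": 256,
    "VpcConfig": {"VpcId": "vpc-0a1b2c3d", "SubnetIds": ["subnet-0a1b2c3d"],
                  "SecurityGroupIds": ["sg-0a1b2c3d"]},
    "DeadLetterConfig": {"TargetArn": "arn:aws:sqs:us-east-1:123456789012:orders-api-dlq"}},
    "Concurrency": {"ReservedConcurrentExecutions": 50}}
GOOD_VERSIONS = [{"Version": "$LATEST"}, {"Version": "1"}, {"Version": "2"}]
GOOD_ALIASES = [{"Name": "live", "FunctionVersion": "2"}]
GOOD_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"}]}
# Constructed sample: a function that fails every control (wrong memory, alias on $LATEST,
# no reserved concurrency, no VPC, partial logging permission, no dead-letter queue).
BAD_FUNCTION = {"Configuration": {
    "FunctionName": "legacy-cron", "Runtime": "python3.12",
    "Role": "arn:aws:iam::123456789012:role/lambda-exec", "Timeout": 30, "MemorySize": 128,
    "VpcConfig": {"VpcId": "", "SubnetIds": [], "SecurityGroupIds": []}}}
BAD_VERSIONS = [{"Version": "$LATEST"}]
BAD_ALIASES = [{"Name": "live", "FunctionVersion": "$LATEST"}]
BAD_ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"}]}

if __name__ == "__main__":
    print("orders-api", evaluate_function(GOOD_FUNCTION, GOOD_VERSIONS, GOOD_ALIASES,
                                          GOOD_ROLE_POLICY, EXPECTED))
    print("legacy-cron", evaluate_function(BAD_FUNCTION, BAD_VERSIONS, BAD_ALIASES,
                                           BAD_ROLE_POLICY, EXPECTED))
```

The logging check only inspects the policy document handed to it; a role that inherits the permission from an attached managed policy would need that document merged in first, and an explicit Deny elsewhere in the role is not considered.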
CloudTrail

Configuration to enable AWS CloudTrail in an AWS account for logging Lambda data events. Data events for AWS Lambda record function execution activity (the Invoke API), which a trail does not capture by default: management events such as function updates are logged without extra configuration, Invoke calls only when Lambda data events are enabled on the trail.

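What the Invoke data events look like once the trail records them, and a first triage pass over a log file, as an added example that is not part of the original page. SAMPLE_LOG is a constructed file in CloudTrail's record shape (account IDs, ARNs, role names and the 203.0.113.7 address are placeholders); it includes a management event to show it is ignored, a cross-account caller, and a denied invoke whose requestParameters is null, so the function is recovered from the resources block.

```python
"""Triage Lambda Invoke data events from a CloudTrail log file.

Added example, not part of the original page. SAMPLE_LOG is a constructed log
in CloudTrail's record shape, not a real capture.
"""
import json
from collections import Counter


def function_name(arn):
    """Bare function name from a function ARN, dropping any version or alias qualifier."""
    return arn.split(":function:", 1)[1].split(":", 1)[0] if ":function:" in arn else arn


def target_function(record):
    """Function named in requestParameters; on denied calls that field can be null,
    so fall back to the resources block."""
    arn = (record.get("requestParameters") or {}).get("functionName")
    if not arn and record.get("resources"):
        arn = record["resources"][0]["ARN"]
    return function_name(arn or "unknown")


def lambda_invocations(records):
    """Only data events for the Invoke API; management events are left out."""
    return [r for r in records
            if r.get("eventSource") == "lambda.amazonaws.com" and r.get("eventName") == "Invoke"]


def summarize(log_text):
    """Per-function invoke counts plus the callers worth a second look."""
    invokes = lambda_invocations(json.loads(log_text)["Records"])
    per_function = Counter(target_function(r) for r in invokes)
    # A principal from another account invoking a function in this account.
    cross_account = sorted({r["userIdentity"]["arn"] for r in invokes
                            if r["userIdentity"].get("accountId") != r["recipientAccountId"]})
    # Denied invokes: a caller trying functions it has no right to run.
    access_denied = [(target_function(r), r["userIdentity"]["arn"])
                     for r in invokes if r.get("errorCode") == "AccessDenied"]
    return {"invocations": len(invokes), "per_function": dict(per_function),
            "cross_account": cross_account, "access_denied": access_denied}


ACCOUNT = "123456789012"  # constructed
ORDERS_API = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:orders-api"
BILLING_EXPORT = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:billing-export"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventTime": "2024-05-01T10:00:00Z", "recipientAccountId": ACCOUNT, "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"type": "AssumedRole", "accountId": ACCOUNT,
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/orders-svc/i-0abc123"},
     "requestParameters": {"functionName": ORDERS_API + ":live"},
     "resources": [{"type": "AWS::Lambda::Function", "accountId": ACCOUNT, "ARN": ORDERS_API}]},
    {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventTime": "2024-05-01T10:00:05Z", "recipientAccountId": ACCOUNT, "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "accountId": "999988887777",
                      "arn": "arn:aws:iam::999988887777:user/partner-integration"},
     "requestParameters": {"functionName": ORDERS_API},
     "resources": [{"type": "AWS::Lambda::Function", "accountId": ACCOUNT, "ARN": ORDERS_API}]},
    {"eventCategory": "Data", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventTime": "2024-05-01T10:00:09Z", "recipientAccountId": ACCOUNT, "sourceIPAddress": "10.0.2.44",
     "userIdentity": {"type": "AssumedRole", "accountId": ACCOUNT,
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/gh-runner"},
     "requestParameters": None, "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: lambda:InvokeFunction",
     "resources": [{"type": "AWS::Lambda::Function", "accountId": ACCOUNT, "ARN": BILLING_EXPORT}]},
    {"eventCategory": "Management", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "eventTime": "2024-05-01T10:01:00Z",
     "recipientAccountId": ACCOUNT,
     "userIdentity": {"type": "AssumedRole", "accountId": ACCOUNT,
                      "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/gh-runner"},
     "requestParameters": {"functionName": "orders-api"}}]})

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Point summarize at the gunzipped object a trail delivers to S3; the cross_account and access_denied lists are the rows to hand to whoever owns the function.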