Lambda Checker is a simple Python script, based on official AWS Boto3 Python SDK, which executes some security checks to detect misconfigurations issues on Lambda functions. The tool has been developed in order to be automated within CI/CD pipelines or to be executed on demand. In addition to security configuration checks, if the function is written in Python it performs additional security checks such as hardcoded credentials checks, use of assertion clauses and so on. Here is the list with the checks done by the tool:
-
Configuration issues:
- Detection of AWS EU region use
- Configuration of X-Ray debug module
- VPC Lambda's configuration
- Permissions and configuration of the role associated to the Lambda
- Insecure HTTP requests
- Detection of personal data (spanish)
-
Code Security issues (all languages):
- Hardcoded credentials
- Hardcoded directories
-
Code Security issues (only for Python functions):
- Use of insecure libraries
- Use of insecure ciphers
- Use of insecure algorithms
- Use of assertion clauses
- OS Command execution detection (manual check required if it is detected)
The results are shown as CSV report and command-line and they are classified as "Info", "Low", "Medium" or "High" risk severity. The use of this tool is complementary to the use of others and it is highly recommended the use of pure SAST solutions which can gives widest results.
In order to install the tool, you can clone the git repository or download the Python script:
git clone git://github.com/atrigomv/lambda_checker.git
To execute the tool it is necessary to cover the steps below:
- Download the tool
- Create a programmatic user in AWS account in which Lambda functions are storaged. The permissions of this user are described below.
- Install Python
- Install Boto3 for Python:
pip install boto3
- Install AWS CLI and configure it with the access key and the secret access key of the user previously created:
pip install awscli
aws configure
- Put execution permissions:
chmod +x lambda_checker.py
- Enjoy ;)
If you chose the easy way, it is enough if the programmatic user has the next policies selected: AWSLambdaFullAccess and IAMFullAccess.
In order to give the exact permissions to the script, it is needed to create a new policy with the next statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"lambda:ListFunctions",
"iam:ListAttachedRolePolicies",
"lambda:GetFunction",
"iam:ListRolePolicies"
],
"Resource": "*"
}
]
}
./lambda_checker.py -f <LAMBDA_FUNCTION_NAME> -v
./lambda_checker.py -a
