Multiple Functions Should Not Have The Same IAM Role

More Info:

Amazon Lambda functions should not share the same AWS IAM execution role in order to promote the Principle of Least Privilege (POLP) by providing each individual function the minimal amount of access required to perform its tasks.

Risk Level

High

Address

Security

Compliance Standards

SOC2

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration in AWS, you can follow the below steps using AWS CLI:

Identify the functions that have the same IAM role assigned to them. You can use the following command to list all the functions and their IAM roles:

aws lambda list-functions --query 'Functions[*].[FunctionName, Role]'

Once you have identified the functions that have the same IAM role assigned to them, you can create a new IAM role for each function using the following command:

aws iam create-role --role-name <new_role_name> --assume-role-policy-document file://trust-policy.json

Note: Replace <new_role_name> with a unique name for the new IAM role and trust-policy.json with the path to a JSON file containing the trust policy for the role.

After creating the new IAM roles, you can update the function configurations to use the new IAM roles using the following command:

aws lambda update-function-configuration --function-name <function_name> --role <new_role_arn>

Note: Replace <function_name> with the name of the function that needs to be updated and <new_role_arn> with the ARN of the new IAM role created in step 2.

Repeat step 3 for all the functions that have the same IAM role assigned to them.
Once all the functions have been updated to use unique IAM roles, you can delete the old shared IAM role using the following command:

aws iam delete-role --role-name <old_role_name>

Note: Replace <old_role_name> with the name of the old shared IAM role that needs to be deleted.By following these steps, you can remediate the misconfiguration of having multiple functions with the same IAM role in AWS.

Using Python

To remediate the misconfiguration “Multiple Functions Should Not Have The Same IAM Role” in AWS using Python, you can follow these steps:

Identify the functions that are sharing the same IAM role. You can use the AWS CLI command aws lambda list-functions to get a list of all the functions in your account and their associated IAM roles.
For each function that is sharing the same IAM role with another function, create a new IAM role. You can use the AWS CLI command aws iam create-role to create a new IAM role with the necessary permissions for the function.
Update each function to use the new IAM role. You can use the AWS CLI command aws lambda update-function-configuration to update the function’s configuration and specify the new IAM role.

Here’s an example Python script that you can use to remediate this misconfiguration:

import boto3

# Initialize the AWS clients
lambda_client = boto3.client('lambda')
iam_client = boto3.client('iam')

# Get a list of all the functions in the account
response = lambda_client.list_functions()

# Loop through each function
for function in response['Functions']:
    # Get the function's IAM role
    role_arn = function['Role']
    role_name = role_arn.split('/')[-1]

    # Check if the role is being used by multiple functions
    response = lambda_client.list_functions(
        FunctionVersion='ALL',
        MaxItems=10000
    )
    shared_role_functions = []
    for f in response['Functions']:
        if f['Role'] == role_arn and f['FunctionName'] != function['FunctionName']:
            shared_role_functions.append(f['FunctionName'])

    if shared_role_functions:
        # Create a new IAM role for the function
        new_role_name = f"{function['FunctionName']}-lambda-role"
        response = iam_client.create_role(
            RoleName=new_role_name,
            AssumeRolePolicyDocument='{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Principal": {"Service": "lambda.amazonaws.com"},"Action": "sts:AssumeRole"}]}'
        )

        # Attach the necessary policies to the new IAM role
        policy_arns = ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']
        for policy_arn in policy_arns:
            iam_client.attach_role_policy(
                RoleName=new_role_name,
                PolicyArn=policy_arn
            )

        # Update the function to use the new IAM role
        lambda_client.update_function_configuration(
            FunctionName=function['FunctionName'],
            Role=response['Role']['Arn']
        )

        print(f"Function {function['FunctionName']} now has its own IAM role {new_role_name}")
    else:
        print(f"Function {function['FunctionName']} is not sharing its IAM role with any other function")

This script will loop through all the functions in your account and check if they are sharing their IAM role with any other function. If a function is sharing its IAM role, the script will create a new IAM role for the function, attach the necessary policies to the new role, and update the function to use the new IAM role.

Additional Reading:

https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Multiple Functions Should Not Have The Same IAM Role

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: