Skill323 repo starsupdated today
cis-aws-compute-12.4
This Claude Code skill provides guidance for auditing AWS Lambda function IAM permissions to ensure least privilege access is implemented. Use this when reviewing Lambda function configurations to verify that functions only have permissions necessary for their specific operations, such as read-only access to required S3 buckets rather than broader data manipulation or multi-bucket permissions. The skill emphasizes manual policy review since IAM permissions operate at granular levels controlling both data and control plane access.
Install in Claude Code
Copygit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-12.4 && cp -r /tmp/cis-aws-compute-12.4/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.4 ~/.claude/skills/cis-aws-compute-12.4Then start a new Claude Code session; the skill loads automatically.
Definition
SKILL.md
# Ensure least privilege is used with Lambda function access ## Description Lambda is fully integrated with IAM, allowing you to control precisely what each Lambda function can do within the AWS Cloud. As you develop a Lambda function, you expand the scope of this policy to enable access to other resources. For example, for a function that processes objects put into an S3 bucket, it requires read access to objects stored in that bucket. Do not grant the function broader permissions to write or delete data, or operate in other buckets. ## Rationale You can use AWS Identity and Access Management (IAM) to manage access to the Lambda API and resources like functions and layers. For users and applications in your account that use Lambda, you manage permissions in a permissions policy that you can apply to IAM users, groups, or roles. To grant permissions to other accounts or AWS services that use your Lambda resources, you use a policy that applies to the resource itself. ## Impact Determining the exact permissions required is a manual process and can be challenging, since IAM permissions are very granular and they control access to both the data plane and control plane. ## Audit Procedure ### Using AWS Console Determining the exact permissions required is a manual process and can be challenging, since IAM permissions are very granular and they control access to both the data plane and control plane. Please refer to the references section below for useful documentation on developing the correct IAM policies for Lambda. ### Using AWS CLI N/A - This control requires manual review of IAM policies. ## Expected Result Lambda functions have granular IAM permissions following the principle of least privilege, with access limited to only necessary resources and operations. ## Remediation ### Using AWS Console As building out the IAM permissions for Lambda here are some things to consider: - Set granular IAM permissions for Lambda functions. - Limit user access via IAM permissions to only necessary resources and operations. - Remove unused or outdated IAM Users, Roles and Permissions. - Periodically review and adjust IAM permissions. - Do not allow all-access permissions for Lambda functions as a short cut. ### Using AWS CLI N/A - This control requires manual IAM policy review and adjustment. ## Default Value Lambda functions are created with a basic execution role by default, but the exact permissions depend on the role configuration. ## References 1. https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html 2. https://awspolicygen.s3.amazonaws.com/policygen.html 3. https://policysim.aws.amazon.com/home/index.jsp?# 4. https://github.com/aws-samples/aws-iamctl/ 5. https://docs.aws.amazon.com/lambda/latest/operatorguide/least-privilege-iam.html ## CIS Controls | Controls Version | Control | IG 1 | IG 2 | IG 3 | | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- | | v8 | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x | x | x | | v8 | 6.7 Centralize Access Control - Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. | | x | x | | v7 | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. | | x | x | | v7 | 7.8 Implement DMARC and Enable Receiver-Side Verification - To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification. | | x | x | ## Profile Level 1 | Manual
More from this repository
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates