Skill323 repo starsupdated today
cis-aws-compute-12.5
This AWS security control verifies that each Lambda function uses a dedicated IAM execution role rather than sharing roles across multiple functions. Apply this check to enforce the principle of least privilege, ensuring functions have only minimal necessary permissions and improving security isolation between independent Lambda workloads in your AWS environment.
Install in Claude Code
Copygit clone --depth 1 https://github.com/CyberStrikeus/CyberStrike /tmp/cis-aws-compute-12.5 && cp -r /tmp/cis-aws-compute-12.5/.cyberstrike/skill/CIS_benchmarks/Cloud_Providers/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.5 ~/.claude/skills/cis-aws-compute-12.5Then start a new Claude Code session; the skill loads automatically.
Definition
SKILL.md
# Ensure every Lambda function has its own IAM Role ## Description Every Lambda function should have a one to one IAM execution role and the roles should not be shared between functions. ## Rationale The Principle of Least Privilege means that any Lambda function should have the minimal amount of access required to perform its tasks. In order to accomplish this Lambda functions should not share IAM Execution roles. ## Impact Creating unique IAM roles for each Lambda function increases the number of IAM roles to manage but provides better security isolation between functions. ## Audit Procedure ### Using AWS Console 1. Login to the AWS console using https://console.aws.amazon.com/lambda/ 2. In the left column, under `AWS Lambda`, click `Functions`. 3. Under `Function name` click on the name of the function that you want to review. 4. Click the `Configuration` tab 5. Under General configuration on the left column, click `Permissions`. 6. Under the `Execution role` section, `Role name` not the name listed as this is the IAM is the role that defines the access permissions for the selected function. 7. Repeat steps 2 - 6 for all the Lambda functions listed within the AWS region. 8. If any Lambda functions share the same Execution role, refer to the remediation below. 9. Repeat this Audit for all the AWS Regions. ### Using AWS CLI N/A - This control is Console-based audit only. ## Expected Result Each Lambda function has a unique IAM execution role that is not shared with any other Lambda function. ## Remediation ### Using AWS Console 1. Login to the AWS console using https://console.aws.amazon.com/lambda/ 2. In the left column, under `AWS Lambda`, click `Functions`. 3. Under `Function name` click on the name of the function that you want to change/update. 4. Click the `Configuration` tab 5. Under General configuration on the left column, click `Permissions`. 6. Under the `Execution role` section, click `Edit`. 7. Scroll down to `Execution role` **To use an existing IAM role:** - Click `Use an existing role` - Select the role from the `Existing role` dropdown. - The IAM role can't be associated with another Lambda function and must follow the Principle of Least Privilege. **To use a new IAM role:** - Click `Create a new role from AWS policy templates` - Provide a unique name based on company policy in the `Role name` - Select the policy templates from the `Policy templates` dropdown. 8. Click `Save` 9. Repeat steps 2 - 8 for all the Lambda functions listed within the AWS region that do not have a unique IAM Execution Role. 10. Repeat this remediation process for all the AWS Regions. ### Using AWS CLI N/A - This control is Console-based remediation only. ## Default Value When creating a Lambda function, AWS creates a default execution role, but multiple functions can be configured to share the same role. ## References 1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html ## CIS Controls | Controls Version | Control | IG 1 | IG 2 | IG 3 | | ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- | | v8 | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x | x | x | | v7 | 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies - Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. | | x | x | ## Profile Level 1 | Manual
More from this repository
cis-aws-compute-10.1Skill
Ensure Managed Platform updates is configured
cis-aws-compute-10.2Skill
Ensure Persistent logs is setup and configured to S3
cis-aws-compute-10.3Skill
Ensure access logs are enabled
cis-aws-compute-10.4Skill
Ensure that HTTPS is enabled on load balancer
cis-aws-compute-11.1Skill
Ensure customer-managed keys are used to encrypt AWS Fargate ephemeral storage data for Amazon ECS
cis-aws-compute-12.1Skill
Ensure AWS Config is Enabled for Lambda and Serverless
cis-aws-compute-12.10Skill
Ensure Lambda functions do not allow unknown cross account access via permission policies
cis-aws-compute-12.11Skill
Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates