Protect Your Lambda Functions with AWS GuardDuty

Cagdas Ozbey
Published in TysonWorks
3 min read · May 2, 2023

AWS recently announced Amazon GuardDuty support for Lambda Protection. This feature identifies potential security threats when an AWS Lambda function is invoked in your AWS environment. In this tutorial, I will guide you through the steps to enable it and how to remediate the issues it surfaces.

Lambda Protection provides a crucial security layer by monitoring Lambda network activity logs, starting with VPC Flow Logs from all Lambda functions in your account. This covers functions that don’t use VPC networking as well, and the logs are generated when a Lambda function is invoked.

When GuardDuty identifies suspicious network traffic that potentially indicates malicious code within your Lambda function, it generates a finding. This allows you to safeguard your environment proactively.

Getting Started
By default, an existing GuardDuty account can enable Lambda Protection with a 30-day trial period. For a new GuardDuty account, Lambda Protection is enabled by default and included in the 30-day trial period.

Let’s get started with enabling Lambda Protection:

Lambda Network Activity Monitoring
GuardDuty monitors the network activity logs generated when your Lambda functions are invoked. This includes Amazon VPC Flow Logs from all Lambda functions in your account, even from functions that don’t use VPC networking.

Cost Optimization
GuardDuty charges only for the volume of Lambda network activity log data (in GB) it processes to generate findings. It keeps cost down by applying smart filters and analyzing only the subset of Lambda network activity logs relevant to threat detection.

Understanding Log Management
GuardDuty doesn’t manage your Lambda network activity logs (including VPC and non-VPC flow logs) or make them accessible in your account. It only analyzes those logs to identify potential threats.
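The enabling step above, as an added example (not code from this post or from AWS): a boto3 helper that turns on Lambda Protection for every GuardDuty detector in the current region and skips detectors where it is already on. It assumes the GuardDuty API's list_detectors, get_detector and update_detector calls and the detector feature name LAMBDA_NETWORK_LOGS, under which Lambda Protection is exposed in that API; FakeGuardDuty is a constructed stand-in so the helpers can be exercised without AWS credentials.

```python
"""Enable GuardDuty Lambda Protection (feature LAMBDA_NETWORK_LOGS) on detectors."""

# Assumed feature name for Lambda Protection in the GuardDuty detector API.
LAMBDA_FEATURE = "LAMBDA_NETWORK_LOGS"


def lambda_protection_status(gd, detector_id):
    """Return the feature Status ("ENABLED" / "DISABLED"), or None when the
    detector does not report the Lambda Protection feature at all."""
    detector = gd.get_detector(DetectorId=detector_id)
    for feature in detector.get("Features", []):
        if feature.get("Name") == LAMBDA_FEATURE:
            return feature.get("Status")
    return None


def enable_lambda_protection(gd, detector_id):
    """Turn on Lambda network-activity monitoring for one detector.

    Returns True when an update was sent, False when the feature was already
    enabled (the call is skipped, so re-running the script is harmless)."""
    if lambda_protection_status(gd, detector_id) == "ENABLED":
        return False
    gd.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": LAMBDA_FEATURE, "Status": "ENABLED"}],
    )
    return True


def enable_for_all_detectors(gd):
    """Apply enable_lambda_protection to every detector the client can see.
    Returns {detector_id: True if an update was sent}."""
    results = {}
    for detector_id in gd.list_detectors().get("DetectorIds", []):
        results[detector_id] = enable_lambda_protection(gd, detector_id)
    return results


class FakeGuardDuty:
    """Constructed in-memory stand-in for the boto3 GuardDuty client, so the
    helpers above can run offline. Only the three calls used are modelled."""

    def __init__(self, detectors):
        # detectors: {detector_id: current Lambda Protection status or None}
        self._status = dict(detectors)
        self.updates = []  # every (detector_id, Features) update sent

    def list_detectors(self):
        return {"DetectorIds": sorted(self._status)}

    def get_detector(self, DetectorId):
        status = self._status[DetectorId]
        features = [] if status is None else [{"Name": LAMBDA_FEATURE, "Status": status}]
        return {"Features": features}

    def update_detector(self, DetectorId, Features):
        self.updates.append((DetectorId, Features))
        for feature in Features:
            if feature["Name"] == LAMBDA_FEATURE:
                self._status[DetectorId] = feature["Status"]
        return {}


if __name__ == "__main__":
    # Real run: needs AWS credentials and guardduty:UpdateDetector permission.
    import boto3
    print(enable_for_all_detectors(boto3.client("guardduty")))
```

Because the helper checks the current status first, it can be run from a scheduled job or a compliance pipeline to make sure Lambda Protection stays enabled without generating needless update calls.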

What happens if your Lambda Functions are compromised?

If GuardDuty generates a Lambda Protection finding and the activity is unexpected, indicating that your Lambda function may be compromised, take immediate steps to remediate the issue. Here are the three steps you can follow.

Step 1: Identify the Affected Lambda Function Version
A GuardDuty Lambda Protection finding lists the name, Amazon Resource Name (ARN), function version, and revision ID of the affected Lambda function in its details. Save these values, as they will be needed in the subsequent steps.

Step 2: Identify the Source of the Suspicious Activity
The next step is to identify the source of the suspicious activity:

  • Review the code: Examine the code associated with the Lambda function version involved in the finding. Look out for any unusual or unexpected code blocks.
  • Review the imported libraries and layers: Inspect the libraries and layers of the Lambda function version involved in the finding. Ensure these libraries and layers are trusted and required for your function.
  • Use Amazon Inspector: If you have enabled scanning of AWS Lambda functions with Amazon Inspector, review the Amazon Inspector findings associated with the Lambda function involved in the finding.
  • Review AWS CloudTrail logs: AWS CloudTrail logs will help identify the principal that caused the function update. Ensure that the activity was authorized or expected.

Step 3: Remediate the Impacted Lambda Function
After identifying the source of the suspicious activity, the next step is to remediate the compromised Lambda function:

  • Disable the execution triggers: Temporarily disable the execution triggers of the Lambda function involved in the finding to prevent any further potential damage. For more information, see DeleteFunctionEventInvokeConfig.
  • Review and update the Lambda code: Go through the Lambda code and update the library imports and Lambda function layers to remove the potentially suspicious libraries and layers.
  • Mitigate Amazon Inspector findings: If Amazon Inspector findings are associated with the compromised Lambda function, take appropriate steps to mitigate them.
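The three response steps above, as an added example that is not part of the original post or of AWS's own tooling: a small boto3-style runbook that extracts the function identifiers from the finding (step 1), asks CloudTrail which principal last changed the function's code or configuration (step 2), and stops the function from being invoked (step 3) by setting reserved concurrency to 0, deleting the asynchronous invoke config the post refers to (DeleteFunctionEventInvokeConfig), and disabling its event source mappings. SAMPLE_FINDING is a constructed sample in the shape of a GuardDuty Lambda finding, the CloudTrail event-name prefixes are assumptions based on the Lambda API names, and FakeLambda / FakeCloudTrail are constructed stand-ins for the boto3 clients so the runbook can be exercised offline.

```python
"""Triage and contain a GuardDuty Lambda Protection finding (added example)."""
import json

SAMPLE_FINDING = {  # constructed sample in GuardDuty's Lambda finding shape
    "Id": "example-finding-id",
    "Type": "CryptoCurrency:Lambda/BitcoinTool.B",
    "Resource": {
        "ResourceType": "Lambda",
        "LambdaDetails": {
            "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:order-processor",
            "FunctionName": "order-processor",
            "FunctionVersion": "7",
            "RevisionId": "11111111-2222-3333-4444-555555555555",
        },
    },
}

# CloudTrail event names for calls that change what a function runs. The API
# version suffix varies (e.g. UpdateFunctionCode20150331v2), so match on prefix.
CHANGE_EVENT_PREFIXES = ("UpdateFunctionCode", "UpdateFunctionConfiguration",
                         "PublishVersion", "CreateFunction")


def extract_lambda_details(finding):
    """Step 1: pull name, ARN, version and revision id out of the finding."""
    resource = finding.get("Resource", {})
    if resource.get("ResourceType") != "Lambda":
        raise ValueError("not a Lambda Protection finding")
    d = resource["LambdaDetails"]
    return {"name": d["FunctionName"], "arn": d["FunctionArn"],
            "version": d["FunctionVersion"], "revision_id": d["RevisionId"]}


def function_change_events(ct, function_arn):
    """Step 2: return (event name, principal ARN) for code/config changes to
    the function, as CloudTrail's event history reports them."""
    resp = ct.lookup_events(LookupAttributes=[
        {"AttributeKey": "ResourceName", "AttributeValue": function_arn}])
    changes = []
    for ev in resp.get("Events", []):
        if ev.get("EventName", "").startswith(CHANGE_EVENT_PREFIXES):
            detail = json.loads(ev.get("CloudTrailEvent", "{}"))
            principal = detail.get("userIdentity", {}).get("arn", ev.get("Username"))
            changes.append((ev["EventName"], principal))
    return changes


def contain_function(lam, function_name):
    """Step 3: stop further invocations. Returns the actions taken, in order."""
    actions = []
    # Reserved concurrency 0 blocks every invocation path, sync or async.
    lam.put_function_concurrency(FunctionName=function_name, ReservedConcurrentExecutions=0)
    actions.append("reserved_concurrency=0")
    # Remove the async invoke config (retries / destinations) the post refers to.
    try:
        lam.delete_function_event_invoke_config(FunctionName=function_name)
        actions.append("event_invoke_config_deleted")
    except lam.exceptions.ResourceNotFoundException:
        pass  # nothing was configured for this function
    # Pause poll-based triggers (SQS, Kinesis, DynamoDB Streams, ...).
    for m in lam.list_event_source_mappings(FunctionName=function_name).get("EventSourceMappings", []):
        if m.get("State") != "Disabled":
            lam.update_event_source_mapping(UUID=m["UUID"], Enabled=False)
            actions.append("mapping_disabled:" + m["UUID"])
    return actions


class _NotFound(Exception):
    pass


class FakeLambda:
    """Constructed stand-in for the boto3 Lambda client (offline runs only)."""
    class exceptions:  # mirrors client.exceptions.ResourceNotFoundException
        ResourceNotFoundException = _NotFound

    def __init__(self, mappings, has_invoke_config=True):
        self.mappings = {m["UUID"]: dict(m) for m in mappings}
        self.has_invoke_config = has_invoke_config
        self.concurrency = {}

    def put_function_concurrency(self, FunctionName, ReservedConcurrentExecutions):
        self.concurrency[FunctionName] = ReservedConcurrentExecutions

    def delete_function_event_invoke_config(self, FunctionName):
        if not self.has_invoke_config:
            raise _NotFound()
        self.has_invoke_config = False

    def list_event_source_mappings(self, FunctionName):
        return {"EventSourceMappings": list(self.mappings.values())}

    def update_event_source_mapping(self, UUID, Enabled):
        self.mappings[UUID]["State"] = "Enabled" if Enabled else "Disabled"


class FakeCloudTrail:
    """Constructed stand-in for the boto3 CloudTrail client."""
    def __init__(self, events):
        self.events = events

    def lookup_events(self, LookupAttributes):
        return {"Events": self.events}
```

With real clients (boto3.client("lambda") and boto3.client("cloudtrail")) the same three functions run unchanged; keeping the containment actions in a list makes it easy to record what was done in the incident ticket and to reverse it once the function version has been cleaned up.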

GuardDuty’s Lambda Protection feature helps you tackle security threats to your AWS Lambda functions proactively. It’s a new tool in your DevSecOps toolkit that alerts you about possible threats.
