@cyberstrike-io/cyberstrike 1.1.9 → 1.1.10-beta.1

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.10/SKILL.md

@@ -0,0 +1,108 @@
+---
+name: cis-aws-compute-12.10
+description: "Ensure Lambda functions do not allow unknown cross account access via permission policies"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, cross-account, access-control, resource-policy]
+cis_id: "12.10"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.6, cis-aws-compute-12.9]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure Lambda functions do not allow unknown cross account access via permission policies
+
+## Description
+
+Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access.
+
+## Rationale
+
+Allowing unknown (unauthorized) AWS accounts to invoke your Amazon Lambda functions can lead to data exposure and data loss. To prevent any unauthorized invocation requests for your Lambda functions, restrict access only to trusted AWS accounts.
+
+## Impact
+
+Restricting cross-account access may break existing integrations with partner or trusted accounts. Ensure all legitimate cross-account relationships are documented before restricting access.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Resource-based policy statements` section, click `View policy document`
+7. Review the Resource-based policy document box. Find the "Principal" element and check the element value (ARN).
+8. Confirm that each AWS account ARN is an approved AWS account. If one or more of the ARNs is not an AWS account defined within your organization, refer to the remediation below.
+9. Repeat steps no. 2-8 for each Lambda function available within the current AWS region.
+10. Repeat this Audit for all the other AWS regions.
+
+### Using AWS CLI
+
+1. Run `aws lambda list-functions`
+
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+
+2. This command will provide a table titled ListFunctions
+
+3. Run `aws lambda get-policy` on the functions listed
+
+```bash
+aws lambda get-policy --function-name "name_of_function" --output text --query "Policy"
+```
+
+4. This will provide an output of the policy assigned to that function.
+5. Identify the "Principal" element for each function for the ARN.
+6. Confirm that each AWS account ARN is an approved AWS account. If one or more of the ARNs is not an AWS account defined within your organization, refer to the remediation below.
+7. Repeat steps 2-5 for each Lambda function available.
+8. Run the Audit in the other AWS cloud regions.
+
+## Expected Result
+
+All Lambda function resource-based policies contain only Principal ARNs belonging to trusted and approved AWS accounts within the organization.
+
+## Remediation
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Resource-based policy statements` section, select the policy statement that allows the unknown AWS Account cross-account access
+7. Click Edit
+8. On the `Edit permissions` page, replace or remove the AWS Account(s) ARN of the unauthorized principal in the Principal box
+9. Click Save
+10. Repeat steps for each Lambda function that failed the Audit
+
+### Using AWS CLI
+
+N/A - This control is Console-based remediation only.
+
+## Default Value
+
+Lambda functions do not allow cross-account access by default. Cross-account access requires explicit configuration of resource-based policies.
+
+## References
+
+1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                      | IG 1 | IG 2 | IG 3 |
+| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 6.8 Define and Maintain Role-Based Access Control - Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. |      |      | x    |
+| v7               | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network.                                                                                                                                                                                                                                                              |      | x    | x    |
+
+## Profile
+
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.11/SKILL.md

@@ -0,0 +1,126 @@
+---
+name: cis-aws-compute-12.11
+description: "Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, runtime, eol, patching, deprecation]
+cis_id: "12.11"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.8, cis-aws-compute-12.12]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates
+
+## Description
+
+Always using a recent version of the execution environment configured for your Amazon Lambda functions adheres to best practices for the newest software features, the latest security patches and bug fixes, and performance and reliability.
+
+## Rationale
+
+When you execute your Lambda functions using recent versions of the implemented runtime environment, you should benefit from new features and enhancements, better security, along with performance and reliability.
+
+## Impact
+
+Upgrading runtime versions may introduce breaking changes. Functions should be thoroughly tested with the new runtime before deployment.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click Code tab
+5. In the Runtime settings section, check the Runtime attribute value to determine the runtime version.
+6. Compare the function runtime with the updated list of Amazon Lambda runtimes. Link is in the resource section.
+7. If the version you are using is not the latest or is on the EOL list, the selected Amazon Lambda function is using an old and deprecated runtime environment.
+8. Refer to the remediation below.
+9. Repeat steps 2-6 for each Lambda function within the current region.
+
+Then repeat the Audit process for all other regions.
+
+### Using AWS CLI
+
+1. Run `aws lambda list-functions`
+
+```bash
+aws lambda list-functions --output table --query 'Functions[*].FunctionName'
+```
+
+This command will provide a table titled ListFunctions
+
+2. Run `aws lambda get-function-configuration` using the Function names returned in the table.
+
+```bash
+aws lambda get-function-configuration --function-name "name_of_fuunction" --query 'Runtime'
+```
+
+3. The command output should return the execution environment.
+4. Compare the function runtime with the updated list of Amazon Lambda runtimes. Link is in the resource section.
+5. If the version you are using is not the latest or is on the EOL list, the selected Amazon Lambda function is using an old and deprecated runtime environment.
+6. Refer to the remediation below.
+
+## Expected Result
+
+All Lambda functions use supported runtime versions that are not deprecated or on the end-of-life (EOL) list.
+
+## Remediation
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click Code tab
+5. Go to the Runtime settings section.
+6. Click Edit
+7. On the Edit runtime settings page, select the latest supported version of the runtime environment from the dropdown list.
+   \*\*Note - make sure the correct architecture is also selected.
+8. Click Save
+9. Select the Code tab
+10. Click Test from the Code source section.
+11. Once the testing is completed, the execution result of your Lambda function will be listed
+12. Repeat steps for each Lambda function that failed the Audit within the current region.
+
+### Using AWS CLI
+
+1. Run `aws lambda update-function-configuration` using the name of the Function you need to remediate
+
+```bash
+aws lambda update-function-configuration --output table --query 'Functions[*].FunctionName'
+```
+
+This command will provide a table titled ListFunctions
+
+2. Run `aws lambda get-function-configuration` using the Function names returned in the table.
+
+```bash
+aws lambda get-function-configuration --function-name "name_of_fuunction" --function-name "name_of_function" --runtime "python3.9"
+```
+
+3. The command output should return the metadata available for the reconfigured function.
+4. Repeat steps 1-2 to upgrade the runtime environment for each Amazon Lambda function found in the Audit.
+
+## Default Value
+
+Lambda functions use the runtime version specified at creation time. AWS does not automatically upgrade runtimes.
+
+## References
+
+1. https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                                                                                                | IG 1 | IG 2 | IG 3 |
+| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 7.4 Perform Automated Application Patch Management - Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.                                                        | x    | x    | x    |
+| v7               | 3.5 Deploy Automated Software Patch Management Tools - Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor. | x    | x    | x    |
+
+## Profile
+
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.12/SKILL.md

@@ -0,0 +1,111 @@
+---
+name: cis-aws-compute-12.12
+description: "Ensure encryption in transit is enabled for Lambda environment variables"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, encryption, transit, environment-variables, kms]
+cis_id: "12.12"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.3, cis-aws-compute-12.11]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure encryption in transit is enabled for Lambda environment variables
+
+## Description
+
+As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection.
+
+## Rationale
+
+Lambda environment variables should be encrypted in transit for client-side protection as they can store sensitive information.
+
+## Impact
+
+Enabling encryption in transit adds encryption overhead and may require updates to Lambda function code to decrypt environment variables at runtime.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Environment variables`.
+6. In the `Environment variables` section, click `Edit`
+7. On the Edit environment variables page, review the Values. If they are a long value that resembles this:
+   AQICAHhxbKJYcFAU16CbU4IVpzi5CwK
+   Encryption is in place for that Key. If the value is in plain text refer to the remediation below.
+8. Repeat steps 2 - 7 for each Lambda function available in the current AWS region.
+9. Repeat this Audit for all the other AWS regions.
+
+### Using AWS CLI
+
+1. Run `aws lambda list-functions`
+
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+
+This command will provide a table titled ListFunctions
+
+2. Run `aws lambda get-function`
+
+```bash
+aws lambda get-function --function-name "name_of_function" --query "Configuration.Environment"
+```
+
+This will provide an output of the environment variables created for that function.
+
+3. Review the Values in the table. If they contain a long value that resembles this:
+   AQICAHhxbKJYcFAU16CbU4IVpzi5CwK. Encryption is in place for that Key. If the value is in plain text refer to the remediation below.
+4. Repeat steps 1 - 3 for each Lambda function listed in the current region.
+5. Repeat this Audit for all the other AWS regions.
+
+## Expected Result
+
+All Lambda function environment variable values are encrypted in transit (values appear as encrypted ciphertext rather than plain text).
+
+## Remediation
+
+### Using AWS Console
+
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Environment variables`.
+6. In the `Environment variables` section, click `Edit`
+7. Click the check box for `Enable helpers for encryption in transit`
+8. Click the `Encrypt` option for all the variable that need to be encrypted.
+9. Repeat steps 2 - 8 for each Lambda function identified in the Audit within the current AWS region.
+10. Repeat this remediation for all the other AWS regions.
+
+### Using AWS CLI
+
+N/A - This control is Console-based remediation only.
+
+## Default Value
+
+Lambda environment variables are encrypted at rest by default using AWS managed keys, but encryption in transit (client-side encryption) is not enabled by default.
+
+## References
+
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                                                          | IG 1 | IG 2 | IG 3 |
+| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 3.10 Encrypt Sensitive Data in Transit - Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).                                                                                                                                                                                                                                                                                 |      | x    | x    |
+| v8               | 3.11 Encrypt Sensitive Data at Rest - Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. |      | x    | x    |
+| v7               | 10.4 Ensure Protection of Backups - Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.                                                                                                                                                                                                                     | x    | x    | x    |
+
+## Profile
+
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.2/SKILL.md

@@ -0,0 +1,106 @@
+---
+name: cis-aws-compute-12.2
+description: "Ensure Cloudwatch Lambda insights is enabled"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, cloudwatch, monitoring, insights]
+cis_id: "12.2"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.1, cis-aws-compute-12.7]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure Cloudwatch Lambda insights is enabled
+
+## Description
+
+Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring.
+
+## Rationale
+
+Amazon CloudWatch Lambda Insights allows you to monitor, troubleshoot, and optimize your Lambda functions. The service collects system-level metrics and summarizes diagnostic information to help you identify issues with your Lambda functions and resolve them as soon as possible. CloudWatch Lambda Insights collects system-level metrics and emits a single performance log event for every invocation of that Lambda function.
+
+## Impact
+
+Enabling CloudWatch Lambda Insights may incur additional CloudWatch costs. When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Login to AWS Console using https://console.aws.amazon.com/lambda/
+2. Click `Functions`.
+3. Click on the name of the function.
+4. Click on the `Configuration tab`.
+5. Click on 'Monitoring and operations tools'.
+6. In the Monitoring and operations tools section check the `Enhanced monitoring`.
+7. If set to Not enabled, refer to the remediation below.
+8. Repeat steps 2-7 for each Lambda function within the current region.
+9. Then repeat the Audit process for all other regions.
+
+### Using AWS CLI
+
+1. Run `aws lambda list-functions`
+
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+
+This command will provide a table titled ListFunction
+
+2. Run `aws lambda get-function`
+
+```bash
+aws lambda get-function --function-name "name_of_function" --query "'Configuration.Layers[*].Arn"
+```
+
+This command should provide the requested ARN.
+
+3. If the list of ARNs does not contain the CloudWatch Lambda Insights extension ARN, i.e. `arn:aws:lambda:<aws-region>:12345678910:layer:LambdaInsightsExtension:<version>`, the Enhanced Monitoring feature is not enabled. Refer to the remediation below.
+
+## Expected Result
+
+Each Lambda function should have the CloudWatch Lambda Insights extension ARN listed in its layers, indicating Enhanced Monitoring is enabled.
+
+## Remediation
+
+### Using AWS Console
+
+1. Login to AWS Console using https://console.aws.amazon.com/lambda/
+2. Click `Functions`.
+3. Click on the name of the function.
+4. Click on the `Configuration tab`
+5. Click on 'Monitoring and operations tools'.
+6. In the Monitoring and operations tools section click `Edit` to update the monitoring configuration
+7. In the CloudWatch Lambda Insights section click the `Enhanced monitoring` button to enable.
+   \*\*\*Note - When you enable the feature using the AWS Management Console, Amazon Lambda adds the required permissions to your function's execution role.
+8. Click Save
+9. Repeat steps 2-8 for each Lambda function within the current region that fails the Audit.
+10. Then repeat the Audit process for all other regions.
+
+### Using AWS CLI
+
+N/A - This control is Console-based remediation only.
+
+## Default Value
+
+CloudWatch Lambda Insights is not enabled by default.
+
+## References
+
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                         | IG 1 | IG 2 | IG 3 |
+| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 8.2 Collect Audit Logs - Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets. | x    | x    | x    |
+| v7               | 6.2 Activate audit logging - Ensure that local logging has been enabled on all systems and networking devices.                                                  | x    | x    | x    |
+
+## Profile
+
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.3/SKILL.md

@@ -0,0 +1,107 @@
+---
+name: cis-aws-compute-12.3
+description: "Ensure AWS Secrets manager is configured and being used by Lambda for databases"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, secrets-manager, credentials, database]
+cis_id: "12.3"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.12]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure AWS Secrets manager is configured and being used by Lambda for databases
+
+## Description
+
+Lambda functions often have to access a database or other services within your environment.
+
+## Rationale
+
+Credentials used to access databases and other AWS Services need to be managed and regularly rotated to keep access into critical systems secure. Keeping any credentials and manually updating the passwords would be cumbersome, but AWS Secrets Manager allows you to manage and rotate passwords.
+
+## Impact
+
+Lambda code should be checked for correct configuration to get the credentials from AWS Secrets Manager. This audit and remediation is only to confirm you have the credentials in Secrets manager.
+
+## Audit Procedure
+
+### Using AWS Console
+
+1. Login to AWS Console using https://console.aws.amazon.com
+2. Click `All services`, click `Secrets Manager` under Security, Identity and Compliance.
+3. Click on `Secrets`.
+4. Review the secrets listed
+5. Confirm that the secret required for Lambda functions is included in the list.
+6. If it is, review your code and confirm that you are calling the credentials during runtime.
+7. If the credentials are not listed refer to the remediation below.
+8. Repeat steps 2-7 for all regions used.
+
+### Using AWS CLI
+
+N/A - This control is Console-based audit only.
+
+## Expected Result
+
+All database credentials used by Lambda functions are stored in AWS Secrets Manager and Lambda code retrieves credentials from Secrets Manager at runtime.
+
+## Remediation
+
+### Using AWS Console
+
+1. Login to AWS Console using https://console.aws.amazon.com
+2. Click `All services`, click `Secrets Manager` under Security, Identity and Compliance.
+3. Click on `Secrets`.
+4. Click on `Store a new secret`
+5. Select the `Secret type`
+6. Enter the information
+
+For the 3 db types listed enter the credentials and select the database.
+For `other database` enter the credentials, select the db type and enter the connection parameters.
+
+For `Other type of secret` (Lambda) create the keys and values used. - example Username yepyep Password yepyep
+Choose an encryption key or create a new one. If you add a new key it will take you to the KMS console. Once you create the new key you can then select it here.
+
+7. Click `Next`
+8. Give the secret a name associated with your organization style and lambda
+9. Click `Next`
+10. Configure the auto rotation
+
+```
+Rotation schedule leave as default
+Select the lambda function you use to rotate the key
+```
+
+11. Click `Next`
+12. Review all the settings
+13. Click `Store`
+
+### Using AWS CLI
+
+N/A - This control is Console-based remediation only.
+
+## Default Value
+
+AWS Secrets Manager is not configured by default for Lambda functions.
+
+## References
+
+1. https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/
+2. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                                                                                                         | IG 1 | IG 2 | IG 3 |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 2.5 Allowlist Authorized Software - Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.                                     |      | x    | x    |
+| v8               | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x    | x    | x    |
+| v7               | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network.                                                                                 |      | x    | x    |
+| v7               | 4.2 Change Default Passwords - Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.                                                                                       | x    | x    | x    |
+
+## Profile
+
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.4/SKILL.md

@@ -0,0 +1,85 @@
+---
+name: cis-aws-compute-12.4
+description: "Ensure least privilege is used with Lambda function access"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, iam, least-privilege, access-control]
+cis_id: "12.4"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.5, cis-aws-compute-12.6, cis-aws-compute-12.9, cis-aws-compute-12.10]
+prerequisites: []
+severity_boost: {}
+---
+
+# Ensure least privilege is used with Lambda function access
+
+## Description
+
+Lambda is fully integrated with IAM, allowing you to control precisely what each Lambda function can do within the AWS Cloud. As you develop a Lambda function, you expand the scope of this policy to enable access to other resources. For example, for a function that processes objects put into an S3 bucket, it requires read access to objects stored in that bucket. Do not grant the function broader permissions to write or delete data, or operate in other buckets.
+
+## Rationale
+
+You can use AWS Identity and Access Management (IAM) to manage access to the Lambda API and resources like functions and layers. For users and applications in your account that use Lambda, you manage permissions in a permissions policy that you can apply to IAM users, groups, or roles. To grant permissions to other accounts or AWS services that use your Lambda resources, you use a policy that applies to the resource itself.
+
+## Impact
+
+Determining the exact permissions required is a manual process and can be challenging, since IAM permissions are very granular and they control access to both the data plane and control plane.
+
+## Audit Procedure
+
+### Using AWS Console
+
+Determining the exact permissions required is a manual process and can be challenging, since IAM permissions are very granular and they control access to both the data plane and control plane.
+Please refer to the references section below for useful documentation on developing the correct IAM policies for Lambda.
+
+### Using AWS CLI
+
+N/A - This control requires manual review of IAM policies.
+
+## Expected Result
+
+Lambda functions have granular IAM permissions following the principle of least privilege, with access limited to only necessary resources and operations.
+
+## Remediation
+
+### Using AWS Console
+
+As building out the IAM permissions for Lambda here are some things to consider:
+
+- Set granular IAM permissions for Lambda functions.
+- Limit user access via IAM permissions to only necessary resources and operations.
+- Remove unused or outdated IAM Users, Roles and Permissions.
+- Periodically review and adjust IAM permissions.
+- Do not allow all-access permissions for Lambda functions as a short cut.
+
+### Using AWS CLI
+
+N/A - This control requires manual IAM policy review and adjustment.
+
+## Default Value
+
+Lambda functions are created with a basic execution role by default, but the exact permissions depend on the role configuration.
+
+## References
+
+1. https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
+2. https://awspolicygen.s3.amazonaws.com/policygen.html
+3. https://policysim.aws.amazon.com/home/index.jsp?#
+4. https://github.com/aws-samples/aws-iamctl/
+5. https://docs.aws.amazon.com/lambda/latest/operatorguide/least-privilege-iam.html
+
+## CIS Controls
+
+| Controls Version | Control                                                                                                                                                                                                                                         | IG 1 | IG 2 | IG 3 |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x    | x    | x    |
+| v8               | 6.7 Centralize Access Control - Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.                                                                                               |      | x    | x    |
+| v7               | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network.                                                                                 |      | x    | x    |
+| v7               | 7.8 Implement DMARC and Enable Receiver-Side Verification - To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.     |      | x    | x    |
+
+## Profile
+
+Level 1 | Manual