npm - @cyberstrike-io/cyberstrike - Versions diffs - 1.1.9 → 1.1.10-beta.1 - Mend

@cyberstrike-io/cyberstrike 1.1.9 → 1.1.10-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (568) hide show

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.5/SKILL.md ADDED Viewed

@@ -0,0 +1,102 @@
+---
+name: cis-aws-compute-12.5
+description: "Ensure every Lambda function has its own IAM Role"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, iam, execution-role, least-privilege]
+cis_id: "12.5"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.7, cis-aws-compute-12.9]
+prerequisites: []
+severity_boost: {}
+---
+# Ensure every Lambda function has its own IAM Role
+## Description
+Every Lambda function should have a one to one IAM execution role and the roles should not be shared between functions.
+## Rationale
+The Principle of Least Privilege means that any Lambda function should have the minimal amount of access required to perform its tasks. In order to accomplish this Lambda functions should not share IAM Execution roles.
+## Impact
+Creating unique IAM roles for each Lambda function increases the number of IAM roles to manage but provides better security isolation between functions.
+## Audit Procedure
+### Using AWS Console
+1. Login to the AWS console using https://console.aws.amazon.com/lambda/
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review.
+4. Click the `Configuration` tab
+5. Under General configuration on the left column, click `Permissions`.
+6. Under the `Execution role` section, `Role name` not the name listed as this is the IAM is the role that defines the access permissions for the selected function.
+7. Repeat steps 2 - 6 for all the Lambda functions listed within the AWS region.
+8. If any Lambda functions share the same Execution role, refer to the remediation below.
+9. Repeat this Audit for all the AWS Regions.
+### Using AWS CLI
+N/A - This control is Console-based audit only.
+## Expected Result
+Each Lambda function has a unique IAM execution role that is not shared with any other Lambda function.
+## Remediation
+### Using AWS Console
+1. Login to the AWS console using https://console.aws.amazon.com/lambda/
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to change/update.
+4. Click the `Configuration` tab
+5. Under General configuration on the left column, click `Permissions`.
+6. Under the `Execution role` section, click `Edit`.
+7. Scroll down to `Execution role`
+**To use an existing IAM role:**
+- Click `Use an existing role`
+- Select the role from the `Existing role` dropdown.
+- The IAM role can't be associated with another Lambda function and must follow the Principle of Least Privilege.
+**To use a new IAM role:**
+- Click `Create a new role from AWS policy templates`
+- Provide a unique name based on company policy in the `Role name`
+- Select the policy templates from the `Policy templates` dropdown.
+8. Click `Save`
+9. Repeat steps 2 - 8 for all the Lambda functions listed within the AWS region that do not have a unique IAM Execution Role.
+10. Repeat this remediation process for all the AWS Regions.
+### Using AWS CLI
+N/A - This control is Console-based remediation only.
+## Default Value
+When creating a Lambda function, AWS creates a default execution role, but multiple functions can be configured to share the same role.
+## References
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                | IG 1 | IG 2 | IG 3 |
+| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.                                                                                                                                        | x    | x    | x    |
+| v7               | 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies - Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. |      | x    | x    |
+## Profile
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.6/SKILL.md ADDED Viewed

@@ -0,0 +1,134 @@
+---
+name: cis-aws-compute-12.6
+description: "Ensure Lambda functions are not exposed to everyone"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, public-access, permissions, resource-policy]
+cis_id: "12.6"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.9, cis-aws-compute-12.10]
+prerequisites: []
+severity_boost: {}
+---
+# Ensure Lambda functions are not exposed to everyone
+## Description
+A publicly accessible Amazon Lambda function is open to the public and can be reviewed by anyone. To protect against unauthorized users that are sending requests to invoke these functions they need to be changed so they are not exposed to the public.
+## Rationale
+Allowing anyone to invoke and run your Amazon Lambda functions can lead to data exposure, data loss, and unexpected charges on your AWS bill.
+## Impact
+Restricting public access may break existing integrations that rely on anonymous invocation of Lambda functions.
+## Audit Procedure
+### Using AWS Console
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Resource-based policy` section, click `View policy document`
+7. Review the Resource-based policy document box. Find the "Principal" element defined for each policy statement and check the element value. If the element has one of the following values: "" or { "AWS": "" }, it means it is set to "Allow", and if it does not contain a "Condition" clause to filter the access, the selected Amazon Lambda function is set to anonymous access.
+8. If any of the Lambda functions have anonymous access set refer to the remediation below.
+9. Repeat steps 2 - 7 for each Lambda function available within the current AWS region.
+10. Repeat this Audit for all the other AWS regions.
+### Using AWS CLI
+1. Run `aws lambda list-functions`
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+This command will provide a table titled ListFunctions
+2. Run `aws lambda get-policy`
+```bash
+aws lambda get-policy --function-name "name_of_function" --output text --query "Policy"
+```
+This will provide an output of the policy assigned to that function.
+3. Find the "Principal" element defined for that function. If the element has one of the following values: "" or { "AWS": "" }, it means it is set to "Allow", and if it does not contain a "Condition" clause to filter the access, the selected Amazon Lambda function is set to anonymous access.
+4. Make note of the Function name from step 1 and the Statement name from step 2 and refer to the remediation steps below.
+5. Repeat steps 1 - 3 for each Lambda function listed within the current region.
+6. Repeat this Audit for all the other AWS regions.
+## Expected Result
+No Lambda function has a resource-based policy that allows anonymous or public access (Principal set to "_" or {"AWS": "_"} without a Condition clause).
+## Remediation
+### Using AWS Console
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Resource-based policy` section, perform the following actions:
+   - Under Policy statements
+   - Select the policy statement that allows anonymous access
+   - Click Delete to remove the non-compliant statement from the resource-based policy attached
+   - Within the Delete statement confirmation box, click Remove
+   - Click Add permissions to add a new policy statement that grants permissions to a trusted entity only.
+   - On the Add permissions page configure the new policy statement to grant access to another AWS account, IAM user, IAM role, or to another AWS service.
+   - Click Save
+7. Repeat steps no. 2 - 6 for each Lambda function that fails the Audit above, within the current region.
+8. Repeat this Audit for all the other AWS regions.
+### Using AWS CLI
+1. Run `aws lambda remove-permission`
+```bash
+aws lambda remove-permission --function-name "name_of_function" --statement-id "SID_of_Statement"
+```
+This command will remove the access policy that is failing the audit for that function.
+2. Run `aws lambda add-permission`
+```bash
+aws lambda add-permission --function-name "name_of_function" --statement-id "correctaccess" --principal "012345678910" --action lambda:InvokeFunction
+```
+This adds a new policy to the function.
+\*\*\*Note The --principal parameter can be the ID of the trusted AWS account, another AWS account, IAM user, IAM role, or another AWS service.
+3. The command output should display the new policy created.
+4. Repeat steps 1-2 for each Lambda function from the audit for all regions.
+## Default Value
+Lambda functions are not publicly accessible by default. Public access requires explicit configuration of resource-based policies.
+## References
+1. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                           | IG 1 | IG 2 | IG 3 |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 1.2 Address Unauthorized Assets - Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. | x    | x    | x    |
+| v7               | 1.6 Address Unauthorized Assets - Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.                                                                                                | x    | x    | x    |
+| v7               | 2.6 Address unapproved software - Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.                                                                                                                             | x    | x    | x    |
+## Profile
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.7/SKILL.md ADDED Viewed

@@ -0,0 +1,140 @@
+---
+name: cis-aws-compute-12.7
+description: "Ensure Lambda functions are referencing active execution roles"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, iam, execution-role, active-role]
+cis_id: "12.7"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.5, cis-aws-compute-12.9]
+prerequisites: []
+severity_boost: {}
+---
+# Ensure Lambda functions are referencing active execution roles
+## Description
+In order to have the necessary permissions to access the AWS cloud services and resources Amazon Lambda functions should be associated with active(available) execution roles.
+## Rationale
+A Lambda function's execution role is an Identity and Access Management (IAM) role that grants the function permission to process and access specific AWS services and resources. When Amazon Lambda functions are not referencing active execution roles, the functions are losing the ability to perform critical operations securely.
+## Impact
+Functions referencing inactive or deleted execution roles will fail to execute properly, potentially causing service disruptions.
+## Audit Procedure
+### Using AWS Console
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Resource summary` section, if it reads "The role with name <role_name> cannot be found. (Service: LambdaConsole; Status Code: 404; Error Code: NoSuchEntity; Request ID: e3f12a73-2988-4dd5-b2d1-237c800a27f4; Proxy: null) refer to the remediation below.
+7. Repeat steps 2 - 6 for each Lambda function available within the current AWS region.
+8. Repeat this Audit for all the other AWS regions.
+### Using AWS CLI
+1. Run `aws lambda list-functions`
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+This command will provide a table titled ListFunctions
+2. Run `aws lambda get-function`
+```bash
+aws lambda get-function --function-name "name_of_function" --query "Configuration.Role"
+```
+This will provide an output returning the role ARN assigned to that function.
+3. Run `aws iam get-role`
+```bash
+aws iam get-role --role-name "name_of_role"
+```
+This will return the requested configuration information.
+4. The command output should return the requested configuration information.
+5. If the command output returns a `An error occurred (NoSuchEntity) when calling the GetRole operation` error message instead of the role's configuration, the execution role associated with the selected Lambda function is no longer available. Refer to the remediation below.
+6. Repeat steps 1-5 for each Lambda function available in the selected AWS region.
+Perform the Audit process for other regions.
+## Expected Result
+All Lambda functions reference active, existing IAM execution roles. The `aws iam get-role` command returns valid role configuration for each referenced role.
+## Remediation
+### Using AWS Console
+1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to update.
+4. Click the Configuration tab
+5. In the left column, click `Permissions`.
+6. In the `Execution role` section, click Edit
+7. In the `Edit basic settings` page, perform one of the following actions:
+**To use an existing role:**
+- Click Use an existing role if you already a execution role for the selected Lambda function.
+- Select the IAM role from the `Existing role` dropdown list.
+- Click Save.
+**Or to create a custom role:**
+- Click To create a custom role, go to the `IAM console`.
+- Click AWS Service
+- Click `Lambda`.
+- Click `Next: Permissions`
+- Attach the permission policies needed
+- Click Next: Tags
+- Add tags (optional) based on your Organizational policy
+- Click Next: Review
+- Enter a Role name and a Role description so you can attach the policy to the Lambda function
+- Click `Create role`
+- Refresh the Edit basic settings page
+- Select the new IAM role you just created from the `Existing role` dropdown list.
+- Click Save.
+8. Repeat steps 2 - 7 to update the execution role for each misconfigured Amazon Lambda function within the current AWS region.
+9. Repeat this Audit for all the other AWS regions.
+### Using AWS CLI
+N/A - This control is Console-based remediation only.
+## Default Value
+Lambda functions are created with valid execution roles, but roles may be deleted independently of the function.
+## References
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                         | IG 1 | IG 2 | IG 3 |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 3.3 Configure Data Access Control Lists - Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x    | x    | x    |
+| v7               | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network.                                                                                 |      | x    | x    |
+| v7               | 14.6 Protect Information through Access Control Lists - Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists.                                              | x    | x    | x    |
+| v7               | 14.7 Enforce Access Control to Data through Automated Tools - Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system.                                         |      |      | x    |
+## Profile
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.8/SKILL.md ADDED Viewed

@@ -0,0 +1,142 @@
+---
+name: cis-aws-compute-12.8
+description: "Ensure that Code Signing is enabled for Lambda functions"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, code-signing, integrity, supply-chain]
+cis_id: "12.8"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.9, cis-aws-compute-12.11]
+prerequisites: []
+severity_boost: {}
+---
+# Ensure that Code Signing is enabled for Lambda functions
+## Description
+Ensure that all your Amazon Lambda functions are configured to use the Code Signing feature in order to restrict the deployment of unverified code.
+## Rationale
+Code Signing, ensures that the function code is signed by an approved (trusted) source, and that it has not been altered since signing, and that the code signature has not expired or been revoked.
+## Impact
+Enabling code signing adds an additional step to the deployment process. All code packages must be signed before deployment, which may slow down CI/CD pipelines.
+## Audit Procedure
+### Using AWS Console
+1. Login to the AWS console using https://console.aws.amazon.com/lambda/
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review.
+4. Click the `Configuration` tab
+5. Under General configuration on the left column, click `Code signing`.
+6. Under the `Code signing configuration` section check for any code signing configurations created for the function.
+7. If there are no code signing configurations available or listed is not enabled, refer to the remediation.
+8. Repeat steps 2-7 for each Lambda function within the current region.
+9. Then repeat the Audit process for all other regions.
+### Using AWS CLI
+1. Run `aws lambda list-functions`
+```bash
+aws lambda list-functions --output table --query "Functions[*].FunctionName"
+```
+This command will provide a table titled ListFunctions
+2. Run `aws lambda get-function-code-signing-config`
+```bash
+aws lambda get-function-code-signing-config --function-name "name_of_function" --query "CodeSigningConfigArn"
+```
+3. The command output should return an array with the requested ARN(s).
+4. If the get-function-code-signing-config command output returns null, there are no code signing configurations for the Lambda function.
+5. Refer to the remediation below.
+6. Repeat step 2-5 for each Lambda function available in the selected AWS region.
+7. Perform the Audit process for all other regions used.
+## Expected Result
+Each Lambda function has a code signing configuration with a valid CodeSigningConfigArn associated.
+## Remediation
+### Using AWS Console
+1. Login to the AWS console using https://console.aws.amazon.com/signer
+2. Click on `Create Signing Profile` if none are set up. If you already have some created in the left panel click on `Signing Profiles`, `Create Signing Profile`.
+   \*\*\*Note a Signing Profile is a trusted publisher and is analogous to the use of a digital signing certificate to generate signatures for your application code.
+3. On the `Create Signing Profile` setup page provide:
+   - Profile name
+   - Specify the Signature Validity period (6 months up to 12 months is recommended)
+4. Click on `Create Profile`
+5. Go to the Amazon Lambda console https://console.aws.amazon.com/lambda/.
+6. In the left panel, under Additional resources, click on `Code signing configurations`.
+7. Click on `Create configuration`
+8. On the `Create code signing configuration` setup page:
+   - Description box - provide a short description to identify this configuration
+   - Click inside the `Signing profile version ARN` box and select the Signing Profile created above.
+   - For `Signature validation policy`, click the signature validation policy suitable for your Lambda function.
+     \*\*Note - A signature check can fail if the code is not signed by an allowed Signing Profile, or if the signature has expired or has been revoked.
+   - Click Enforce - blocking the deployment of the code and also issue a warning.
+   - Click `Create configuration`
+9. Go to the Amazon Lambda console https://console.aws.amazon.com/lambda/.
+10. Click Functions.
+11. Under Function name click on the name of the function that you want to review
+12. Click the Configuration tab
+13. In the left menu click Code signing.
+14. Click Edit
+15. On the `Edit code signing`, select the code signing configuration created above from the drop down
+16. Click `Save`
+The Lambda function is now configured to use code signing.
+17. Next Upload a signed .zip file or provide an S3 URL of a signed .zip made by a signing job in AWS Signer.
+18. To start a signing job, go to AWS Signer console at https://console.aws.amazon.com/signer.
+19. In the left panel, click on Signing Jobs.
+20. Start a Signing Job to generate a signature for your code package and place the signed code package in the specified destination path.
+21. Start Signing Job setup page:
+    - Select the Signing Profile created in dropdown list.
+    - Code asset source location, specify the Amazon S3 location of the code package (.zip file) to be signed. Only S3 buckets available in the current region are displayed and can be used.
+    - Signature destination path with prefix where the signed code package should be uploaded.
+    - Start Job to deploy your new Signing Job
+    - Job status reads Succeeded, you can find the signed .zip package in your assigned S3 bucket.
+22. Publish the signed code package to the selected Lambda function.
+23. Amazon Lambda will perform signature checks to verify that the code has not been altered since signing.
+    \*\*Note - The service verifies if the code is signed by one of the allowed signing profiles available.
+24. Repeat steps for each Lambda function that was captured in the Audit.
+### Using AWS CLI
+N/A - This control is Console-based remediation only.
+## Default Value
+Code Signing is not enabled by default for Lambda functions.
+## References
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+2. https://console.aws.amazon.com/signer
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                  | IG 1 | IG 2 | IG 3 |
+| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 2.7 Allowlist Authorized Scripts - Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. |      |      | x    |
+| v8               | 10.2 Configure Automatic Anti-Malware Signature Updates - Configure automatic updates for anti-malware signature files on all enterprise assets.                                                                                                                                                         | x    | x    | x    |
+| v7               | 5.3 Securely Store Master Images - Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.                                                                                   |      | x    | x    |
+| v7               | 8.2 Ensure Anti-Malware Software and Signatures are Updated - Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.                                                                                                                | x    | x    | x    |
+## Profile
+Level 1 | Manual

package/skill/CIS_benchmarks/AWS/CIS_AWS_Compute_Services_Benchmark_v1.1.0/cis-aws-compute-12.9/SKILL.md ADDED Viewed

@@ -0,0 +1,110 @@
+---
+name: cis-aws-compute-12.9
+description: "Ensure there are no Lambda functions with admin privileges within your AWS account"
+category: cis-compute
+version: "1.1.0"
+author: cyberstrike-official
+tags: [cis, aws, compute, lambda, serverless, iam, admin-privileges, least-privilege, over-permission]
+cis_id: "12.9"
+cis_benchmark: "CIS AWS Compute Services Benchmark v1.1.0"
+tech_stack: [aws]
+cwe_ids: []
+chains_with: [cis-aws-compute-12.4, cis-aws-compute-12.5, cis-aws-compute-12.10]
+prerequisites: []
+severity_boost: {}
+---
+# Ensure there are no Lambda functions with admin privileges within your AWS account
+## Description
+Ensure that your Amazon Lambda functions don't have administrative permissions potentially giving the function access to all AWS cloud services and resources.
+## Rationale
+In order to promote the Principle of Least Privilege (POLP) and provide your functions the minimal amount of access required to perform their tasks the right IAM execution role associated with the function should be used. Instead of providing administrative permissions you should grant the role the necessary permissions that the function really needs.
+## Impact
+Removing admin privileges from Lambda execution roles may break functions that rely on broad permissions. Functions should be tested after permission changes.
+## Audit Procedure
+### Using AWS Console
+1. Login in to the AWS Console using https://console.aws.amazon.com/lambda/
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function that you want to review
+4. Click the Configuration tab
+5. Click on `Permissions` in the left column.
+6. In the Execution role section, click the `Role name` to access the IAM role details.
+   \*\*Note this will bring you to the IAM Console.
+7. Select the Permissions tab to view the identity-based policies attached
+8. In the Permissions policies section click on the Policy name.
+9. Select the Permissions tab.
+   \*\*Note The policy summary should show below in JSON format.
+10. Within the {} JSON policy, identify the "Action" element defined for each statement and check the value.
+11. If any of the "Action" element values are set to "\*" and the "Effect" element is set to "Allow", the role policy provides access to all the supported AWS cloud services and resources.
+12. Repeat this step for each IAM policy attached to the selected execution role.
+If one or more policies allow access to all AWS services and resources, the execution role provides administrative permissions. Refer to the remediation below.
+Repeat steps for each Lambda function within the current region.
+Then repeat the Audit process for all other regions.
+### Using AWS CLI
+N/A - This control requires manual review of IAM policies through the Console.
+## Expected Result
+No Lambda function execution role has policies with "Action": "\*" and "Effect": "Allow", ensuring no function has administrative privileges.
+## Remediation
+### Using AWS Console
+1. Login in to the AWS Console using https://console.aws.amazon.com/lambda/
+2. In the left column, under `AWS Lambda`, click `Functions`.
+3. Under `Function name` click on the name of the function you want to remediate
+4. Click the Configuration tab
+5. Click on `Permissions` in the left column.
+6. In the Execution role section, click the `Edit`
+7. Edit basic settings configuration page:
+**Associate the function with an existing, compliant IAM role:**
+- click Use an existing role from the Execution role
+- select the required role from the Existing role dropdown
+- click Save
+**OR apply a new execution role to your Lambda function:**
+- click Create a new role from AWS policy templates
+- Provide a name for the new role based on org policy
+- select only the necessary permission set(s) from the Policy templates - optional dropdown list.
+- click Save
+8. Repeat steps for each Lambda function within the current region that failed the Audit.
+### Using AWS CLI
+N/A - This control is Console-based remediation only.
+## Default Value
+Lambda functions are not created with administrative privileges by default, but users may attach overly permissive policies to execution roles.
+## References
+1. https://docs.aws.amazon.com/lambda/latest/dg/welcome.html
+## CIS Controls
+| Controls Version | Control                                                                                                                                                                                                                                                                                                                                                                                                                      | IG 1 | IG 2 | IG 3 |
+| ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ---- | ---- |
+| v8               | 6.8 Define and Maintain Role-Based Access Control - Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. |      |      | x    |
+| v7               | 1.7 Deploy Port Level Access Control - Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network.                                                                                                                                                                                                                                                              |      | x    | x    |
+## Profile
+Level 1 | Manual