Should They Have That Much Access?

According to The Hacker News, the first known malware targeting AWS Lambda serverless functions was recently discovered. Although positioned as a "first-of-its-kind," its discovery was not entirely surprising. While this sample was described as "only" mining cryptocurrency, the same foothold could be used for far more harmful activity: a Lambda function assumes an AWS IAM role, and that role is often granted permissions to data, such as the S3 buckets the function reads its input from or writes its output to.

As researchers, including the Cado Labs team that discovered the malware, continue to determine how it was deployed, every organization should keep the following industry best practices in mind:

  • Limit who can do what with Lambda functions to reduce the risk of malware deployment. As with everything governed by AWS IAM policies, apply the principle of least privilege: review which principals can perform operations on Lambda functions (in particular, who can create a function or update its code and configuration) and which permissions they actually need (read, write or list).
  • Assume breach and limit the blast radius by restricting each Lambda function's own permissions. A function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. These roles are typically written by developers and frequently include excessive permissions. For legitimate functions, reduce the role to only the actions and resources the function's code actually uses; analyzing that code to derive the required permissions saves developer time and helps achieve true least privilege.
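Both recommendations come down to reading IAM policy documents and asking whether they grant more than the principal needs. The following is an added example written for this article, not code from CyberArk or from the Cado Labs research: a small audit function that flags Allow statements with wildcard actions, unscoped resources, or broadly granted deployment actions, run over three constructed policies. An overly broad execution role is shown beside its least-privilege rewrite, and a deployer policy shows the "who can change the function" side. The `STAR_ONLY_ACTIONS` list, the bucket names, the log-group ARN and the account ID are illustrative assumptions.

```python
"""Audit IAM policy documents for permissions broader than least privilege.

Added example for this article. The policies below are constructed for
illustration; the bucket names, account ID and action lists are assumptions.
"""
import fnmatch
import json

# Actions that let a principal change what code a Lambda function runs, or
# which role it runs as. Granting these on Resource "*" means the holder can
# deploy code into (or re-role) every function in the account.
DEPLOY_ACTIONS = {
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:PublishLayerVersion",
    "lambda:AddPermission",
    "lambda:CreateEventSourceMapping",
    "iam:PassRole",  # lets the caller attach an arbitrary role to a function
}

# Assumption (illustrative, not exhaustive): actions AWS only accepts with
# Resource "*", so a "*" resource on them is not a finding.
STAR_ONLY_ACTIONS = {"s3:ListAllMyBuckets", "logs:CreateLogGroup", "lambda:ListFunctions"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_excessive_statements(policy: dict) -> list[dict]:
    """Return one finding ({"sid", "reasons"}) per Allow statement that is too broad."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []

        if "NotAction" in stmt:
            reasons.append("Allow with NotAction grants every action not listed")
        if "NotResource" in stmt:
            reasons.append("Allow with NotResource applies to every resource not listed")
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append("wildcard action")
        if "*" in resources and not all(a in STAR_ONLY_ACTIONS for a in actions):
            reasons.append('Resource "*" on resource-scopable actions')

        # Policy actions may themselves be patterns (lambda:Update*), so match
        # each sensitive action against the patterns, case-insensitively.
        granted_deploy = sorted(
            d for d in DEPLOY_ACTIONS
            if any(fnmatch.fnmatchcase(d.lower(), a.lower()) for a in actions)
        )
        if granted_deploy and "*" in resources:
            reasons.append("deployment actions on every function/role: " + ", ".join(granted_deploy))

        if reasons:
            findings.append({"sid": sid, "reasons": reasons})
    return findings


# Constructed sample 1: a developer-written execution role, far broader than needed.
OVERLY_BROAD_EXECUTION_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Constructed sample 2: the same function scoped to what its code does: read one
# input prefix, write one output prefix, log to its own log group.
LEAST_PRIVILEGE_EXECUTION_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadInput", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-input-bucket/incoming/*"},
        {"Sid": "WriteOutput", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-output-bucket/results/*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"},
    ],
}

# Constructed sample 3: a CI principal that can redeploy any function with any role.
BROAD_DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Deploy", "Effect": "Allow",
         "Action": ["lambda:Update*", "lambda:CreateFunction", "iam:PassRole"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("overly broad role", OVERLY_BROAD_EXECUTION_ROLE),
                         ("least-privilege role", LEAST_PRIVILEGE_EXECUTION_ROLE),
                         ("deployer policy", BROAD_DEPLOYER_POLICY)]:
        print(name, json.dumps(find_excessive_statements(policy), indent=2))
```

In a real account you would feed this the documents returned by `iam:GetRolePolicy` / `iam:GetPolicyVersion` for every Lambda execution role and for every principal allowed to call Lambda deployment APIs; the scoped role above is what "only what the function code actually needs" looks like in practice, with the input and output buckets named explicitly and no `s3:*`.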

This discovery is a reminder of the importance of implementing least privilege and removing excessive permissions from cloud environments, covering both the permissions that control who can manage Lambda functions and those held by the IAM roles the functions themselves assume.
