AWS securityhub documentation change
Summary
Added two new security exposure types: 1) API Gateway without authorization for Lambda functions 2) Lambda function code vulnerabilities. Expanded documentation with detailed explanations and remediation steps for both risks. Adjusted heading levels for existing content.
Security assessment
The changes document security best practices for Lambda functions, specifically addressing authorization gaps in API Gateway integrations and code-level vulnerabilities. There's no evidence of addressing a specific security incident; rather, this is proactive security guidance. The additions describe security risks and provide mitigation steps, making this security documentation enhancement.
Diff
diff --git a/securityhub/latest/userguide/exposure-lambda-function.md b/securityhub/latest/userguide/exposure-lambda-function.md index 9c70af7a7..afb9719c4 100644 --- a//securityhub/latest/userguide/exposure-lambda-function.md +++ b//securityhub/latest/userguide/exposure-lambda-function.md @@ -5 +5 @@ -Misconfiguration traits for Lambda functionsReachability traits for Lambda functionsVulnerability traits for Lambda functionsThe Lambda function has malicious software packages +Misconfiguration traits for Lambda functionsReachability traits for Lambda functionsVulnerability traits for Lambda functions @@ -34,0 +35,2 @@ The remediation guidance provided in this topic might require additional consult + * [The Lambda function is accessible through API Gateway without authorization](./exposure-lambda-function.html#api-gateway-no-authorization) + @@ -46,0 +49,2 @@ The remediation guidance provided in this topic might require additional consult + * [The Lambda function has code vulnerabilities](./exposure-lambda-function.html#lambda-code-vulnerability) + @@ -134,0 +139,8 @@ If service-level administrative permissions are necessary for the instance, cons +### The Lambda function is accessible through API Gateway without authorization + +API Gateway methods without authorization allow any caller with access to the API Gateway to invoke the integrated Lambda function without identity verification. This configuration creates security risks, as callers can invoke the Lambda function without proper authorization, potentially leading to abuse of function capabilities, resource consumption, access to sensitive data, or unauthorized operations. While API Gateway may have network-level access controls, the lack of method-level authorization could allow free invocation of the function by any caller with network access to the API Gateway. Following security best practices, AWS recommends implementing appropriate authorization mechanisms for API Gateway methods that integrate with Lambda functions. + +###### Configure API Gateway authentication + +In the **Resources** tab of the exposure, click on the **Open resource** hyperlink to access the API Gateway method. Review the current authorization configuration and implement appropriate authentication mechanisms. API Gateway supports several authentication options including AWS IAM, Amazon Cognito User Pools, Lambda authorizers, and API keys. Choose the authentication method that best fits your security requirements and use case. For detailed instructions on configuring authentication, see [Controlling and managing access to a REST API in API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html) in the _API Gateway Developer Guide_. + @@ -167 +179 @@ Review the **References** section in the **Vulnerability** tab for the trait. Ve -## The Lambda function has malicious software packages +### The Lambda function has malicious software packages @@ -174,0 +187,8 @@ Review the malicious package details in the **References** section of the **Vuln +### The Lambda function has code vulnerabilities + +Lambda function application code contains security vulnerabilities that could be exploited by threat actors. Code vulnerabilities include data leaks, injection flaws, missing encryption, and weak cryptography that are identified through automated code analysis. These vulnerabilities pose security risks to your AWS environment, as attackers can exploit them to compromise the confidentiality, integrity, or availability of data, or to access other systems. Code vulnerabilities represent security weaknesses that could be chained together with other attack vectors to compromise your function. Following security best practices, AWS recommends addressing these code vulnerabilities to protect your function from attack. + +###### Update affected functions + +Review the **References** section in the **Vulnerability** tab of the trait. Amazon Inspector findings may include specific remediation guidance and code snippets showing the vulnerable code locations. Address the identified security issues in your function code using the provided plug-and-play code blocks or by implementing secure coding practices. Always review code remediation suggestions before adopting them, as you might need to edit them to ensure your code performs as intended. After fixing the vulnerabilities, update the Lambda function code to use the corrected version. For instructions, see [Updating function code](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-zip.html#configuration-function-update) in the _AWS Lambda Developer Guide_. Afterwards, deploy the updated version. For instructions, see [Deploying Lambda functions as .zip file archives](https://docs.aws.amazon.com/lambda/latest/dg/configuration-function-zip.html) for .zip file archives or [Create a Lambda function using a container image](https://docs.aws.amazon.com/lambda/latest/dg/images-create.html) for container images. For more information about Amazon Inspector code scanning, see [Amazon Inspector Lambda code scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning_resources_lambda_code.html) in the _Amazon Inspector User Guide_. +