AWS securityhub documentation change
Summary
Removed sections about Lambda unsupported runtimes and IAM role assumption risks, and fixed broken link for code vulnerability reference
Security assessment
The change removes security guidance about deprecated runtimes (security update risks) and IAM role permissions (least privilege principle). While the removed content was security-related, there's no evidence this addresses a specific security incident - it appears to be documentation restructuring. The link fix is routine maintenance.
Diff
diff --git a/securityhub/latest/userguide/exposure-lambda-function.md b/securityhub/latest/userguide/exposure-lambda-function.md index da3673516..150f91bee 100644 --- a//securityhub/latest/userguide/exposure-lambda-function.md +++ b//securityhub/latest/userguide/exposure-lambda-function.md @@ -25,2 +24,0 @@ The remediation guidance provided in this topic might require additional consult - * [Lambda function is running an unsupported runtime](./exposure-lambda-function.html#function-runtimes) - @@ -29,2 +26,0 @@ The remediation guidance provided in this topic might require additional consult - * [The Lambda function is able to assume an IAM role](./exposure-lambda-function.html#aws-role-access-granted) - @@ -49 +45 @@ The remediation guidance provided in this topic might require additional consult - * [The Lambda function has code vulnerabilities](./exposure-lambda-function.html#lambda-code-vulnerability) + * [The Lambda function has code vulnerabilities](./exposure-lambda-function.html#code-vulnerability) @@ -58,8 +53,0 @@ Here are misconfiguration traits for Lambda functions and suggested remediation -### Lambda function is running an unsupported runtime - -Lambda allows developers to run code without provisioning or managing servers through runtimes that execute your code in a managed environment. Lambda automatically applies patches and security updates to managed runtimes and their corresponding container base images. When a runtime version is no longer supported, it no longer receives security updates, bug fixes, or technical support. Functions running on deprecated runtimes can have security vulnerabilities and may eventually stop working due to issues like certificate expiration. Additionally, unsupported runtimes may be vulnerable to newly discovered security exploits without available patches. Following security best practices, we recommend using patched, supported runtimes for Lambda functions. - -###### Upgrade function runtime - -In the **Resources** tab of the exposure, open the resource with the hyperlink. This will open the Lambda function window. To upgrade your function to a supported runtime, configure the runtime management configuration. You can choose to have your function automatically update to the latest runtime version, but before selecting this option, assess if automatic upgrades could impact your running applications. For more information, see [Understanding how Lambda manages runtime version updates](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html). - @@ -74,15 +61,0 @@ In the exposure finding, open the resource with the hyperlink. This will open th -### The Lambda function is able to assume an IAM role - -Lambda functions use IAM roles to interact with AWS services. These roles grant permissions for the Lambda function to access AWS resources during execution. While these roles are sometimes necessary for Lambda functions to perform their tasks, these roles should follow the principle of least privilege. Following standard security principles, AWS recommends that you review whether the permissions attached to the role are appropriate based on the function's intended functionality. - - 1. **Determine if attached IAM Role is required** - -Determine whether the Lambda function requires an IAM execution role to be configured. Most Lambda functions need basic permissions to operate, such as writing logs to CloudWatch. Review the permissions attached to the function's execution role and determine whether the IAM Role is required for the function. For information on Lambda execution roles, see [Defining Lambda function permissions with an execution role](https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html) in the _AWS Lambda Developer Guide_. - - 2. **Implement least privilege access** - -Replace overly permissive policies with those that grant only the specific permissions required for the function to operate. For information about security best practices for IAM roles, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. Alternatively, you can create a new IAM role to avoid impacting other Lambda functions that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. For instructions on replacing an IAM role for a function, see [Update a function’s execution role](https://docs.aws.amazon.com/lambda/latest/dg/permissions-executionrole-update.html#update-execution-role) in the _AWS Lambda Developer Guide_. - - - -