avatarTeri Radichel

Summary

Teri Radichel explains how to restrict access to AWS Lambda function invocations to a specific IP address using a Service Control Policy within an Organizational Unit, demonstrating the process with examples and screenshots.

Abstract

In a recent post, Teri Radichel delves into the application of AWS Service Control Policies to limit the ability to invoke Lambda functions to a designated IP address. This approach enhances security by ensuring that only requests originating from the specified IP can trigger Lambda functions within the Sandbox Organizational Unit. Radichel provides a step-by-step guide, which includes deploying an example policy with an incorrect IP address to illustrate the restriction's effectiveness and then updating it to the correct IP address to allow function execution. The guide also addresses the need to consider console access restrictions and hints at future exploration into restricting access to private IP ranges within a specific AWS account. Radichel's work is part of a broader series on automating cybersecurity metrics and is complemented by her expertise, recognition in the field, and offerings through her company, 2nd Sight Lab.

Opinions

  • Radichel emphasizes the importance of network restrictions for securing AWS Lambda functions, suggesting that VPC configurations may not always suffice.
  • She advocates for the use of Service Control Policies as a method of governance, setting security controls at the organizational level within AWS.
  • Radichel highlights the effectiveness of her approach by showing a failed function invocation attempt when the incorrect IP address is specified, reinforcing the policy's role in access control.
  • She points out that restricting Lambda access via these policies also affects AWS Management Console access, requiring additional considerations for administrative tasks.
  • Radichel's commitment to sharing knowledge is evident through her series on cybersecurity metrics, her previous posts on related topics, and her encouragement for readers to follow her work for updates on future explorations in AWS security.

Restricting Access to Invoke Lambda Functions to an IP Range in a Service Control Policy

ACM.312 Applying a policy to an OU to restrict Lambda actions to a specific Public IP address

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Lambda | Container Security | Application Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I explained some of the limitations when trying to create network restrictions to limit who can invoke an AWS Lambda function.

In this post I’ll deploy a Service Control Policy that limits access to invoke functions in the Sandbox Organizational Unit to a specific IP address.

Here’s an example:

First I deploy a policy with the incorrect IP address called RestictInvokeLambdaSandbox.yaml.

I’m using my common deployment mechanism described in earlier posts.

Next I can run my invoke script from prior posts to see if I can execute the function. No. It fails. Good.

Now change the IP address to my EC2 instance IP address.

Now change the IP address to the correct IP address and it works.

Note that I’ve restricted all Lambda access above. That means I’ve limited console access as well.

You’ll need to allow all IP addresses for the console actions or limit the policy to the Invoke action if you only want invocation from that specific IP or range.

What if we want to restrict access to a private IP range in a specific AWS account? I’m going to try that out in the next post.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Lambda
Service Control Policy
Network
Security
Invoke
Recommended from ReadMedium
avatarRaviteja Mureboina
Safeguarding Your AWS Environment with Amazon GuardDuty: A Comprehensive Overview

In today’s digital landscape, ensuring the security of your AWS (Amazon Web Services) environment is paramount. With the ever-evolving…

4 min read
avatarMina Knows
I’m Learning How to Use Substack: Here is How I F*&cked Up Already.

Tips on how to avoid mistakes and do it right the first time.

3 min read
avatarAlexander Nguyen
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.

4 min read
avatarRaphael Yoshiga
Why TDD is a waste of time

Discover the Test-Driven-Development flaws and how to develop instead

3 min read
avatarIan Barwise
Security Obscurity-9.19_Compliance != Security

*Note: This article was originally published by the author on September 29, 2019. It is republished here by the author for archival…

10 min read
avatarJoseph Goins
AWS Security Automation with Lambda: 3 Practical Use Cases

Introduction

3 min read