OM-BP-0015: Grant access to Serverless Computing functions via RBAC and apply least privilege (Best Practice)

ID

OM-BP-0015

Name

Grant access to Serverless Computing functions via RBAC and apply least privilege

Status

Active

Version

1.0

Best Practice

Assign each function a role and grant accesses only to that role using the least privilege principle.

Rationale

Ephemeral functions may be compromised and become a stepping stone for lateral movement.

Bad Practices

  • Grant accesses directly to ephemeral functions rather than through a role

  • Fail to limit those accesses to the minimum required

Implementation Details

Provide links to technical documentation by main CSPs
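As an added illustration (not part of the original page and not any CSP's own tooling), the following Python places an overprivileged function role policy beside one scoped to what the function actually needs, and flags every grant that exceeds a declared set of required (action, resource) pairs; the function name, ARNs and account ID are constructed.

```python
import fnmatch

# Constructed example (not from the page): the grants a single function
# "order-fn" actually needs, as (action, resource ARN) pairs.
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
LOGS = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-fn:*"
REQUIRED_GRANTS = {
    ("dynamodb:GetItem", TABLE), ("dynamodb:PutItem", TABLE),
    ("logs:CreateLogStream", LOGS), ("logs:PutLogEvents", LOGS),
}

# Bad practice: every DynamoDB action on every table, plus invoking any function.
OVERPRIVILEGED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"},
]}

# Best practice: the same role scoped to exactly the required grants.
LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": TABLE},
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": LOGS},
]}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def policy_findings(policy, required=REQUIRED_GRANTS):
    """List where `policy` allows more than `required`. IAM patterns use '*' and
    '?', which fnmatch handles ('*' spans '/' and ':' as in IAM). A grant is flagged
    when it covers no required pair, or is a wildcard that is not itself required."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                covered = [(a, r) for a, r in required
                           if fnmatch.fnmatchcase(a, action) and fnmatch.fnmatchcase(r, resource)]
                if not covered:
                    findings.append(f"stmt {idx}: {action} on {resource} is not needed")
                elif ("*" in action or "*" in resource) and (action, resource) not in required:
                    findings.append(f"stmt {idx}: wildcard {action} on {resource} "
                                    f"exceeds the {len(covered)} needed grant(s)")
    return findings
```

An empty findings list means the role grants nothing beyond the declared set; run the check in CI against each function's role so that overprivilege is caught before deployment.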

Quotes

The primary mechanisms made available by cloud providers for mitigating these threats are role-based access controls (RBAC), known as Identity and Access Management (IAM) roles in the popular Amazon Lambda service [38]. Using IAM, cloud customers can statically assign each function to a role that is associated with a set of permissions for accessing other functions, datastores, or the open Internet. Accepting the reality that exploitable vulnerabilities will continue to exist in the serverless landscape, strict IAM roles can be configured such that functions are restricted to communicating only with those components necessary to fulfill their task, thus reducing overprivilege. Unfortunately, there is already ample evidence that static RBAC alone is insufficient; not only are IAM roles often misconfigured [4, 19], but even when correctly defined, attackers are able to leverage legitimate function transitions to move laterally through the application in advancement of their goals [10, 64, 71].

(, p. 1-2)

Bibliography

N/A



This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.