k9 Security now summarizes principals’ access to the Lambda APIs. k9 reports whether IAM principals may administer Lambda function configurations or use your deployed Lambda functions. AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers.

If you’re wondering which IAM principals can administer or run code with Lambda, k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Lambda APIs and maps each principal’s access to a k9 access capability.

Here’s an example of how Lambda access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

k9 Principal Access Summary for Lambda

This example shows the ci IAM user has full access to Lambda APIs, covering all five k9 access capabilities: administer-resource, read-config, use-resource, write-data, delete-data. k9 models invoking a Lambda function as use-resource. The k9-auditor role has only the read-config capability for Lambda APIs, allowing it to read Lambda configuration metadata but not to change or invoke functions. The sample report documents the full mapping of service API actions to k9 access capabilities.
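To make the idea of an access summary concrete, here is an added example (not k9's code, and not k9's actual action-to-capability mapping, which is documented in the sample report) that reduces a principal's IAM policy to the five capability buckets named above. The action names are real Lambda API actions; which bucket each falls into is a constructed, illustrative assignment, except that invoking a function is modeled as use-resource and reading configuration as read-config, as the post states. The three policies are constructed stand-ins for the ci user, the k9-auditor role, and a hypothetical developer role.

```python
"""Summarize a principal's Lambda access into coarse capabilities.

Added example, not k9 Security's code. ACTION_CAPABILITIES is a constructed,
illustrative mapping of real Lambda API actions to capability buckets; k9's
real mapping is documented in its sample report and may differ.
"""
import fnmatch

# Constructed mapping: representative Lambda actions -> capability bucket.
ACTION_CAPABILITIES = {
    # change a function's configuration, permissions, or wiring
    "lambda:CreateFunction": "administer-resource",
    "lambda:UpdateFunctionConfiguration": "administer-resource",
    "lambda:AddPermission": "administer-resource",
    "lambda:RemovePermission": "administer-resource",
    "lambda:CreateEventSourceMapping": "administer-resource",
    "lambda:PutFunctionConcurrency": "administer-resource",
    # read configuration metadata (the post: read-config)
    "lambda:GetFunction": "read-config",
    "lambda:GetFunctionConfiguration": "read-config",
    "lambda:GetPolicy": "read-config",
    "lambda:ListFunctions": "read-config",
    "lambda:ListEventSourceMappings": "read-config",
    # run code (the post: invoking is modeled as use-resource)
    "lambda:InvokeFunction": "use-resource",
    # replace the code or layers a function runs
    "lambda:UpdateFunctionCode": "write-data",
    "lambda:PublishVersion": "write-data",
    "lambda:PublishLayerVersion": "write-data",
    # destroy functions, layers, or triggers
    "lambda:DeleteFunction": "delete-data",
    "lambda:DeleteLayerVersion": "delete-data",
    "lambda:DeleteEventSourceMapping": "delete-data",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def allowed_lambda_actions(policy: dict) -> set:
    """Return the Lambda actions in ACTION_CAPABILITIES that a policy allows.

    Applies IAM's rule that an explicit Deny overrides any Allow. Action
    matching is case-insensitive and honours the * and ? wildcards. Resource
    and Condition elements are ignored, so the result is an upper bound on
    action-level access rather than a per-function decision.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        target = allowed if effect == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            for action in ACTION_CAPABILITIES:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    target.add(action)
    return allowed - denied


def summarize_capabilities(policy: dict) -> dict:
    """Group a policy's allowed Lambda actions by capability bucket."""
    summary = {}
    for action in sorted(allowed_lambda_actions(policy)):
        summary.setdefault(ACTION_CAPABILITIES[action], []).append(action)
    return summary


# Constructed sample policies standing in for three principals.
CI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}

AUDITOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:Get*", "lambda:List*"], "Resource": "*"}]}

DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "lambda:Delete*", "Resource": "*"}]}


if __name__ == "__main__":
    principals = {"ci": CI_POLICY, "k9-auditor": AUDITOR_POLICY,
                  "developer (hypothetical)": DEVELOPER_POLICY}
    for name, policy in principals.items():
        summary = summarize_capabilities(policy)
        print(f"{name}: {', '.join(sorted(summary)) or '(no Lambda access)'}")
        for capability, actions in sorted(summary.items()):
            print(f"  {capability}: {len(actions)} action(s)")
```

Two things the output makes visible that a raw policy does not: a single `lambda:*` statement is what produces "full access" across all five buckets, and denying one pattern (here `lambda:Delete*`) removes only the delete-data bucket while administer-resource remains, because other administrative actions are still allowed. Because Resource and Condition are ignored, the summary is deliberately an upper bound; a principal whose statements are scoped to one function ARN still shows the capability, which is the conservative direction for a review list.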

The Amazon Lambda API currently has 60 actions, which k9 will now track for updates. This summary of k9’s AWS service coverage shows how Lambda compares to other AWS data, compute, and security APIs:

k9 AWS Service Analysis Summary

AWS Lambda gives you a way to run code without thinking about servers and to pay only for what you use, but you are still responsible for managing access. Manage risk to your applications running on Lambda by continuously reviewing and adjusting who can invoke those functions and who can call the Lambda administration APIs.

We hope k9’s new Lambda analysis capabilities help you identify which IAM users and roles can administer Lambda and run code in your AWS accounts. We are happy to answer any questions!