Platform: AWS
| Category | Criteria Name | Supported | Notes | Caveats |
|---|---|---|---|---|
| Authentication & Authorization | API Key Management | False | AWS Lambda does not directly use API keys. Authentication and authorization are handled through IAM roles and policies. | |
| Authentication & Authorization | IAM Integration | True | AWS Lambda is fully integrated with AWS Identity and Access Management (IAM), allowing granular control over access using roles and policies. | |
| Authentication & Authorization | MFA | True | MFA is not directly supported for Lambda functions but is strongly recommended for all IAM users and roles that manage Lambda functions. | For IAM users and roles |
| Authentication & Authorization | Service Account Support | True | AWS Lambda supports service-account-style programmatic access through IAM roles (the function's execution role is the AWS equivalent of a service account). Best practice is to grant these roles least privilege. | |
| Authentication & Authorization | Standard Protocols | True | AWS Lambda leverages IAM for authentication, which uses various industry standard protocols. OAuth 2.0 and OpenID Connect are indirectly supported through IAM integration. | Indirectly via IAM |
| Compliance & Certifications | Compliance Documentation | True | AWS provides comprehensive compliance documentation, whitepapers, and audit reports relating to the security of its services, including Lambda. | |
| Compliance & Certifications | Industry Certifications | True | AWS Lambda is part of the AWS platform, which holds numerous industry certifications including ISO 27001, SOC 2, and others. Compliance requires overall account configuration and adherence to AWS's security best practices. | Depends on overall AWS account compliance |
| Data Loss Prevention (DLP) | Data Masking/Redaction | True | Data masking/redaction must be implemented at the application level within the Lambda function itself. There isn't a built-in Lambda feature for this. | Requires application-level implementation |
| Data Loss Prevention (DLP) | Sensitive Data Scanning | True | Integration with other AWS services like Macie can enable sensitive data scanning, although it's not directly built into Lambda. | Requires integration with other services |
| Data Residency & Sovereignty | Cross-Region Data Transfer Controls | True | Cross-region data transfer is possible but requires explicit configuration and management via services like S3, Kinesis, etc. IAM roles and policies can be used to control access and transfer. | Requires careful configuration |
| Data Residency & Sovereignty | Data Location Transparency | True | AWS provides information on region availability and data storage locations within the AWS documentation and management console. While precise data location within a region is not always specified, the region itself is known. | |
| Data Residency & Sovereignty | Region Selection | True | AWS Lambda allows deployment to multiple AWS regions globally, allowing users to choose a region based on their data residency requirements. | |
| Encryption | Encryption at Rest | True | AWS Lambda functions themselves don't store data directly, but any data stored within associated resources (like S3, EFS) can be encrypted at rest using server-side encryption (SSE) with AWS KMS keys (SSE-KMS, including customer managed keys) or customer-provided keys (SSE-C). Default encryption options are available but need to be enabled. | Depends on storage used |
| Encryption | Encryption in Transit | True | AWS Lambda uses HTTPS for communication, ensuring data encryption in transit. Specific TLS versions and cipher suites are not explicitly configurable by the user but are maintained by AWS. | |
| Logging & Monitoring | Access Logging | True | AWS Lambda does not automatically provide access logs; however, CloudWatch can be configured to log function invocations, errors, and other relevant information. | Requires configuration |
| Logging & Monitoring | Audit Logging | True | CloudTrail logs API calls and configuration changes related to Lambda functions. This provides a comprehensive audit trail. | |
| Logging & Monitoring | Log Retention | True | CloudWatch Logs offers configurable log retention policies, allowing users to specify how long logs are stored. | |
| Logging & Monitoring | Monitoring & Alerting | True | AWS CloudWatch provides monitoring and alerting capabilities for Lambda functions. Metrics like invocation duration, errors, and throttles can be tracked and alerts set. | |
| Network Security | API Gateway Integration | True | AWS Lambda integrates seamlessly with API Gateway, allowing for centralized management of traffic routing and security policies. API Gateway allows for enhanced security features. | |
| Network Security | DDoS Protection | True | AWS Lambda benefits indirectly from AWS's global infrastructure and inherent DDoS protection measures. Additional protections are possible through the use of services like AWS WAF. | Indirectly via AWS infrastructure |
| Network Security | Firewall Rules | True | Network access control is managed through VPC security groups and network ACLs, which act as firewalls for the network where Lambda functions are deployed. Ingress/egress rules can be set. | Through VPC configuration |
| Network Security | Private Access | True | AWS Lambda can be accessed privately using VPCs, enabling secure communication within a virtual network. VPC networking is crucial for secure deployment of Lambda functions. | |
| Secure Development Lifecycle (SDL) | API Design Principles | True | AWS provides best practices and guidance on secure API design which should be followed when designing and implementing Lambda functions, even though it is not enforced by Lambda directly. | Best Practices |
| Secure Development Lifecycle (SDL) | Code Review & Testing | False | Code review and security testing are the responsibility of the developers who build and deploy the Lambda functions. AWS does not enforce specific processes. | Responsibility of the developer |
| Vulnerability Management & Patching | Security Updates | True | AWS is responsible for patching and updating the underlying Lambda infrastructure. The platform regularly releases updates to improve security and performance. | |
| Vulnerability Management & Patching | Vulnerability Scanning | False | AWS does not offer built-in vulnerability scanning for Lambda functions directly. However, users can leverage third-party security tools to perform vulnerability assessments. | Requires third-party tools |