The Security tab illustrates interactions between your Lambda function and external resources. In addition to this architectural view of your function, you can configure some security settings using the Security tab.
Security configuration lets you manage your Lambda function's access to external resources. You can set up your security configuration in two different ways:
Click on the “Security” button located at the right-hand corner of the screen to configure your settings. After setting your configurations, you can edit or delete them using this button.
You can allowlist the resources that your function is permitted to access, which restricts your Lambda function from reaching any resource you do not wish it to access. While configuring an allowlist for your Lambda function, the resources and operations shown in your architecture view are added to the allowlist automatically. If you want to add other resources that do not appear in the architecture, click on the “Add Resources” button and fill in the required fields.
You can blocklist resources in order to prevent your Lambda function from accessing specific resources. Blocklisting a resource means that when your Lambda function tries to access that resource, this operation will violate your security configuration.
Click on the “Configure your Security Settings” button and select a configuration option (allowlist/blocklist). Add the new item to your security configuration and fill in the following fields:
Resource Type - Select a resource type to allowlist/blocklist.
Resource Name - Enter the resource name(s) that you want to allowlist/blocklist. When you hit enter, it will be added to the list. In addition to this, you can add all resource names that belong to the selected resource type by selecting ALL(*).
Operation - Select an operation to be allowlisted/blocklisted for the selected resources. You can allowlist/blocklist all operations for a resource by selecting ALL(*).
After selecting resources to be allowlisted or blocklisted, you need to set an action that defines what will happen when an event occurs that violates your configuration.
Allow and Notify Me: Operations that violate your security settings will be executed normally, but you will receive a notification for this event.
Block and Notify Me: Operations that violate your security settings will be blocked and not executed. Because the blocked operations never run, this option can disrupt your function's execution.
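The following is an added illustration of the allowlist/blocklist semantics described above; it is not the product's own implementation, and the class names, the "allowlist"/"blocklist" mode strings, the action names and the ALL(*) sentinel are assumptions chosen for clarity. It models a configuration as a set of rules (resource type, resource names, operations, each optionally ALL(*)), decides whether an observed access is a violation, and applies the selected action to decide whether the operation is executed and whether a notification is raised. It also includes a simple alert throttle of the kind described for the Allow and Notify Me action.

```python
"""Added example: a model of allowlist / blocklist evaluation (not the product's code)."""
from dataclasses import dataclass
from typing import List, Optional

ALL = "ALL(*)"  # assumed sentinel meaning "every resource name" or "every operation"


@dataclass
class Rule:
    """One entry in a security configuration (the three fields from the form)."""
    resource_type: str          # e.g. "DynamoDB", "S3", "HTTP"
    resource_names: List[str]   # exact names, or [ALL]
    operations: List[str]       # e.g. ["GetItem"], or [ALL]

    def matches(self, resource_type: str, resource_name: str, operation: str) -> bool:
        if resource_type != self.resource_type:
            return False
        if ALL not in self.resource_names and resource_name not in self.resource_names:
            return False
        if ALL not in self.operations and operation not in self.operations:
            return False
        return True


@dataclass
class SecurityConfig:
    mode: str          # "allowlist" or "blocklist"
    action: str        # "allow_and_notify" or "block_and_notify"
    rules: List[Rule]

    def __post_init__(self) -> None:
        if self.mode not in ("allowlist", "blocklist"):
            raise ValueError(f"unknown mode: {self.mode}")
        if self.action not in ("allow_and_notify", "block_and_notify"):
            raise ValueError(f"unknown action: {self.action}")

    def is_violation(self, resource_type: str, resource_name: str, operation: str) -> bool:
        matched = any(r.matches(resource_type, resource_name, operation) for r in self.rules)
        if self.mode == "allowlist":
            return not matched   # anything NOT on the allowlist is a violation
        return matched           # anything ON the blocklist is a violation


@dataclass
class Decision:
    violation: bool   # did the access violate the configuration?
    executed: bool    # was the operation allowed to run?
    notify: bool      # should a notification be raised?


def evaluate(config: SecurityConfig, resource_type: str,
             resource_name: str, operation: str) -> Decision:
    """Apply the configured action to one observed resource access."""
    if not config.is_violation(resource_type, resource_name, operation):
        return Decision(violation=False, executed=True, notify=False)
    if config.action == "block_and_notify":
        # Block and Notify Me: the operation is not executed, and an alert is raised.
        return Decision(violation=True, executed=False, notify=True)
    # Allow and Notify Me: the operation runs normally, but an alert is raised.
    return Decision(violation=True, executed=True, notify=True)


class AlertThrottle:
    """Suppresses repeat notifications inside a window (5 minutes for Allow and Notify Me)."""

    def __init__(self, window_seconds: float) -> None:
        self.window = window_seconds
        self.last_sent: Optional[float] = None

    def should_send(self, now: float) -> bool:
        if self.last_sent is None or now - self.last_sent >= self.window:
            self.last_sent = now
            return True
        return False


if __name__ == "__main__":
    # Constructed sample configuration: the function may only read/write the
    # "orders" table and may use any S3 bucket; everything else is a violation.
    allow = SecurityConfig("allowlist", "allow_and_notify", [
        Rule("DynamoDB", ["orders"], ["GetItem", "PutItem"]),
        Rule("S3", [ALL], [ALL]),
    ])
    throttle = AlertThrottle(300)  # 5-minute throttle for allow-and-notify alerts
    for t, event in enumerate([("DynamoDB", "orders", "GetItem"),
                               ("DynamoDB", "orders", "DeleteItem"),
                               ("DynamoDB", "customers", "GetItem")]):
        d = evaluate(allow, *event)
        sent = d.notify and throttle.should_send(t * 60.0)
        print(event, d, "alert sent" if sent else "no alert")
```

With an allowlist, any resource or operation not listed is a violation, so adding a new rule only ever widens what the function may do; with a blocklist the reverse holds, which is why switching between the two requires replacing the configuration rather than editing it.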
When a security configuration is set, an alert policy is created by default. It is checked every minute. For configurations with the Allow and Notify Me action, alerts are throttled for 5 minutes. You can edit your alert policy name on the alerts page. These alert policies will notify you by email when your configuration has been violated.
When you want to edit a security configuration, hover your mouse over the lock icon on the Security tab and click on the “Edit” button. If any violation has occurred against your current security configuration, the lock icon is displayed in red.
If you selected the allowlist option and the "Allow and Notify Me" action, and a violation has occurred against that configuration, the newly seen resources are displayed highlighted with the "New" tag. You can click “Save” to add them to the allowlist.
To change from allowlist to blocklist configuration or vice versa, you need to delete a configuration and add a new list. Hover your mouse over the Security icon on the Security tab, and click the trash icon to delete the configuration.
Any violation of a security configuration within the selected time range is displayed on the architecture view of the Security tab.
If the Allow and Notify Me action is selected and a violation occurs for a resource, there will be a yellow block icon on the resource icon.
If the Block and Notify Me action is selected and a violation occurs for a resource, there will be a red block icon on the resource icon.