Let me tell you a story about my recent findings. While building an IoT solution for one of my customers, I realized that the Lambda service was not accessible in the customer’s AWS Account. Since I know how to manage permissions, I decided to add the required privileges to my AWS user.
To my surprise, the AWS console still presented the Access denied with UnknownError.
That was a bit strange, so I granted myself Administrator privileges to investigate the issue. Once again, the Access denied message appeared, causing my confusion and affecting my further development.
I tried the typical tricks, like:
- Clearing cookies.🍪
- Using different browsers.🌐
- Logging out of the AWS Console.🚪
Nothing worked. Doubting my AWS skills, I contacted Wojciech Dąbrowski, a respected AWS expert, and asked for help. Wojciech suggested a couple of new tricks to investigate the issue, yet AWS keeps refusing access to the Lambda function. We decided to admit our defeat and contact the AWS support team.
The support consultant informed us that AWS found a compromising activity in that account and restricted access to the Lambda service to avoid unexpected billing.
That response surprised me. AWS clearly defines the Shared Responsibility Model, explaining how AWS and customers share responsibility for securing data and applications in the cloud. AWS secures the infrastructure, while customers secure their data and applications. AWS provides security tools and services, but customers must configure them securely and monitor for security incidents.
AWS security team suspended access to the Lambda service in the customer’s account because they detected a security violation (I can not give you more details about it). They helped mitigate the significant costs for the customer by performing tasks defined as “customer’s responsibility” in the Shared Responsibility Model. To be honest, I was not expecting that scenario to be the root cause of my Lambda issue.
Let me briefly remind you of the basic best practices when working with AWS.
Best practices to secure an AWS account:
- Use strong passwords and multi-factor authentication (MFA) for all users.💪
- Create dedicated IAM users and groups to manage permissions required for specific tasks.👩💻👨💻
- Use precise IAM policies to control access to AWS resources.🔐
- Monitor your AWS account for security incidents.🕵️
How to secure the root account:
- Use a strong password and MFA for the root account.💪
- Never perform development from the root account.🙅♂️
- Use the root account only for administrative tasks.💼
- Create an IAM user with administrative privileges for everyday use.🦸
Stay safe!
