Scan your AWS Lambda functions and ensure security for policy permissions, dependencies and your code.
This initial release supports both Java and Python functions.
You can install using NPM:
npm install -g @contrast/contrast
or using Homebrew:
brew tap contrastsecurity/tap
brew install contrast
or download binaries for Windows, macOS and Linux.
Make sure your AWS credentials are available. The Contrast CLI can find your credentials in one of the following ways:
- Configured in your user profile (usually located at ~/.aws/credentials)
- Using the --profile argument when running the CLI
- Using the AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
You will also need the following permissions:
- Lambda: GetFunction, GetLayerVersion
- IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies
The following IAM policy grants exactly these read-only permissions (replace YOUR_ACCOUNT with your AWS account ID):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "lambda:GetLayerVersion",
        "lambda:GetFunction",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
        "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
        "arn:aws:iam::YOUR_ACCOUNT:role/*",
        "arn:aws:iam::YOUR_ACCOUNT:policy/*"
      ]
    }
  ]
}
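As an added example (not part of the Contrast CLI or its documentation), the following Python script checks an IAM policy document against the permission list above before you attach it to the identity the scanner runs as. It reports required actions the policy does not grant, actions it grants beyond the required set, wildcard actions, and resources not scoped to your account. The policy embedded below is the page's policy with a constructed placeholder account ID (123456789012); the over-broad second policy is constructed to show what a failing check looks like. Deny statements and Condition blocks are deliberately not evaluated.

```python
import json
from fnmatch import fnmatch

# Actions the Contrast CLI needs, as listed on the page.
REQUIRED_ACTIONS = {
    "lambda:GetFunction", "lambda:GetLayerVersion",
    "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
}

# Constructed sample: the page's policy with a placeholder account ID.
SCANNER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion", "iam:GetPolicy",
        "lambda:GetLayerVersion", "lambda:GetFunction",
        "iam:ListAttachedRolePolicies", "iam:ListRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:lambda:*:123456789012:layer:*:*",
        "arn:aws:lambda:*:123456789012:function:*",
        "arn:aws:iam::123456789012:role/*",
        "arn:aws:iam::123456789012:policy/*"
      ]
    }
  ]
}
""")

# Constructed sample of an over-broad policy that should fail the check.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield only the Allow statements (Deny statements are not evaluated here)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            yield stmt


def is_granted(action, patterns):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def check_scanner_policy(policy, account_id):
    """Return findings comparing the policy with the scanner's required permissions."""
    patterns = set()
    unscoped = []
    for stmt in allow_statements(policy):
        patterns.update(_as_list(stmt.get("Action", [])))
        for res in _as_list(stmt.get("Resource", [])):
            # A resource is considered scoped only if it names this account.
            if res == "*" or f":{account_id}:" not in res:
                unscoped.append(res)

    findings = {
        # Required actions that no Allow pattern covers.
        "missing": sorted(a for a in REQUIRED_ACTIONS if not is_granted(a, patterns)),
        # Literal (non-wildcard) actions the scanner does not need.
        "extra": sorted(p for p in patterns if "*" not in p and "?" not in p
                        and p not in REQUIRED_ACTIONS),
        # Wildcard actions grant more than the scanner needs.
        "wildcard_actions": sorted(p for p in patterns if "*" in p or "?" in p),
        "unscoped_resources": unscoped,
    }
    findings["ok"] = not any(findings[k] for k in
                             ("missing", "extra", "wildcard_actions", "unscoped_resources"))
    return findings


if __name__ == "__main__":
    for name, pol in (("scanner policy", SCANNER_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, json.dumps(check_scanner_policy(pol, "123456789012"), indent=2))
```

Run it against the policy you intend to attach (load it with json.load instead of the embedded sample) and treat any non-empty finding as a reason not to attach it; the scanner only needs the seven read actions listed above, so a wildcard such as lambda:* is more privilege than the job requires.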
Authenticate, then run a scan against a function:
contrast auth
contrast lambda --function-name <YOUR_FUNCTION_NAME> --region <AWS_REGION>
For more help, use the following command:
contrast lambda --help
contrast auth – Authenticate using your GitHub or Google account
contrast lambda – Perform a scan on an AWS Lambda function
contrast config – Display your stored credentials
contrast config --clear – Remove your stored credentials
contrast version – Display the installed version of the Contrast CLI
contrast help – Display help
Examples (short and long flag forms are equivalent):
contrast lambda --function-name myFunctionName
contrast lambda -f myFunctionName --region eu-central-1
contrast lambda -f myFunctionName --region eu-central-1 --profile myDevProfile
contrast lambda -f myFunctionName -v -j -r eu-central-1 -p myDevProfile
contrast lambda --function-name myFunctionName --verbose --json-output --region eu-central-1 --profile myDevProfile