Contrast CLI
Scan your AWS Lambda functions and ensure security for policy permissions, dependencies and your code. Get started with three easy steps!
Step 1 – Install
Open a command prompt or terminal, then install with NPM or Homebrew:
- NPM
npm install -g @contrast/contrast
- Homebrew
brew tap contrastsecurity/tap
brew install contrast
Step 2 – Authenticate
Authenticate using your existing GitHub or Google account.
contrast auth
Step 3 – Scan
Use contrast lambda to scan your AWS Lambda functions:
contrast lambda --function-name MyFunctionName --region my-aws-region
AWS Policy
Make sure you have the following AWS permissions enabled:
- Lambda: GetFunction, GetLayerVersion
- IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies
Here is an example AWS policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "lambda:GetLayerVersion",
        "lambda:GetFunction",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
        "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
        "arn:aws:iam::YOUR_ACCOUNT:role/*",
        "arn:aws:iam::YOUR_ACCOUNT:policy/*"
      ]
    }
  ]
}
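To check a policy you already use for scanning against the permission list above, the following added example (not part of the Contrast CLI or its documentation) reports which required actions are missing and which granted action patterns go beyond the list. The function names and the sample policy are constructed for illustration; the check looks only at Allow statements and ignores Resource, Condition, NotAction and Deny.

```python
import fnmatch
import json

# The seven actions the page lists as required for `contrast lambda`.
REQUIRED = {
    "lambda:GetFunction", "lambda:GetLayerVersion",
    "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
}

def _as_list(value):
    # IAM accepts either a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Collect Action patterns from every Allow statement, lower-cased
    because IAM action names are case-insensitive."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            patterns += [a.lower() for a in _as_list(stmt["Action"])]
    return patterns

def audit(policy):
    """Return (missing, extra): required actions the policy does not grant,
    and granted patterns outside the required set (wildcards included)."""
    patterns = allowed_patterns(policy)
    required = {a.lower(): a for a in REQUIRED}
    # fnmatch handles the * and ? wildcards that IAM action patterns use.
    missing = sorted(orig for low, orig in required.items()
                     if not any(fnmatch.fnmatchcase(low, p) for p in patterns))
    extra = sorted({p for p in patterns if p not in required})
    return missing, extra

# Constructed sample: broader than needed on IAM, incomplete on Lambda.
SAMPLE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["iam:*", "lambda:GetFunction"],
                "Resource": "*"}]}
""")

if __name__ == "__main__":
    missing, extra = audit(SAMPLE)
    print("missing:", missing)
    print("beyond the required list:", extra)
```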
AWS Credentials
The Contrast CLI can find your AWS credentials in one of the following ways:
- Configured in your user profile (usually ~/.aws/credentials)
- Using the --profile flag (contrast lambda --profile myProfile)
- Using AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
For more information on how to use the lambda command, run contrast help.
contrast lambda --function-name myFunctionName
contrast lambda -f myFunctionName --region eu-central-1
contrast lambda -f myFunctionName --region eu-central-1 --profile myDevProfile
contrast lambda -f myFunctionName -v -j -r eu-central-1 -p myDevProfile
contrast lambda --function-name myFunctionName --verbose --json-output --region eu-central-1 --profile myDevProfile