Skip to main content

Contrast CLI

Scan your AWS Lambda functions and ensure security for policy permissions, dependencies and your code. Get started with three easy steps!

Step 1 Install

Open a command-prompt or terminal, then install with NPM or Homebrew:

npm install -g @contrast/contrast

Step 2 Authenticate

Authenticate using your existing GitHub or Google account.

contrast auth

Step 3 Scan

Use contrast lambda to scan your AWS Lambda functions:

contrast lambda --function-name MyFunctionName --region my-aws-region

image

AWS Policy

Make sure you have the following AWS permissions enabled:

Here is an example AWS policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetPolicyVersion",
"iam:GetPolicy",
"lambda:GetLayerVersion",
"lambda:GetFunction",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
"arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
"arn:aws:iam::YOUR_ACCOUNT:role/*",
"arn:aws:iam::YOUR_ACCOUNT:policy/*"
]
}
]
}

AWS Credentials

The Contrast CLI can find your AWS credentials in one of the following ways:

  • Configured in your user profile (usually ~/.aws/credentials)
  • Using the --profile flag (contrast lambda --profile myProfile)
  • Using AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables

For more information on how to use the lambda command, run contrast help.

contrast lambda --function-name myFunctionName
contrast lambda -f myFunctionName --region eu-central-1
contrast lambda -f myFunctionName --region eu-central-1 --profile myDevProfile
contrast lambda -f myFunctionName -v -j -r eu-central-1 -p myDevProfile
contrast lambda --function-name myFunctionName --verbose --json-output --region eu-central-1 --profile myDevProfile