jgranick / contrast-1

Contrast CLI – Ensure your AWS Lambda functions are secure (Java/Python)

Contrast CLI

Scan your AWS Lambda functions and check the security of their policy permissions, their dependencies and your code.

This initial release supports both Java and Python functions.

Getting Started

Download

You can install using NPM:

npm install -g @contrast/contrast

Homebrew:

brew tap contrastsecurity/tap
brew install contrast

or download binaries for Windows, macOS and Linux.

Prerequisites

Make sure your AWS credentials are available. The Contrast CLI can find your credentials in one of the following ways:

  • Configured in a named profile in your AWS credentials file (usually located at ~/.aws/credentials)
  • Using the --profile argument when running the CLI
  • Using AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables

You will also need the following permissions:

Example AWS Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "lambda:GetLayerVersion",
                "lambda:GetFunction",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
                "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
                "arn:aws:iam::YOUR_ACCOUNT:role/*",
                "arn:aws:iam::YOUR_ACCOUNT:policy/*"
            ]
        }
    ]
}
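
As an added pre-flight check (not part of the Contrast CLI), the following Python verifies that a policy document grants every permission listed above for the account, region and function you intend to scan; the account id, the ANY_* placeholder names and the function name are constructed values.

```python
import fnmatch
import json

# The README's policy with a constructed account id in place of YOUR_ACCOUNT.
README_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetPolicyVersion", "iam:GetPolicy", "lambda:GetLayerVersion",
               "lambda:GetFunction", "iam:ListAttachedRolePolicies",
               "iam:ListRolePolicies", "iam:GetRolePolicy"],
    "Resource": ["arn:aws:lambda:*:123456789012:layer:*:*",
                 "arn:aws:lambda:*:123456789012:function:*",
                 "arn:aws:iam::123456789012:role/*",
                 "arn:aws:iam::123456789012:policy/*"]}]})

def scan_grants(account, region, function_name):
    """(action, ARN) pairs one scan needs. Layer, role and policy names are only
    known during the scan, so constructed ANY_* placeholders stand in for them."""
    lam, iam = f"arn:aws:lambda:{region}:{account}", f"arn:aws:iam::{account}"
    return [("lambda:GetFunction", f"{lam}:function:{function_name}"),
            ("lambda:GetLayerVersion", f"{lam}:layer:ANY_LAYER:1"),
            ("iam:ListAttachedRolePolicies", f"{iam}:role/ANY_ROLE"),
            ("iam:ListRolePolicies", f"{iam}:role/ANY_ROLE"),
            ("iam:GetRolePolicy", f"{iam}:role/ANY_ROLE"),
            ("iam:GetPolicy", f"{iam}:policy/ANY_POLICY"),
            ("iam:GetPolicyVersion", f"{iam}:policy/ANY_POLICY")]

def _as_list(value):  # Action and Resource may be a single string or a list
    return [] if value is None else [value] if isinstance(value, str) else list(value)
def _matches(pattern, value):  # IAM patterns: case-insensitive, '*' and '?' wildcards
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def missing_permissions(policy_doc, grants):
    """Return the (action, ARN) pairs the policy does not allow: allowed means an Allow
    statement matches both and no Deny does. NotAction/NotResource/Condition are skipped."""
    statements = _as_list(json.loads(policy_doc).get("Statement"))
    missing = []
    for action, arn in grants:
        verdict = None  # no matching statement at all is an implicit deny
        for stmt in statements:
            if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
                continue
            if (any(_matches(a, action) for a in _as_list(stmt.get("Action")))
                    and any(_matches(r, arn) for r in _as_list(stmt.get("Resource")))):
                if stmt.get("Effect") == "Deny":
                    verdict = "Deny"
                    break
                verdict = "Allow"
        if verdict != "Allow":
            missing.append((action, arn))
    return missing
```

A policy scoped to specific role or policy names will be reported as missing because of the placeholders, so review those entries by hand rather than widening the policy.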

Running Your First Scan

Authenticate with Contrast

contrast auth

Scan a Lambda Function

contrast lambda --function-name <YOUR_FUNCTION_NAME> --region <AWS_REGION>

For more help, use the following command:

contrast lambda --help

Commands

  • contrast auth – Authenticate using your GitHub or Google account
  • contrast lambda – Perform a scan on an AWS Lambda function
  • contrast config – Display your stored credentials
  • contrast config --clear – Remove your stored credentials
  • contrast version – Display the installed version of the Contrast CLI
  • contrast help – Display help

Example

contrast lambda --function-name myFunctionName
contrast lambda -f myFunctionName --region eu-central-1
contrast lambda -f myFunctionName --region eu-central-1 --profile myDevProfile
contrast lambda -f myFunctionName -v -j -r eu-central-1 -p myDevProfile
contrast lambda --function-name myFunctionName --verbose --json-output --region eu-central-1 --profile myDevProfile


About

Contrast CLI – Ensure your AWS Lambda functions are secure (Java/Python)

License: MIT License
