Contrast CLI
Scan your AWS Lambda functions and ensure security for policy permissions, dependencies and your code.
This initial release supports both Java and Python functions.
Getting Started
Download
You can install using NPM:
npm install -g @contrast/contrast
or using Homebrew:
brew tap contrastsecurity/tap
brew install contrast
or download binaries for Windows, macOS and Linux.
Prerequisites
Make sure your AWS credentials are available. The Contrast CLI can find your credentials in one of the following ways:
- Configured in your user profile (usually located at ~/.aws/credentials)
- Using the --profile argument when running the CLI
- Using the AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables
You will also need the following permissions:
- Lambda: GetFunction, GetLayerVersion
- IAM: GetRolePolicy, GetPolicy, GetPolicyVersion, ListRolePolicies, ListAttachedRolePolicies
Example AWS Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "lambda:GetLayerVersion",
        "lambda:GetFunction",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
        "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
        "arn:aws:iam::YOUR_ACCOUNT:role/*",
        "arn:aws:iam::YOUR_ACCOUNT:policy/*"
      ]
    }
  ]
}
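One way to check, before attaching a policy to the identity that runs the CLI, that it grants the permissions listed above and nothing broader. This is an added example, not part of the Contrast CLI: audit_policy, PAGE_POLICY and BROAD_POLICY are names made up here, BROAD_POLICY is constructed sample input, and only Allow statements with Action are considered (no NotAction, Deny or conditions).

```python
import fnmatch

# Actions the page lists as required by the Contrast CLI (all read-only).
REQUIRED = {
    "lambda:GetFunction", "lambda:GetLayerVersion",
    "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
    "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
}

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Compare the Allow statements of an identity policy with REQUIRED."""
    required = {a.lower(): a for a in REQUIRED}  # IAM action names are case-insensitive
    covered, extra, wildcards, open_resources = set(), set(), set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                wildcards.add(action)  # pattern grants more than the named actions
            hits = [k for k in required if fnmatch.fnmatchcase(k, action.lower())]
            covered.update(required[h] for h in hits)
            if not hits:
                extra.add(action)  # not needed for a scan at all
        open_resources.update(r for r in _as_list(stmt.get("Resource")) if r == "*")
    return {"missing": sorted(REQUIRED - covered), "extra": sorted(extra),
            "wildcards": sorted(wildcards), "open_resources": sorted(open_resources)}

# The page's example policy (YOUR_ACCOUNT placeholder kept as-is).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["iam:GetPolicyVersion", "iam:GetPolicy", "lambda:GetLayerVersion",
               "lambda:GetFunction", "iam:ListAttachedRolePolicies",
               "iam:ListRolePolicies", "iam:GetRolePolicy"],
    "Resource": ["arn:aws:lambda:*:YOUR_ACCOUNT:layer:*:*",
                 "arn:aws:lambda:*:YOUR_ACCOUNT:function:*",
                 "arn:aws:iam::YOUR_ACCOUNT:role/*",
                 "arn:aws:iam::YOUR_ACCOUNT:policy/*"]}]}

# Constructed over-broad policy, for comparison.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": ["iam:Get*", "lambda:*", "s3:GetObject"],
    "Resource": "*"}}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_policy(doc))
```

An empty result in all four fields means the policy matches the required permission list exactly.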
Running Your First Scan
Authenticate with Contrast
contrast auth
Scan a Lambda Function
contrast lambda --function-name <YOUR_FUNCTION_NAME> --region <AWS_REGION>
For more help, use the following command:
contrast lambda --help
Commands
- contrast auth – Authenticate using your GitHub or Google account
- contrast lambda – Perform a scan on an AWS Lambda function
- contrast config – Display your stored credentials
- contrast config --clear – Remove your stored credentials
- contrast version – Display the installed version of the Contrast CLI
- contrast help – Display help
Example
contrast lambda --function-name myFunctionName
contrast lambda -f myFunctionName --region eu-central-1
contrast lambda -f myFunctionName --region eu-central-1 --profile myDevProfile
contrast lambda -f myFunctionName -v -j -r eu-central-1 -p myDevProfile
contrast lambda --function-name myFunctionName --verbose --json-output --region eu-central-1 --profile myDevProfile