Ensure that Lambda Function is not publicly exposed via resource policy without a condition
Determine the specific resource-based principals' permissions needed by your Lambda Functions, and then craft a resource-based policy for these principals only.
Risk Level: Critical
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.IAM.105
Covered by Spectral: No
Category: Compute
GSL LOGIC
Lambda should not have resourcePolicy.Statement contain [ Effect='Allow' and (Principal = '*' or Principal.AWS = '*') and not Condition ]
REMEDIATION
From Portal
- Go to 'Lambda' dashboard
- In the left menu, select 'Functions'
- Select the relevant Lambda Function
- Under 'Configurations', go to 'Permissions'
- Under 'Resource-based policy statements', select the relevant statement
- Edit the statement according to the principle of least privilege
From TF
To edit a resource-based policy, edit the following arguments within 'aws_lambda_permission' block:
resource "aws_lambda_permission" "lambda_permission_example" {
..
principal = PRINCIPAL
source_arn = SOURCE-ARN
..
}
From Command Line
To remove a resource-based policy statement from a Lambda Function, run:
aws lambda remove-permission --function-name FUNCTION-NAME --statement-id STATEMENT-ID
To apply a resource-based policy statement to a Lambda Function, run:
aws lambda add-permission --function-name FUNCTION-NAME--action ACTION --statement-id STATEMENT-ID --principal PRINCIPAL
References
- https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/remove-permission.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/add-permission.html
AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.
With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
- CloudGuard AWS Default Ruleset
Updated over 1 year ago