Ensure that Lambda Function execution role policy doesn't have an overly permissive scope (Contains a wildcard)
Determine the specific resource scope needed by your Lambda Functions, and then craft IAM policies for these resources only, instead of full resource scope. Please note, there are few actions where Resource type is accepted as wildcard only, this rule is not applicable to those actions which only support Wildcard '*' as resource type. Pls follow this AWS documentation link for more details: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
Risk Level: High
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.AWS.IAM.46
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
Lambda should not have executionRole.combinedPolicies contain [ relationType!='AssumeRole' and policyDocument.Statement contain [Effect='Allow' and (Resource contain [$ regexMatch /^(?!arn).*\*$/] or Resource regexMatch /^(?!arn).*\*$/) ]]
REMEDIATION
From Portal
- Go to 'IAM'
- In the menu, under 'Access management', choose 'Roles'
- Select the overly permissive IAM Role
- Select the relevant policy
- Redefine its permissions based on the principle of least privilege
From TF
To update an IAM policy, edit the 'Resource' argument:
resource "aws_iam_policy" "example_iam_policy" {
..
policy = jsonencode({
..
Statement = [
{
..
Resource = RESOURCES-LIST
..
},
]
})
}
From Command Line
To update a managed policy, use:
aws iam create-policy-version --policy-arn POLICY-ARN --policy-document POLICY-DOCUMENT
Note: Additional instructions (For example: How to update inline policies) can be found within the references.
References
- https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.
With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
Compliance Frameworks
- AWS CCPA Framework
- AWS CSA CCM v.3.0.1
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS GDPR Readiness
- AWS HIPAA
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO 27001:2013
- AWS ISO27001:2022
- AWS ITSG-33
- AWS LGPD regulation
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-171
- AWS NIST 800-53 Rev 4
- AWS NIST 800-53 Rev 5
- AWS NIST CSF v1.1
- AWS PCI-DSS 3.2
- AWS PCI-DSS 4.0
- AWS Security Risk Management
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago