This rule ensures Lambda function policies do not allow public access for enhanced security.
| Rule | Lambda function policies should prohibit public access |
| Framework | AWS Foundational Security Best Practices |
| Severity | Critical |
Rule Description
This rule requires that a Lambda function's resource-based policy does not grant access to the public, in accordance with AWS Foundational Security Best Practices. A function whose policy allows a wildcard principal to invoke it can be called by anyone on the internet, which exposes whatever the function does and whatever it can reach, and lets unauthorized callers consume your resources.
Troubleshooting Steps
If there are issues related to public access in Lambda function policies, the following troubleshooting steps can be considered:
Necessary Codes
Where the function's resource-based policy itself has to change to remove public access, the following snippets can be used as a reference:
Example 1: Restricting Invocation to Specific AWS Accounts
To restrict invocation to specific AWS accounts, set a condition in the Lambda function's resource-based policy on the `aws:SourceAccount` condition key:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "ALLOWED_ACCOUNT_ID" }
      }
    }
  ]
}
```

Replace REGION with the appropriate AWS region code, ACCOUNT_ID with the AWS account ID, and FUNCTION_NAME with the Lambda function name. Repeat the condition block for each allowed account ID.

The statement needs no companion Deny: a resource-based policy grants nothing by default, and an unconditional Deny on the same action and resource would override the conditional Allow and block every caller, including the allowed account. Note also that `aws:SourceAccount` is present in the request context only when an AWS service invokes the function on behalf of a resource in that account (an S3 event notification, for example); for direct cross-account invocation by IAM principals, name the account in the Principal element instead of relying on this key.

Example 2: Restricting Invocation to Specific VPCs
To restrict invocation to specific VPCs, set a condition in the Lambda function's resource-based policy on the `aws:SourceVpc` condition key:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringEquals": { "aws:SourceVpc": "VPC_ID" }
      }
    }
  ]
}
```

Replace REGION with the appropriate AWS region code, ACCOUNT_ID with the AWS account ID, FUNCTION_NAME with the Lambda function name, and VPC_ID with the allowed VPC ID.

As in Example 1, the conditional Allow stands alone; adding an unconditional Deny would block all invocations. `aws:SourceVpc` is only populated when the request reaches Lambda through a VPC endpoint, so this condition is meaningful only for callers that invoke the function via an interface endpoint in that VPC.

Step-by-Step Remediation Guide
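The following Python checker is an added example, not code from the original page or from AWS. It applies the rule's logic offline to a Lambda resource-based policy: it flags Allow statements whose Principal is `"*"` or `{"AWS": "*"}` and that carry no condition scoping the caller down (the `aws:SourceAccount` and `aws:SourceVpc` keys from Examples 1 and 2 among them), and it returns a copy of the policy with those statements removed, which is the review-and-edit work of the remediation guide expressed as code. The sample policies, account IDs and VPC ID are constructed placeholders, and the set of condition keys treated as restricting is this example's own heuristic rather than the exact logic of the managed Security Hub check.

```python
import json
from copy import deepcopy

# Constructed sample policies (placeholder account IDs and VPC ID, not real ones).
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
        }
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowFromPartnerAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
            "Condition": {"StringEquals": {"aws:SourceAccount": "444455556666"}},
        },
        {
            "Sid": "AllowFromVpc",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
        },
    ],
}

# Condition keys that tie a wildcard principal to a specific account, organization,
# caller or network path. This set is the example's own heuristic (an assumption);
# keys such as aws:SecureTransport do not narrow who may call and are not listed.
RESTRICTING_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def _is_wildcard_principal(principal):
    """'*' or {'AWS': '*'} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(condition):
    """Collect condition-key names, lowercased (IAM matches key names case-insensitively)."""
    keys = set()
    for key_values in (condition or {}).values():
        keys.update(k.lower() for k in key_values)
    return keys


def _public_indices(policy):
    indices = []
    for idx, stmt in enumerate(_as_list(_load(policy).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue  # a named account or service principal is not public
        if _condition_keys(stmt.get("Condition")) & RESTRICTING_KEYS:
            continue  # wildcard principal scoped down by a restricting condition
        indices.append(idx)
    return indices


def public_statements(policy):
    """Return the Sid (or a positional label) of every statement granting public access."""
    stmts = _as_list(_load(policy).get("Statement", []))
    return [stmts[i].get("Sid", f"Statement[{i}]") for i in _public_indices(policy)]


def is_public(policy):
    return bool(_public_indices(policy))


def strip_public_statements(policy):
    """Return a copy of the policy with the public Allow statements removed."""
    hardened = deepcopy(_load(policy))
    bad = set(_public_indices(hardened))
    stmts = _as_list(hardened.get("Statement", []))
    hardened["Statement"] = [s for i, s in enumerate(stmts) if i not in bad]
    return hardened


if __name__ == "__main__":
    print("public statements:", public_statements(PUBLIC_POLICY))  # ['AllowAnyone']
    print("scoped policy:", public_statements(SCOPED_POLICY))      # []
    print(json.dumps(strip_public_statements(PUBLIC_POLICY), indent=2))
```

Run `public_statements` against the output of `aws lambda get-policy` (its `Policy` field is a JSON string, which `_load` accepts) to list the statement IDs that need to be removed; `strip_public_statements` shows what the policy should look like afterwards, but on a live function the removal is done per statement ID through the console or `aws lambda remove-permission`.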
To remediate Lambda function policies and prohibit public access, follow these step-by-step instructions:
1. Identify the Lambda functions that need to be secured and prohibit public access.
2. Open the AWS Management Console and navigate to the Lambda service.
3. Click on the Lambda function that requires remediation.
4. In the function overview, scroll down to the "Permissions" section and click on the "Manage function policies" link.
5. In the function policies page, review the existing policies to identify any allowing public access.
6. Edit the function policies to remove any permissions that allow public access.
7. If necessary, specify the appropriate conditions in the policies to restrict access to specific AWS accounts or VPCs based on the provided code examples.
8. Once the policies are updated, click "Save" to apply the changes.
9. Repeat these steps for each Lambda function that needs to be secured.
By following these steps, the Lambda functions will have updated policies that prohibit public access, aligning with AWS Foundational Security Best Practices.