Rule: Lambda Function Policies Should Prohibit Public Access

This rule ensures Lambda function policies do not allow public access for enhanced security.

Rule: Lambda function policies should prohibit public access
Framework: AWS Foundational Security Best Practices
Severity: Critical

Rule Description

This rule, part of AWS Foundational Security Best Practices, requires that a Lambda function's resource-based policy does not allow public access, so that the function can be invoked only by authorized entities. A publicly invocable function can be triggered by anyone, which exposes the function and the resources it reaches to unauthorized use.

Troubleshooting Steps

If a Lambda function policy is reported as allowing public access, the following troubleshooting steps can be considered:

1. Review the existing Lambda function policies to identify any that allow public access.
2. Verify that the IAM roles and permissions associated with the Lambda functions are properly configured.
3. Check whether any IAM or resource-based policies unintentionally grant public access.
4. Review integration points (for example API Gateway) and their security configuration to ensure no misconfiguration allows public access.
5. Verify the network settings and ensure that the Lambda functions are not exposed to the public internet without proper controls, such as running them in a VPC (Virtual Private Cloud).

Necessary Codes

The following policy snippets can be used as a reference when updating Lambda function policies to prohibit public access:

Example 1: Restricting Invocation to Specific AWS Accounts

To restrict invocation to specific AWS accounts, set a condition in the Lambda function's resource-based policy using the aws:SourceAccount condition key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeFromAllowedAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "ALLOWED_ACCOUNT_ID"
        }
      }
    },
    {
      "Sid": "DenyInvokeFromAnyOtherAccount",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceAccount": "ALLOWED_ACCOUNT_ID"
        }
      }
    }
  ]
}

Replace REGION with the appropriate AWS region code, ACCOUNT_ID with the AWS account ID that owns the function, FUNCTION_NAME with the Lambda function name, and ALLOWED_ACCOUNT_ID with the account that may invoke it. To allow several accounts, list every allowed account ID in the condition value (the key accepts an array) in both statements. The Deny statement must carry its StringNotEquals condition: an unconditional Deny with Principal "*" overrides every Allow and would block the allowed account as well. Note also that aws:SourceAccount is populated when an AWS service (for example S3 or SNS) invokes the function on behalf of a resource in that account; for direct invocation by IAM principals of another account, use the aws:PrincipalAccount key or name that account explicitly in Principal instead of "*".

Example 2: Restricting Invocation to Specific VPCs

To restrict invocation to specific VPCs, set a condition in the Lambda function's resource-based policy using the aws:sourceVpc condition key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInvokeFromAllowedVpc",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringEquals": {
          "aws:sourceVpc": "VPC_ID"
        }
      }
    },
    {
      "Sid": "DenyInvokeFromAnywhereElse",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "VPC_ID"
        }
      }
    }
  ]
}

Replace REGION with the appropriate AWS region code, ACCOUNT_ID with the AWS account ID, FUNCTION_NAME with the Lambda function name, and VPC_ID with the allowed VPC ID. The aws:sourceVpc key is set only when the request reaches Lambda through a VPC endpoint in that VPC, so pair this policy with an interface endpoint for Lambda; requests arriving any other way, including from the public internet, do not match the Allow and hit the conditional Deny. As in Example 1, the Deny must keep its StringNotEquals condition or it would also block invocations from the allowed VPC.
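An added example, not part of this rule page or of Cloud Defense's product: a Python checker that applies the rule's test to a function policy document (the JSON returned by lambda:GetPolicy) and reports Allow statements whose principal is everyone and that carry no condition scoping the source or principal. The sample policy and its Sids are constructed, and the set of restricting condition keys is this example's own assumption.

```python
import json

# Condition keys that scope an otherwise-public principal to a known source (assumed set).
RESTRICTING_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone from any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def has_restricting_condition(statement):
    """True if a non-Null condition constrains a source/principal key (names compared case-insensitively, as IAM does)."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().startswith("null"):  # Null tests only check presence, they do not restrict
            continue
        if any(key.lower() in RESTRICTING_KEYS for key in keys):
            return True
    return False

def find_public_statements(policy):
    """Return Sids (or statement[i]) of Allow statements open to everyone; policy is a dict or JSON string."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    public = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements never grant access, so they are not flagged
        if is_public_principal(st.get("Principal")) and not has_restricting_condition(st):
            public.append(st.get("Sid", f"statement[{i}]"))
    return public

# Constructed sample: one public grant next to one scoped by aws:SourceAccount.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME"},
    {"Sid": "ScopedInvoke", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
     "Condition": {"StringEquals": {"aws:SourceAccount": "ALLOWED_ACCOUNT_ID"}}},
]}

if __name__ == "__main__":
    print("public statements:", find_public_statements(SAMPLE_POLICY))  # ['PublicInvoke']
```

Feed it the "Policy" field of `aws lambda get-policy --function-name FUNCTION_NAME` to check a real function offline.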

Step-by-Step Remediation Guide

To remediate Lambda function policies and prohibit public access, follow these step-by-step instructions:

1. Identify the Lambda functions that need to be secured and prohibit public access.
2. Open the AWS Management Console and navigate to the Lambda service.
3. Click on the Lambda function that requires remediation.
4. In the function overview, scroll down to the "Permissions" section and click on the "Manage function policies" link.
5. In the function policies page, review the existing policies to identify any allowing public access.
6. Edit the function policies to remove any permissions that allow public access.
7. If necessary, specify the appropriate conditions in the policies to restrict access to specific AWS accounts or VPCs based on the provided code examples.
8. Once the policies are updated, click "Save" to apply the changes.
9. Repeat these steps for each Lambda function that needs to be secured.

By following these steps, the Lambda functions will have updated policies that prohibit public access, aligning with AWS Foundational Security Best Practices.
