lacework-global-179

Lambda Function should not have Admin Privileges

Description

Lambda functions assume an execution role, which grants permissions to the function. As with Identity and Access Management (IAM) users, manage Lambda execution roles according to the principle of least privilege.

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Lambda.

  4. On the left side, select Functions.

  5. Choose a function and click the Configuration tab.

  6. Click Permissions.

  7. Under Execution role - Role name, click the role associated with the function.

  8. Under Permissions policies, select and expand an attached policy to view in JSON format.

  9. Locate policies with statements whose Resource and Action elements are set to '*' and whose Effect is set to 'Allow'.

  10. Edit or delete the offending policy.

  11. Repeat steps 8-10 for each attached policy.

Edit:

  1. Click edit on the offending policy.

  2. Edit the permissions so the policy no longer has administrator privileges, using either the Visual editor or the JSON tab.

  3. Click Review policy.

  4. Click Save changes.

Delete:

  1. Check the box next to the offending policy.

  2. Click Remove.

  3. Click Delete.
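The following Python is an added example, not code from the Lacework policy page or from AWS tooling. It performs the check described in step 9 of the remediation against IAM policy documents (the same JSON you see when you expand an attached policy), handling the fact that IAM accepts Action and Resource as either a single string or a list, and it shows the shape of a least-privilege replacement of the kind step 2 under Edit asks for. The policy documents, the DynamoDB table name, the log group and the account ID are constructed sample values.

```python
import json

# Constructed sample: the statement shape step 9 asks you to look for
# (Effect Allow, Action '*', Resource '*').
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: a least-privilege replacement for a hypothetical function
# that only reads one DynamoDB table and writes to its own log group.
# Account ID 123456789012 and the ARNs are placeholders, not real resources.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-reader:*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string, a dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(document):
    """Accept either an already-parsed dict or the raw JSON text of a policy document."""
    if isinstance(document, dict):
        return document
    return json.loads(document)


def admin_statements(policy_doc):
    """Return every statement that allows Action '*' on Resource '*' (step 9's criteria)."""
    policy = load_policy(policy_doc)
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards does not grant anything
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            found.append(stmt)
    return found


def is_admin_policy(policy_doc):
    """True when the policy contains at least one administrator-style statement."""
    return bool(admin_statements(policy_doc))


def check_policies(policies_by_name):
    """Given {policy_name: policy_document} for one execution role, return the
    names of the policies that step 10 says must be edited or deleted."""
    return sorted(name for name, doc in policies_by_name.items() if is_admin_policy(doc))


if __name__ == "__main__":
    attached = {"lambda-admin-inline": ADMIN_POLICY, "orders-reader-scoped": SCOPED_POLICY}
    for name in check_policies(attached):
        print(f"{name}: grants Allow on Action '*' / Resource '*' -> edit or delete")
```

`check_policies` takes the policies already attached to one role, so the documents can come from the console's JSON view or from any exported policy set; the check deliberately matches only the exact condition the page describes (Action and Resource both '*' under Allow), so a policy such as `s3:*` on `*` is out of scope for this rule even though it is still far from least privilege.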