lacework-global-180

Lambda Function should not have Cross Account Access

Description

A Lambda function whose execution role is allowed to call sts:AssumeRole on a role in a different AWS account can obtain credentials for that account. The function's effective permissions then extend beyond its own account boundary: anyone who can invoke the function, or who can change its code (for example with lambda:UpdateFunctionCode), can reach the other account's resources through that role. Unless the cross-account trust is intentional and documented, the execution role should only be permitted to assume roles in its own account.

Remediation

  1. Log in to the AWS Management Console.

  2. Click Services.

  3. Select Lambda.

  4. On the left side, select Functions.

  5. Choose a function and click the Configuration tab.

  6. Click Permissions.

  7. Under Execution role - Role name, click the role associated with the function.

  8. Under Permissions policies, select and expand an attached policy to view in JSON format.

  9. Identify any statement with Effect "Allow" whose Action includes sts:AssumeRole (or a wildcard that covers it, such as sts:* or *) and whose Resource is a role ARN in another account, that is, where <ACCOUNT_ID> does not match the current account ID. A Resource of * or an ARN with a wildcard account ID also allows assuming roles in other accounts and should be treated the same way. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Effect": "Allow",
          "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<role_name>"
        }
      ]
    }

  10. Edit or delete the offending policy.

  11. Repeat steps 8-10 for each attached policy.

Edit:

  1. Click edit on the offending policy.
  2. Edit the permissions so the policy no longer has cross account access using either the Visual editor, or JSON tab.
  3. Click Review policy.
  4. Click Save changes.

Delete:

  1. Check the box next to the offending policy.
  2. Click Remove.
  3. Click Delete.
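The console walk-through above checks one policy at a time. The following script is an added example (not Lacework's code and not an official AWS tool) that applies the same check from step 9 programmatically: it parses an IAM policy document, finds Allow statements that grant sts:AssumeRole on a role ARN outside the current account (or on a wildcard), and optionally walks every Lambda execution role in an account with boto3. The sample policy and the account IDs in it are constructed for illustration; the boto3 scanner assumes boto3 is installed and AWS credentials are configured, and is imported lazily so the pure checker runs offline.

```python
"""Flag Lambda execution-role policies that allow sts:AssumeRole into another AWS account.

Added example for the lacework-global-180 check; not Lacework's own code.
"""
import fnmatch
import re

# Matches an IAM role ARN and captures the 12-digit account ID (or a "*" wildcard).
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}|\*):role/")


def _as_list(value):
    """IAM lets Statement/Action/Resource be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(action_pattern):
    """True if an Action entry covers sts:AssumeRole.

    IAM action names are case-insensitive and may contain '*' wildcards
    (e.g. "sts:*", "sts:Assume*", "*"), so match the pattern against the action."""
    return fnmatch.fnmatchcase("sts:assumerole", action_pattern.lower())


def cross_account_assume_role_findings(policy_document, own_account_id):
    """Return (statement_index, resource, reason) for each Allow statement that lets the
    role assume a role outside own_account_id.

    reason is "foreign-account" for an explicit ARN in another account, "wildcard" for a
    Resource of "*" or an ARN with a wildcard account ID (either reaches any account whose
    role trusts this principal), and "manual-review" for NotAction/NotResource statements,
    which this checker does not evaluate."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy_document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, None, "manual-review"))
            continue
        if not any(_grants_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, resource, "wildcard"))
                continue
            match = ROLE_ARN_RE.match(resource)
            if match is None:
                continue  # not a role ARN; sts:AssumeRole on other ARN types grants nothing
            account = match.group(1)
            if account == "*":
                findings.append((idx, resource, "wildcard"))
            elif account != own_account_id:
                findings.append((idx, resource, "foreign-account"))
    return findings


def scan_lambda_execution_roles(session=None):
    """Run the check over every attached managed policy and inline policy of each Lambda
    function's execution role. Returns {function_name: [(policy_name, finding), ...]}.

    Assumption: boto3 is installed and credentials for the target account are configured."""
    import boto3  # imported here so the pure checker above works without boto3

    session = session or boto3.Session()
    own_account = session.client("sts").get_caller_identity()["Account"]
    lam, iam = session.client("lambda"), session.client("iam")
    results = {}
    for page in lam.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            role_name = fn["Role"].rsplit("/", 1)[-1]  # role name is the last ARN segment
            docs = []
            for page_a in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
                for pol in page_a["AttachedPolicies"]:
                    version = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
                    pv = iam.get_policy_version(PolicyArn=pol["PolicyArn"], VersionId=version)
                    docs.append((pol["PolicyName"], pv["PolicyVersion"]["Document"]))
            for page_i in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
                for name in page_i["PolicyNames"]:
                    inline = iam.get_role_policy(RoleName=role_name, PolicyName=name)
                    docs.append((name, inline["PolicyDocument"]))
            hits = [(name, f) for name, doc in docs
                    for f in cross_account_assume_role_findings(doc, own_account)]
            if hits:
                results[fn["FunctionName"]] = hits
    return results


# Constructed sample execution-role policy (not from any real account): statement 0 assumes
# a role in a foreign account, 1 stays in-account, 2 is a wildcard, 3 is unrelated, 4 is a Deny.
SAMPLE_ACCOUNT_ID = "111111111111"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::222222222222:role/CrossAccountRole"},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::111111111111:role/InAccountRole"},
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:CreateLogGroup", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::333333333333:role/Denied"},
    ],
}

if __name__ == "__main__":
    for finding in cross_account_assume_role_findings(SAMPLE_POLICY, SAMPLE_ACCOUNT_ID):
        print(finding)
```

Run the file as-is to see the two findings on the constructed sample (statements 0 and 2); call scan_lambda_execution_roles() from a session with lambda:ListFunctions and the iam:List*/Get* permissions used above to audit a whole account. The checker deliberately treats a Resource of * and a wildcard account ID as findings, since either permits assuming a foreign role as soon as that role's trust policy names the execution role, and it flags NotAction/NotResource statements for manual review rather than trying to reason about their complements.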