
lacework-global-368

Lambda function policies should prohibit public access (Automated)

Description

A Lambda function is non-compliant with this policy if its resource-based policy does not prohibit access from principals outside the account, or if Amazon S3 is allowed to invoke the function and the granting statement carries no condition that limits the invoking source, such as aws:SourceAccount. Best practice is to pair aws:SourceAccount with other S3 conditions such as aws:SourceArn (naming the bucket) so that only the intended bucket in the intended account can trigger the function; without the account condition, a bucket in any AWS account can be configured to invoke it. A publicly accessible function can be invoked by any AWS principal, which allows unintended execution of the function and reaches whatever data and downstream resources its execution role permits.

Remediation

Note: The console is used here only to identify the policy statement that grants public access; removing the statement is done with the CLI command in the last step.

  1. Log in to the AWS Management Console.
  2. Go to the Lambda service.
  3. Select the Lambda function.
  4. Select the Configuration tab.
  5. Select Permissions.
  6. Navigate to the section Resource-based policy statements.
  7. For each statement, if the Principal is "*" or { "AWS": "*" }, the function has public access enabled; note the statement's Sid (statement ID). A statement whose Principal is the S3 service (s3.amazonaws.com) with no aws:SourceAccount condition is also flagged by this policy.
  8. Run the following CLI command to remove the statement and revoke public access to the function:
aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>
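The check in the description and the identify-then-remove procedure above can be scripted. The following is an added example, not Lacework's or AWS's own code: it takes the JSON that `aws lambda get-policy` returns (the `Policy` field is itself a JSON string), flags Allow statements whose Principal is "*" or { "AWS": "*" }, or whose Principal is the S3 service, when no condition on aws:SourceAccount, aws:SourceArn, aws:PrincipalAccount or aws:PrincipalOrgID scopes them, and emits the matching `remove-permission` commands. The sample policy, the function name `demo`, the account IDs and the bucket name are constructed; the set of scoping condition keys is an approximation of the Security Hub check, not its exact rule set.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample in the shape returned by `aws lambda get-policy`.
# Account IDs, ARNs and the revision ID are made up for this example.
SAMPLE_GET_POLICY_OUTPUT: Dict[str, Any] = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # public: any principal may invoke
                "Sid": "public-invoke", "Effect": "Allow", "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
            },
            {   # public: same grant written in the {"AWS": "*"} form
                "Sid": "aws-wildcard", "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
            },
            {   # S3 trigger with no aws:SourceAccount: a bucket in any account can invoke
                "Sid": "s3-unscoped", "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
            },
            {   # S3 trigger scoped to the owning account and one bucket: compliant
                "Sid": "s3-scoped", "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
                "Condition": {
                    "StringEquals": {"AWS:SourceAccount": "111122223333"},
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-upload-bucket"},
                },
            },
            {   # grant to one named account: cross-account, but not public
                "Sid": "partner-account", "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:demo",
            },
        ],
    }),
    "RevisionId": "constructed-revision-id",
}

# Condition keys treated as limiting the caller to a known account/org/source.
# Condition keys are case-insensitive in IAM, so comparison is done in lower case.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalaccount", "aws:principalorgid"}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _is_s3_principal(principal: Any) -> bool:
    return isinstance(principal, dict) and "s3.amazonaws.com" in _as_list(principal.get("Service", []))


def _is_scoped(condition: Optional[Dict[str, Dict[str, Any]]]) -> bool:
    """True if any condition operator block references a scoping key."""
    for operator_block in (condition or {}).values():
        if any(key.lower() in SCOPING_KEYS for key in operator_block):
            return True
    return False


def find_public_statements(get_policy_output: Dict[str, Any]) -> List[str]:
    """Return the Sids of Allow statements that expose the function publicly."""
    policy = json.loads(get_policy_output["Policy"])
    public: List[str] = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        exposed = _is_wildcard_principal(principal) or _is_s3_principal(principal)
        if exposed and not _is_scoped(stmt.get("Condition")):
            public.append(stmt.get("Sid"))
    return public


def remediation_commands(function_name: str, get_policy_output: Dict[str, Any]) -> List[str]:
    """Build the remove-permission commands from the Remediation section for each public Sid."""
    return [
        f"aws lambda remove-permission --function-name {function_name} --statement-id {sid}"
        for sid in find_public_statements(get_policy_output)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands("demo", SAMPLE_GET_POLICY_OUTPUT):
        print(cmd)
```

Against the constructed policy this reports `public-invoke`, `aws-wildcard` and `s3-unscoped` and leaves `s3-scoped` and `partner-account` alone. To re-grant an S3 trigger correctly after removing an unscoped statement, `aws lambda add-permission` accepts `--source-account` and `--source-arn`, which produce the aws:SourceAccount and aws:SourceArn conditions shown in the `s3-scoped` statement. Run the script with `python3 policy_check.py` (the file name is an assumption); to use real data, feed it the output of `aws lambda get-policy --function-name <function_name>` instead of the sample.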

References

https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-1