lacework-global-368
Lambda function policies should prohibit public access (Automated)
Description
A Lambda function is non-compliant with this policy if its resource-based policy allows public access from outside the account, or if Amazon S3 invokes the function and the policy does not include a condition that limits public access, such as AWS:SourceAccount. Best practices recommend combining AWS:SourceAccount with other S3 conditions in the bucket policy for more fine-grained access control. A Lambda function should not be publicly accessible, because public access may allow unintended invocation of the function and exposure of its code.
Remediation
Note: This finding cannot be fully remediated from the console. The console only identifies the policy statement that enables public access; the statement itself must be removed with the CLI command in the last step.
- Log in to the AWS Management Console.
- Go to the Lambda service.
- Select the Lambda function.
- Select the Configuration tab.
- Select Permissions.
- Navigate to the section Resource-based policy statements.
- For each statement, if the Principal contains "*" or { "AWS": "*" }, the function has public access enabled.
- Run the following CLI command to remove the statement and revoke public access to the function:
aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>
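The following script applies the check described in the steps above to a policy document offline: it flags Allow statements whose Principal is "*" or { "AWS": "*" } without a limiting condition, and S3 service-principal statements that lack an AWS:SourceAccount condition, then prints the matching remove-permission command for each. It is an added example, not Lacework's or AWS's own code; the policy document is constructed for illustration (the account IDs and function name are placeholders), and treating aws:SourceArn and aws:PrincipalOrgID as limiting conditions alongside aws:SourceAccount is this example's assumption.

```python
"""Offline check for public-access statements in a Lambda resource-based
policy. Added example; not Lacework's or AWS's code. Assumes the policy has
already been fetched, e.g. from the "Policy" field of `aws lambda get-policy`,
which returns the document as a JSON-encoded string."""
import json

# Condition keys treated as scoping an invoker to an account, ARN or org.
# Assumption of this example: the page names only AWS:SourceAccount; the other
# two are common companions. IAM condition key names are case-insensitive,
# so everything is compared in lower case.
LIMITING_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}


def parse_get_policy_output(raw):
    """Turn the raw `aws lambda get-policy` JSON into a policy dict."""
    outer = json.loads(raw) if isinstance(raw, str) else raw
    return json.loads(outer["Policy"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (including a list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_keys(statement):
    """Flatten Condition {operator: {key: value}} into lower-cased key names."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_public_statements(policy):
    """Return findings (dicts with Sid and reason) for Allow statements that
    expose the function outside the account, mirroring the console steps."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        keys = _condition_keys(stmt)
        sid = stmt.get("Sid", "<no Sid>")
        if _is_wildcard_principal(principal) and not keys & LIMITING_CONDITION_KEYS:
            findings.append({"Sid": sid, "reason": "wildcard Principal without a limiting condition"})
        elif (isinstance(principal, dict)
              and "s3.amazonaws.com" in _as_list(principal.get("Service", []))
              and "aws:sourceaccount" not in keys):
            findings.append({"Sid": sid, "reason": "S3 service principal without AWS:SourceAccount condition"})
    return findings


def remediation_commands(function_name, findings):
    """Build the remove-permission command from the remediation steps, one per finding."""
    return [f"aws lambda remove-permission --function-name {function_name} --statement-id {f['Sid']}"
            for f in findings]


# Constructed sample policy (placeholder account IDs and function name).
SAMPLE_FUNCTION = "example-function"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "public-invoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:us-east-1:123456789012:function:{SAMPLE_FUNCTION}"},
        {"Sid": "s3-trigger-unscoped", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:us-east-1:123456789012:function:{SAMPLE_FUNCTION}"},
        {"Sid": "s3-trigger-scoped", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"}, "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:us-east-1:123456789012:function:{SAMPLE_FUNCTION}",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
        {"Sid": "partner-account", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:us-east-1:123456789012:function:{SAMPLE_FUNCTION}"},
        {"Sid": "org-scoped-wildcard", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": f"arn:aws:lambda:us-east-1:123456789012:function:{SAMPLE_FUNCTION}",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}

if __name__ == "__main__":
    # Simulate the get-policy wrapper shape so the parser is exercised too.
    raw = json.dumps({"Policy": json.dumps(SAMPLE_POLICY), "RevisionId": "placeholder"})
    found = find_public_statements(parse_get_policy_output(raw))
    for f in found:
        print(f"{f['Sid']}: {f['reason']}")
    for cmd in remediation_commands(SAMPLE_FUNCTION, found):
        print(cmd)
```

Run against a real function by piping `aws lambda get-policy --function-name <function_name>` into parse_get_policy_output; only the statements flagged by find_public_statements need the remove-permission command, and the two scoped statements in the sample show the shapes that pass.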
References
https://docs.aws.amazon.com/securityhub/latest/userguide/lambda-controls.html#lambda-1