Lambda function policies should not allow global access
Description
A Lambda function whose resource policy grants access to a wildcard principal is publicly accessible: anyone may be able to invoke or read it, which can drive up your costs, disrupt your services, or leak your data.
Console Remediation Steps
Lambda function policies cannot be remediated through the console. Use the CLI to remediate the resource instead.
CLI Remediation Steps
1. View a Lambda function's policy, replacing `my-function` with the name of the function you want to check:

   aws lambda get-policy --function-name my-function --output text

2. If a statement's `Principal` is `"*"`, remove that statement, replacing `xaccount` with the statement ID shown in the policy:

   aws lambda remove-permission --function-name my-function --statement-id xaccount

3. Optionally, add a more restricted policy that names a specific AWS account or service as the principal:

   aws lambda add-permission --function-name my-function \
     --statement-id xaccount --action lambda:GetFunction \
     --principal 210987654321 --output text
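The check in step 2 is easy to get wrong by hand, because `get-policy` returns the policy as a JSON string nested inside a JSON response, and the `Principal` element can be the bare string `"*"`, the equivalent object `{"AWS": "*"}`, or a list that hides a `"*"` among legitimate ARNs. The following script is an added example, not part of this page or of the AWS CLI: it parses a constructed `get-policy` response (function name, account IDs, bucket name and revision ID are all made up), reports every Allow statement with a global principal, and builds the matching `remove-permission` command for each. Service principals such as `s3.amazonaws.com` are not treated as global, since they name a specific AWS service rather than any identity.

```python
import json

# Constructed sample in the shape returned by `aws lambda get-policy`; the
# "Policy" field is itself a JSON string, exactly as the API returns it.
# All identifiers below are made up for this example.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # global access: this is the statement the rule flags
                "Sid": "xaccount",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
            },
            {   # scoped to one account: fine
                "Sid": "partner",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
            },
            {   # service principal with a source-ARN condition: fine
                "Sid": "s3trigger",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function",
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}},
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}


def _principal_values(principal):
    """Flatten a Principal element into (kind, value) pairs.

    Principal is either the string "*" or a dict such as {"AWS": ...} /
    {"Service": ...} whose values are a single string or a list of strings.
    """
    if isinstance(principal, str):
        return [("*", principal)]
    pairs = []
    for kind, value in principal.items():
        values = value if isinstance(value, list) else [value]
        pairs.extend((kind, v) for v in values)
    return pairs


def is_global_principal(principal):
    """True if the Principal grants access to any AWS identity.

    Both the bare "*" and {"AWS": "*"} (including "*" inside a list) are
    global; a named service principal is not.
    """
    return any(kind in ("*", "AWS") and value == "*"
               for kind, value in _principal_values(principal))


def find_global_statements(get_policy_output):
    """Return the Sid of every Allow statement whose principal is global.

    `get_policy_output` is the parsed `aws lambda get-policy` response.
    """
    policy = json.loads(get_policy_output["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may appear un-listed
        statements = [statements]
    return [
        stmt.get("Sid")
        for stmt in statements
        if stmt.get("Effect") == "Allow"
        and is_global_principal(stmt.get("Principal", {}))
    ]


def remediation_commands(function_name, get_policy_output):
    """Build one `remove-permission` command per offending statement ID."""
    return [
        f"aws lambda remove-permission --function-name {function_name} "
        f"--statement-id {sid}"
        for sid in find_global_statements(get_policy_output)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands("my-function", SAMPLE_GET_POLICY_OUTPUT):
        print(cmd)
```

To run it against a real function, replace `SAMPLE_GET_POLICY_OUTPUT` with the parsed output of `aws lambda get-policy --function-name my-function` (the default JSON output rather than `--output text`), and review each printed `remove-permission` command before executing it. A statement with a `"*"` principal that also carries a `Condition` is still reported here, since the rule on this page treats any wildcard principal as global access; decide on a per-function basis whether the condition is a sufficient restriction or whether a scoped principal should replace it.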