Lambda function policies should not allow global access

Description

Publicly accessible lambda functions may be runnable by anyone and could drive up your costs, disrupt your services, or leak your data.

Remediation Steps

AWS Console

  • A Lambda function policy cannot be remediated through the console. Use the CLI to remediate the resource instead.

AWS CLI

  • View a lambda function’s policy, replacing my-function with the name of the function you want to check:

    • aws lambda get-policy --function-name my-function --output text

  • If the Principal is "*", remove that statement from the policy, replacing xaccount with the statement's ID:

    • aws lambda remove-permission --function-name my-function --statement-id xaccount

  • Optionally, add a more restricted policy specifying an AWS account or service:

aws lambda add-permission --function-name my-function \
  --statement-id xaccount --action lambda:GetFunction \
  --principal 210987654321 --output text
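An added example, not part of the original page, that automates the two CLI steps above: it parses the default JSON output of aws lambda get-policy (assumed to be run without --output text), flags every Allow statement whose Principal is global, and builds the matching remove-permission commands. The sample output, statement IDs and account IDs are constructed.

```python
import json

# Constructed sample of the default (JSON) output of
# `aws lambda get-policy --function-name my-function`; the "Policy" value
# is itself a JSON policy document serialized as a string.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        # Public: Principal "*" lets anyone call the action.
        {"Sid": "xaccount", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction"},
        # Public in the expanded form the API may return.
        {"Sid": "anon-aws", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:GetFunction"},
        # Scoped to one account: not global, keep it.
        {"Sid": "partner", "Effect": "Allow", "Principal": {"AWS": "210987654321"},
         "Action": "lambda:InvokeFunction"},
    ],
})})


def is_global_principal(principal) -> bool:
    """True when a statement's Principal grants access to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def find_global_statements(get_policy_output: str) -> list[str]:
    """Return the statement IDs of Allow statements open to everyone."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    return [s["Sid"] for s in statements
            if s.get("Effect") == "Allow" and is_global_principal(s.get("Principal"))]


def remediation_commands(function_name: str, get_policy_output: str) -> list[str]:
    """One remove-permission command per offending statement, as in the CLI steps."""
    return [f"aws lambda remove-permission --function-name {function_name} "
            f"--statement-id {sid}"
            for sid in find_global_statements(get_policy_output)]


if __name__ == "__main__":
    print("\n".join(remediation_commands("my-function", SAMPLE_GET_POLICY_OUTPUT)))
```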

CloudFormation

JSON

Ensure that the AWS::Lambda::Permission resource does not have a Principal field that allows global * access:

{
  "Properties" : {
    "FunctionName" : "Example-Lambda-Name",
    "Principal" : "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  }
}

JSON Example Configuration

{
  "Type" : "AWS::Lambda::Permission",
  "Properties" : {
    "FunctionName" : "Example-Lambda-Name",
    "Principal" : "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  }
  # other required fields
}

YAML

Ensure that the AWS::Lambda::Permission resource does not have a Principal field that allows global * access:

Properties:
  FunctionName: Example-Lambda-Name
  Principal: arn:aws:lambda:us-east-1:123456789012:function:my-function

YAML Example Configuration

Type: AWS::Lambda::Permission
Properties:
  FunctionName: Example-Lambda-Name
  Principal: arn:aws:lambda:us-east-1:123456789012:function:my-function
  # other required fields

Terraform

Example Configuration

resource "aws_lambda_permission" "example" {
  # A specific service principal (here EventBridge), never "*"
  principal = "events.amazonaws.com"
  function_name = aws_lambda_function.test_lambda.function_name
  # other required fields here
}

resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  # other required fields here
}