Lambda function policies should not allow global access

Description

Publicly accessible lambda functions may be runnable by anyone and could drive up your costs, disrupt your services, or leak your data.

Remediation Steps

AWS Console

• Lambda policy cannot be remediated through the console. Use the CLI to remediate the resource instead.

AWS CLI

• View a lambda function’s policy, replacing my-function with the name of the function you want to check:

  • aws lambda get-policy --function-name my-function --output text

• If the Principal is "*", remove the policy, replacing xaccount with the policy’s statement ID:

  • aws lambda remove-permission --function-name my-function --statement-id xaccount

• Optionally, add a more restricted policy specifying an AWS account or service:

aws lambda add-permission --function-name my-function \
  --statement-id xaccount --action lambda:GetFunction \
  --principal 210987654321 --output text

Terraform

• Ensure that the aws_lambda_permission does not have a principal field that allows global * access.

Example Configuration

resource "aws_lambda_permission" "example" {
  principal = "events.amazon.com"
  function_name = aws_lambda_function.test_lambda.function_name
  # other required fields here
}

resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  # other required fields here
}

Documentation Links

AWS Console and CLI

• Console: Using Resource-Based Policies for AWS Lambda

• CLI: get-policy

• CLI: add-permission

• CLI: remove-permissions

Terraform

• Resource: aws_lambda_permission

  • Field: principal