Lambda function policies should not allow global access
Description
Publicly accessible Lambda functions can be invoked by anyone, which could drive up your costs, disrupt your services, or leak your data.
Remediation Steps
AWS Console
A Lambda function policy cannot be remediated through the console. Use the CLI to remediate the resource instead.
AWS CLI
View a Lambda function's policy, replacing my-function with the name of the function you want to check:
aws lambda get-policy --function-name my-function --output text
If the Principal of a statement is "*", remove that permission statement, replacing xaccount with the statement's ID:
aws lambda remove-permission --function-name my-function --statement-id xaccount
Optionally, add a more restricted policy specifying an AWS account or service:
aws lambda add-permission --function-name my-function \
  --statement-id xaccount --action lambda:GetFunction \
  --principal 210987654321 --output text
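As an added example (not part of this page), the check above applied to the Policy document that get-policy returns, in Python: the sample policy is constructed and reuses the page's my-function and xaccount names, and the code flags both the bare "*" and the {"AWS": "*"} spelling of the wildcard, then builds the matching remove-permission commands.

```python
import json
import shlex

# Constructed sample of the "Policy" document that
# `aws lambda get-policy --function-name my-function` returns as a JSON string.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "xaccount", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"},
        {"Sid": "events", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"},
        {"Sid": "anyaws", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:GetFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"},
    ],
})


def is_global_principal(principal):
    # The wildcard appears as the bare string "*" or as {"AWS": "*"}
    # (the AWS value may be a list). Service principals are not global.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def global_statement_ids(policy_json):
    """Sids of Allow statements whose Principal is the wildcard."""
    policy = json.loads(policy_json)
    return [s["Sid"] for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and is_global_principal(s.get("Principal"))]


def remediation_commands(function_name, policy_json):
    """One `aws lambda remove-permission` call per offending statement."""
    return [f"aws lambda remove-permission --function-name {shlex.quote(function_name)} "
            f"--statement-id {shlex.quote(sid)}"
            for sid in global_statement_ids(policy_json)]


if __name__ == "__main__":
    for cmd in remediation_commands("my-function", SAMPLE_POLICY):
        print(cmd)
```

Statements that name a specific service or account (like the events.amazonaws.com statement in the sample) are left alone; only the wildcard statements are reported.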
CloudFormation
JSON
Ensure that AWS::Lambda::Permission does not have a Principal field that allows global (*) access:
{
  "Properties" : {
    "FunctionName" : "Example-Lambda-Name",
    "Principal" : "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  }
}
JSON Example Configuration
Other required fields are omitted:
{
  "Type" : "AWS::Lambda::Permission",
  "Properties" : {
    "FunctionName" : "Example-Lambda-Name",
    "Principal" : "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  }
}
YAML
Ensure that AWS::Lambda::Permission does not have a Principal field that allows global (*) access:
Properties:
  FunctionName: Example-Lambda-Name
  Principal: arn:aws:lambda:us-east-1:123456789012:function:my-function
YAML Example Configuration
Type: AWS::Lambda::Permission
Properties:
  FunctionName: Example-Lambda-Name
  Principal: arn:aws:lambda:us-east-1:123456789012:function:my-function
# other required fields
Terraform
Ensure that the aws_lambda_permission does not have a principal field that allows global (*) access.
Example Configuration
resource "aws_lambda_permission" "example" {
  # A single AWS service principal (here EventBridge) instead of "*"
  principal     = "events.amazonaws.com"
  function_name = aws_lambda_function.test_lambda.function_name
  # other required fields here
}
resource "aws_lambda_function" "test_lambda" {
  function_name = "lambda_function_name"
  # other required fields here
}