Lambda function policies should not allow global access

Description

Publicly accessible lambda functions may be runnable by anyone and could drive up your costs, disrupt your services, or leak your data.

Console Remediation Steps

  • A Lambda function policy cannot be remediated through the console. Use the CLI to remediate the resource instead.

CLI Remediation Steps

  • View a lambda function’s policy, replacing my-function with the name of the function you want to check:

    • aws lambda get-policy --function-name my-function --output text

  • If a statement’s Principal is "*", remove that statement, replacing xaccount with its statement ID (Sid):

    • aws lambda remove-permission --function-name my-function --statement-id xaccount

  • Optionally, add a more restricted policy specifying an AWS account or service:

    • aws lambda add-permission --function-name my-function \
        --statement-id xaccount --action lambda:GetFunction \
        --principal 210987654321 --output text
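The check above is manual: you read the get-policy output and look for a wildcard Principal. The script below, an added example that is not part of the original page, automates that review offline. It parses output in the shape `aws lambda get-policy` returns (the "Policy" field is a JSON string nested inside the JSON response), flags every Allow statement whose Principal is "*" or the equivalent {"AWS": "*"}, notes whether the statement carries a Condition, and prints the matching remove-permission commands. The sample policy, account IDs, ARNs and statement IDs are constructed placeholders.

```python
import json

# Constructed sample in the shape returned by
# `aws lambda get-policy --function-name my-function` (JSON output). The outer
# "Policy" field is itself a JSON string. Account IDs, ARNs and RevisionId are
# placeholders, not real values.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # the finding this page describes: anyone may invoke the function
                "Sid": "xaccount",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111111111111:function:my-function",
            },
            {   # scoped to a single account: not a finding
                "Sid": "trusted-account",
                "Effect": "Allow",
                "Principal": {"AWS": "210987654321"},
                "Action": "lambda:GetFunction",
                "Resource": "arn:aws:lambda:us-east-1:111111111111:function:my-function",
            },
            {   # {"AWS": "*"} is the same as "*"; a Condition narrows it, but it
                # is still a wildcard principal and deserves review
                "Sid": "wildcard-with-condition",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": ["lambda:InvokeFunction", "lambda:GetFunction"],
                "Resource": "arn:aws:lambda:us-east-1:111111111111:function:my-function",
                "Condition": {"StringEquals": {"aws:SourceAccount": "210987654321"}},
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(get_policy_output):
    """Parse get-policy output; return each Allow statement with a wildcard Principal."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid"),
            "actions": _as_list(stmt.get("Action")),
            "has_condition": bool(stmt.get("Condition")),
        })
    return findings


def remediation_commands(function_name, findings):
    """Build the page's remove-permission command, one per flagged statement."""
    return [
        f"aws lambda remove-permission --function-name {function_name} "
        f"--statement-id {f['sid']}"
        for f in findings
    ]


if __name__ == "__main__":
    hits = find_public_statements(SAMPLE_GET_POLICY_OUTPUT)
    for hit in hits:
        note = " (has a Condition; review before removing)" if hit["has_condition"] else ""
        print(f"{hit['sid']}: {', '.join(hit['actions'])}{note}")
    for cmd in remediation_commands("my-function", hits):
        print(cmd)
```

In practice you would pipe the real `aws lambda get-policy --function-name my-function` JSON output into find_public_statements instead of the constructed sample. A statement with a wildcard Principal but a Condition (for example one that pins aws:SourceAccount or aws:SourceArn for a service integration) is reported separately rather than silently skipped, so you can decide whether to remove it or replace it with an explicit account or service principal as in the add-permission step above.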