π‘οΈ AWS Lambda Function allows public accessπ’
- Contextual name: π‘οΈ Function allows public accessπ’
- ID:
/ce/ca/aws/lambda/function-iam-policy-public - Tags:
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY
Logicβ
- π§ prod.logic.yamlπ π’
- π AWS Lambda Function
- π§ͺ test-data.json
Similar Policiesβ
- AWS Security Hub: [Lambda.1] Lambda function policies should prohibit public access
Descriptionβ
Descriptionβ
This policy identifies AWS Lambda Functions whose resource-based policies allow access to all principals (
*).Rationaleβ
AWS Lambda functions are frequently used to process sensitive data or perform administrative operations. If a functionβs resource-based policy grants
lambda:InvokeFunctionpermission to the public, anyone on the internet can trigger the function. This may result in unexpected compute costs or the execution of logic that was never intended to be publicly accessible.Public access to actions such as
lambda:GetFunctioncan expose function configuration details, including environment variables, which often contain sensitive information such as database connection strings or API keys.In more severe misconfigurations, allowing public access to
lambda:UpdateFunctionCodecould enable an attacker to replace the functionβs code with malicious logic, potentially compromising downstream systems and data.Auditβ
This policy flags an AWS Lambda Function as
INCOMPLIANTif its resource-basedIAM Policyallows any of the following lambda: actions:... see more
Remediationβ
Remediationβ
Remove Public Permissions from the Functionβ
From Command Lineβ
Retrieve the resource-based policy and note the statement ID (
Sid) that grants public access:aws lambda get-policy \
--function-name {{function-name}} \
--output textRemove the permission statement that grants access to all principals:
aws lambda remove-permission \
--function-name {{function-name}} \
--statement-id {{sid}}