🛡️ AWS Lambda Function allows public access🟢

Contextual name: 🛡️ Function allows public access🟢
ID: /ce/ca/aws/lambda/function-iam-policy-public
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Logic

🧠 prod.logic.yaml🟠🟢
- 📗 AWS Lambda Function
- 🧪 test-data.json

Similar Policies

AWS Security Hub: [Lambda.1] Lambda function policies should prohibit public access

Description

Description

This policy identifies AWS Lambda Functions whose resource-based policies allow access to all principals (*).

Rationale

AWS Lambda functions are frequently used to process sensitive data or perform administrative operations. If a function’s resource-based policy grants lambda:InvokeFunction permission to the public, anyone on the internet can trigger the function. This may result in unexpected compute costs or the execution of logic that was never intended to be publicly accessible.

Public access to actions such as lambda:GetFunction can expose function configuration details, including environment variables, which often contain sensitive information such as database connection strings or API keys.

In more severe misconfigurations, allowing public access to lambda:UpdateFunctionCode could enable an attacker to replace the function’s code with malicious logic, potentially compromising downstream systems and data.

Audit

This policy flags an AWS Lambda Function as INCOMPLIANT if its resource-based IAM Policy allows any of the following lambda: actions:

... see more

Remediation

Open File

Remediation

Remove Public Permissions from the Function

From Command Line
Retrieve the existing resource-based policy to identify the statement ID (Sid) associated with public access:
aws lambda get-policy \
    --function-name {{function-name}} \
    --output text
Remove the permission statement that grants access to all principals:
aws lambda remove-permission \
    --function-name {{function-name}} \
    --statement-id {{sid}}

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Lambda.1] Lambda function policies should prohibit public access			1	no data
💼 Cloudaware Framework → 💼 Public and Anonymous Access			113	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	79	no data
💼 FedRAMP High Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	2	37	96	no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)		11	56	no data
💼 FedRAMP High Security Controls → 💼 AC-6 Least Privilege (M)(H)	8	11	70	no data
💼 FedRAMP High Security Controls → 💼 AC-21 Information Sharing (M)(H)			15	no data
💼 FedRAMP High Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	10	8	74	no data
💼 FedRAMP High Security Controls → 💼 SC-7(3) Access Points (M)(H)			15	no data
💼 FedRAMP High Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			42	no data
💼 FedRAMP High Security Controls → 💼 SC-7(20) Dynamic Isolation and Segregation (H)			15	no data
💼 FedRAMP High Security Controls → 💼 SC-7(21) Isolation of System Components (H)			31	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			79	no data
💼 FedRAMP Low Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)			43	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			79	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4 Information Flow Enforcement (M)(H)	1		80	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H)			56	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6 Least Privilege (M)(H)	6		70	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-21 Information Sharing (M)(H)			15	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7 Boundary Protection (L)(M)(H)	7		60	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(3) Access Points (M)(H)			15	no data
💼 FedRAMP Moderate Security Controls → 💼 SC-7(4) External Telecommunications Services (M)(H)			42	no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			162	no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			163	no data
💼 NIST CSF v2.0 → 💼 ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained			82	no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			127	no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			174	no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			150	no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			170	no data
💼 NIST CSF v2.0 → 💼 PR.IR-01: Networks and environments are protected from unauthorized logical access and usage			113	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3 Access Enforcement	15	5	52	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-3(7) Access Enforcement _ Role-based Access Control			25	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4 Information Flow Enforcement	32	69	111	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows		37	56	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-6 Least Privilege	10	23	63	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-21 Information Sharing	2		15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7 Boundary Protection	29	4	81	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(3) Boundary Protection _ Access Points			15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(4) Boundary Protection _ External Telecommunications Services			42	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(9) Boundary Protection _ Restrict Threatening Outgoing Communications Traffic			26	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(11) Boundary Protection _ Restrict Incoming Communications Traffic			31	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(16) Boundary Protection _ Prevent Discovery of System Components			32	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(20) Boundary Protection _ Dynamic Isolation and Segregation			15	no data
💼 NIST SP 800-53 Revision 5 → 💼 SC-7(21) Boundary Protection _ Isolation of System Components			31	no data
💼 PCI DSS v3.2.1 → 💼 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.		10	61	no data
💼 PCI DSS v3.2.1 → 💼 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.		6	25	no data
💼 PCI DSS v3.2.1 → 💼 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.			25	no data
💼 PCI DSS v3.2.1 → 💼 1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.			12	no data
💼 PCI DSS v3.2.1 → 💼 1.3.5 Permit only “established” connections into the network.			25	no data
💼 PCI DSS v3.2.1 → 💼 7.1.1 Define access needs for each role.			1	no data
💼 PCI DSS v3.2.1 → 💼 7.2.1 Coverage of all system components.			11	no data
💼 PCI DSS v4.0.1 → 💼 1.3.1 Inbound traffic to the CDE is restricted.			61	no data
💼 PCI DSS v4.0.1 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			61	no data
💼 PCI DSS v4.0.1 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.			25	no data
💼 PCI DSS v4.0.1 → 💼 7.2.1 An access control model is defined and includes granting appropriate access.			1	no data
💼 PCI DSS v4.0.1 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			11	no data
💼 PCI DSS v4.0 → 💼 1.3.1 Inbound traffic to the CDE is restricted.		7	61	no data
💼 PCI DSS v4.0 → 💼 1.3.2 Outbound traffic from the CDE is restricted.			61	no data
💼 PCI DSS v4.0 → 💼 1.4.2 Inbound traffic from untrusted networks to trusted networks is restricted.		7	25	no data
💼 PCI DSS v4.0 → 💼 7.2.1 An access control model is defined and includes granting appropriate access.			1	no data
💼 PCI DSS v4.0 → 💼 7.3.1 An access control system(s) is in place that restricts access based on a user's need to know and covers all system components.			11	no data

Logic​

Similar Policies​

Description​

Description​

Rationale​

Audit​

Remediation​

Remediation​

Remove Public Permissions from the Function​

From Command Line​

policy.yaml​

Linked Framework Sections​

Logic

Similar Policies

Description

Description

Rationale

Audit

Remediation

Remediation

Remove Public Permissions from the Function

From Command Line

policy.yaml

Linked Framework Sections