AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Lambda Functions Should Not Have Administrative Permissions
More Info:
Your Amazon Lambda functions should not have administrative permissions in order to promote the Principle of Least Privilege.
Risk Level
High
Address
Security
Compliance Standards
PCIDSS, HIPAA
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration of Lambda Functions having administrative permissions in AWS:
-
Open the AWS Management Console and navigate to the AWS Lambda service.
-
Select the Lambda function for which you want to remediate the misconfiguration.
-
In the “Configuration” tab, click on the “Permissions” section.
-
Under the “Execution role” section, click on the role name to open the “IAM Console”.
-
In the “IAM Console”, click on the “Permissions” tab.
-
Click on the “Attach policies” button.
-
Search for the policy “AWSLambdaBasicExecutionRole” and select it.
-
Click on the “Attach policy” button to attach the policy to the role.
-
Remove any other policies that provide administrative permissions to the Lambda function.
-
Save the changes and exit the “IAM Console”.
By following these steps, you will remediate the misconfiguration of Lambda Functions having administrative permissions in AWS.
To remediate the misconfiguration “Lambda Functions Should Not Have Administrative Permissions” in AWS using AWS CLI, follow the below steps:
-
Open the AWS CLI on your local machine.
-
Run the following command to list all the Lambda functions in your AWS account:
aws lambda list-functions
-
Identify the Lambda function(s) that have administrative permissions.
-
Run the following command to remove the administrative permissions from the Lambda function(s):
aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>
Replace <function_name> with the name of the Lambda function and <statement_id> with the statement ID of the administrative permission.
- Verify that the administrative permission has been removed by running the following command:
aws lambda get-policy --function-name <function_name>
This command should return an empty policy, indicating that the Lambda function no longer has administrative permissions.
-
Repeat steps 4 and 5 for all the Lambda functions that have administrative permissions.
-
Once you have removed the administrative permissions from all the Lambda functions, verify the remediation by running a compliance check using a tool like AWS Config.
By following these steps, you can remediate the misconfiguration “Lambda Functions Should Not Have Administrative Permissions” in AWS using AWS CLI.
To remediate this misconfiguration in AWS, you can follow these steps using Python:
-
Identify the Lambda functions that have administrative permissions by checking the
Roleattached to the function. -
Create a new IAM Role with the necessary permissions that the Lambda function requires and attach it to the function. This new role should have the least privilege required for the function to operate.
-
Update the function’s execution role to the new role using the AWS SDK for Python,
boto3.
Here’s the sample Python code:
import boto3
# Initialize the AWS clients
lambda_client = boto3.client('lambda')
iam_client = boto3.client('iam')
# Get the list of all Lambda functions
functions = lambda_client.list_functions()
# Iterate through each function and check if it has administrative permissions
for function in functions['Functions']:
role_name = function['Role'].split('/')[-1]
# Check if the role has administrative permissions
policy = iam_client.get_role_policy(RoleName=role_name, PolicyName='AdministratorAccess')
if 'Statement' in policy['PolicyDocument']:
# Create a new role with the necessary permissions
new_role = iam_client.create_role(
RoleName='new-lambda-role',
AssumeRolePolicyDocument='''{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'''
)
# Attach the new role to the Lambda function
lambda_client.update_function_configuration(
FunctionName=function['FunctionName'],
Role=new_role['Role']['Arn']
)
# Update the new role with the necessary permissions
iam_client.put_role_policy(
RoleName='new-lambda-role',
PolicyName='lambda-permissions',
PolicyDocument='''{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}'''
)
This code will create a new IAM Role named new-lambda-role with the necessary permissions for the Lambda function to operate. It will then update the function’s execution role to the new role. Finally, it will update the new role with the necessary permissions.