Lambda Functions Should Not Have Administrative Permissions

More Info:

Your Amazon Lambda functions should not have administrative permissions in order to promote the Principle of Least Privilege.

Risk Level

High

Address

Security

Compliance Standards

PCIDSS, HIPAA

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Lambda Functions Should Not Have Administrative Permissions” in AWS using AWS CLI, follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to list all the Lambda functions in your AWS account:

aws lambda list-functions

Identify the Lambda function(s) that have administrative permissions.
Run the following command to remove the administrative permissions from the Lambda function(s):

aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>

Replace <function_name> with the name of the Lambda function and <statement_id> with the statement ID of the administrative permission.

Verify that the administrative permission has been removed by running the following command:

aws lambda get-policy --function-name <function_name>

This command should return an empty policy, indicating that the Lambda function no longer has administrative permissions.

Repeat steps 4 and 5 for all the Lambda functions that have administrative permissions.
Once you have removed the administrative permissions from all the Lambda functions, verify the remediation by running a compliance check using a tool like AWS Config.

By following these steps, you can remediate the misconfiguration “Lambda Functions Should Not Have Administrative Permissions” in AWS using AWS CLI.

Using Python

To remediate this misconfiguration in AWS, you can follow these steps using Python:

Identify the Lambda functions that have administrative permissions by checking the Role attached to the function.
Create a new IAM Role with the necessary permissions that the Lambda function requires and attach it to the function. This new role should have the least privilege required for the function to operate.
Update the function’s execution role to the new role using the AWS SDK for Python, boto3.

Here’s the sample Python code:

import boto3

# Initialize the AWS clients
lambda_client = boto3.client('lambda')
iam_client = boto3.client('iam')

# Get the list of all Lambda functions
functions = lambda_client.list_functions()

# Iterate through each function and check if it has administrative permissions
for function in functions['Functions']:
    role_name = function['Role'].split('/')[-1]
    
    # Check if the role has administrative permissions
    policy = iam_client.get_role_policy(RoleName=role_name, PolicyName='AdministratorAccess')
    
    if 'Statement' in policy['PolicyDocument']:
        # Create a new role with the necessary permissions
        new_role = iam_client.create_role(
            RoleName='new-lambda-role',
            AssumeRolePolicyDocument='''{
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Service": "lambda.amazonaws.com"
                        },
                        "Action": "sts:AssumeRole"
                    }
                ]
            }'''
        )
        
        # Attach the new role to the Lambda function
        lambda_client.update_function_configuration(
            FunctionName=function['FunctionName'],
            Role=new_role['Role']['Arn']
        )
        
        # Update the new role with the necessary permissions
        iam_client.put_role_policy(
            RoleName='new-lambda-role',
            PolicyName='lambda-permissions',
            PolicyDocument='''{
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": [
                            "logs:CreateLogGroup",
                            "logs:CreateLogStream",
                            "logs:PutLogEvents"
                        ],
                        "Resource": "arn:aws:logs:*:*:*"
                    },
                    {
                        "Effect": "Allow",
                        "Action": [
                            "s3:GetObject",
                            "s3:PutObject"
                        ],
                        "Resource": "arn:aws:s3:::bucket-name/*"
                    }
                ]
            }'''
        )

This code will create a new IAM Role named new-lambda-role with the necessary permissions for the Lambda function to operate. It will then update the function’s execution role to the new role. Finally, it will update the new role with the necessary permissions.

Additional Reading:

https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Lambda Functions Should Not Have Administrative Permissions

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: