More Info:
Your Amazon Lambda functions should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Lambda Functions Should Not Allow Cross Account Access” in AWS using the AWS console, follow these steps:
- Sign in to the AWS Management Console.
- Open the AWS Lambda console.
- In the left navigation pane, choose “Functions”.
- Select the Lambda function that you want to remediate.
- Choose the “Permissions” tab.
- Scroll down to the “Resource-based policy” section.
- Click the “Edit” button.
- In the “Policy” editor, remove any statements that allow cross-account access.
- Click the “Save” button to save the updated policy.
- Verify that the updated policy does not allow cross-account access.
Using CLI
To remediate the misconfiguration in AWS, you can follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to list all the Lambda functions in your AWS account:
- Identify the Lambda function that is allowing cross-account access.
- Run the following command to update the Lambda function’s resource-based policy to deny cross-account access:
  Replace <function-name> with the name of the Lambda function that is allowing cross-account access, and <statement-id> with the ID of the statement that allows cross-account access. For example:
- Verify that the resource-based policy has been updated by running the following command:
  Replace <function-name> with the name of the Lambda function that you updated. The output should show that the resource-based policy now denies cross-account access.
- Repeat steps 4-5 for any other Lambda functions that are allowing cross-account access.
- Once you have updated all the Lambda functions, verify that cross-account access is no longer allowed by attempting to access the Lambda function from a different AWS account.
Using Python
To remediate the issue of Lambda functions allowing cross-account access in AWS, you can follow these steps using Python:
- Open the AWS Lambda console.
- Click on the Lambda function that is allowing cross-account access.
- Under the “Configuration” tab, click on “Permissions”.
- Click on the “Remove” button next to the role that is allowing cross-account access.
- Click on the “Add Permission” button.
- Select the “AWS Service” radio button.
- Choose the service that needs access to the Lambda function.
- Choose the “Use a permission policy” option.
- In the policy editor, add the following policy:
  Replace <region>, <account-id>, and <function-name> with the appropriate values for your Lambda function.
- Click on the “Add” button to save the new permission policy.
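As an added example that is not part of this page, the following Python audits the resource-based policy document that `aws lambda get-policy` (or boto3's `get_policy`) returns and lists the statement IDs that grant access outside an allow-list of trusted accounts; those are the IDs to pass to `remove-permission` in the CLI steps above. The sample policy, account numbers and helper names are constructed for the example.

```python
import json
def stmt(sid, principal, condition=None):
    s = {"Sid": sid, "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": principal, "Resource": "arn:aws:lambda:us-east-1:111111111111:function:demo"}
    return dict(s, Condition=condition) if condition else s

# Constructed sample of the "Policy" document returned by lambda:GetPolicy (own account 111111111111).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    stmt("same-account", {"AWS": "arn:aws:iam::111111111111:root"}),
    stmt("foreign-account", {"AWS": "222222222222"}),
    stmt("s3-scoped", {"Service": "s3.amazonaws.com"},
         {"StringEquals": {"AWS:SourceAccount": "111111111111"}}),
    stmt("s3-unscoped", {"Service": "s3.amazonaws.com"}),
    stmt("anyone", "*"),
]})

def account_of(principal):
    # 12-digit account id from a bare id or an ARN such as arn:aws:iam::<id>:root
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4].isdigit() else None

def source_accounts(statement):
    # Accounts a Service principal is pinned to via AWS:SourceAccount / AWS:SourceArn conditions
    found = set()
    for values in statement.get("Condition", {}).values():
        for key, val in values.items():
            if key.lower() in ("aws:sourceaccount", "aws:sourcearn"):
                for v in (val if isinstance(val, list) else [val]):
                    found.add(account_of(v))
    return found - {None}

def untrusted_statement_ids(policy_json, trusted_accounts):
    # Sids of Allow statements not confined to trusted_accounts (remove-permission targets)
    flagged = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        pr = st.get("Principal", "*")
        if pr == "*" or pr.get("AWS") == "*":
            flagged.append(st["Sid"])  # anonymous: any account may invoke
            continue
        aws = [pr["AWS"]] if isinstance(pr.get("AWS"), str) else pr.get("AWS", [])
        if any(account_of(p) not in trusted_accounts for p in aws):
            flagged.append(st["Sid"])  # IAM principal in another account
        elif "Service" in pr and not (source_accounts(st) and
                                      source_accounts(st) <= trusted_accounts):
            flagged.append(st["Sid"])  # service principal not pinned to a trusted account
    return flagged
```

Running `untrusted_statement_ids(SAMPLE_POLICY, {"111111111111"})` flags the foreign-account, unscoped-service and anonymous statements while leaving the same-account and source-account-scoped ones alone.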