Lambda Functions Should Not Allow Cross Account Access
More Info:
Your Amazon Lambda functions should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Lambda Functions Should Not Allow Cross Account Access” in AWS using the AWS console, follow these steps:
- Sign in to the AWS Management Console.
- Open the AWS Lambda console.
- In the left navigation pane, choose “Functions”.
- Select the Lambda function that you want to remediate.
- Choose the “Permissions” tab.
- Scroll down to the “Resource-based policy” section.
- Click the “Edit” button.
- In the “Policy” editor, remove any statements that allow cross-account access.
- Click the “Save” button to save the updated policy.
- Verify that the updated policy does not allow cross-account access.
By following these steps, you have successfully remediated the misconfiguration “Lambda Functions Should Not Allow Cross Account Access” in AWS.
To remediate the misconfiguration using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or EC2 instance.
- Run the following command to list all the Lambda functions in your AWS account:
  aws lambda list-functions
- Identify the Lambda function that is allowing cross-account access.
- Run the following command to remove the statement in the Lambda function’s resource-based policy that allows cross-account access:
  aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
  Replace <function-name> with the name of the Lambda function that is allowing cross-account access, and <statement-id> with the ID of the statement that allows cross-account access. For example:
  aws lambda remove-permission --function-name my-function --statement-id AllowCrossAccountAccess
- Verify that the resource-based policy has been updated by running the following command:
  aws lambda get-policy --function-name <function-name>
  Replace <function-name> with the name of the Lambda function that you updated. The output should show that the resource-based policy no longer contains the statement that allowed cross-account access.
- Repeat the remove-permission and get-policy steps for any other Lambda functions that are allowing cross-account access.
- Once you have updated all the Lambda functions, verify that cross-account access is no longer allowed by attempting to access the Lambda function from a different AWS account.
By following these steps, you can remediate the misconfiguration and ensure that Lambda functions do not allow cross-account access in AWS.
Alternatively, you can replace the permissive grant with a scoped policy by following these steps in the AWS Lambda console:
- Open the AWS Lambda console.
- Click on the Lambda function that is allowing cross-account access.
- Under the “Configuration” tab, click on “Permissions”.
- Click on the “Remove” button next to the role that is allowing cross-account access.
- Click on the “Add Permission” button.
- Select the “AWS Service” radio button.
- Choose the service that needs access to the Lambda function.
- Choose the “Use a permission policy” option.
- In the policy editor, add the following policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Principal": {
          "AWS": "*"
        },
        "Action": "lambda:*",
        "Resource": "arn:aws:lambda:<region>:<account-id>:function:<function-name>",
        "Condition": {
          "ArnNotEquals": {
            "aws:SourceArn": "arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/<function-name>:*"
          }
        }
      }
    ]
  }
Replace <region>, <account-id>, and <function-name> with the appropriate values for your Lambda function.
- Click on the “Add” button to save the new permission policy.
This policy denies Lambda actions on the function to every AWS principal unless the request’s aws:SourceArn matches the specified log group, so only the service invoking on behalf of that log group keeps access.
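The following Python script is an added example, not part of the original page and not AWS or any vendor’s code. It automates what the CLI section does by hand and what the console section describes: it parses the JSON returned by `aws lambda get-policy` (or boto3’s `get_policy`), flags Allow statements whose principal is an AWS account outside a trusted set, and, when run against a real function, removes each flagged statement with `remove_permission`, the API behind `aws lambda remove-permission`. It goes slightly beyond the page in one respect: a wildcard (`"*"`) or service principal is also flagged unless an `aws:SourceAccount`/`aws:SourceArn` condition pins it to a trusted account, since such statements otherwise let any account reach the function through that service. The account IDs, ARNs, function name and sample policy are constructed placeholders; the trusted-account set is an assumption the caller supplies.

```python
"""Audit a Lambda resource-based policy for cross-account grants and remove them.
Added example, not from the original page. Account IDs, ARNs and the function name
are constructed placeholders; boto3 is imported only inside remediate()."""
import json
import re

# Captures the account field of any ARN, including IAM ARNs whose region is empty.
_ACCOUNT_IN_ARN = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")
_FN = "arn:aws:lambda:us-east-1:111111111111:function:my-function"  # constructed

# Constructed sample of what `aws lambda get-policy` returns for a function in 111111111111.
SAMPLE_GET_POLICY_OUTPUT = {"RevisionId": "constructed", "Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        # own-account API Gateway, pinned by SourceArn: fine
        {"Sid": "apigw-invoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": {"Service": "apigateway.amazonaws.com"}, "Resource": _FN,
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:execute-api:us-east-1:111111111111:abc123/*/GET/"}}},
        # foreign account root: flag
        {"Sid": "AllowCrossAccountAccess", "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": _FN},
        # anonymous principal with no source condition: flag
        {"Sid": "PublicInvoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": "*", "Resource": _FN},
        # SNS pinned to own account by SourceAccount: fine
        {"Sid": "sns-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Principal": {"Service": "sns.amazonaws.com"}, "Resource": _FN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}}},
    ]})}


def _account_of(value):
    """12-digit account ID from a bare ID or an ARN, else None."""
    if re.fullmatch(r"\d{12}", value):
        return value
    m = _ACCOUNT_IN_ARN.match(value)
    return m.group(1) if m else None


def principal_accounts(principal):
    """('aws', {ids}) | ('service', set()) | ('wildcard', set()) for anonymous | ('other', set())."""
    if isinstance(principal, dict) and "AWS" in principal:
        values = principal["AWS"]
        values = [values] if isinstance(values, str) else values
        if "*" not in values:
            return "aws", {a for a in map(_account_of, values) if a}
        principal = "*"  # {"AWS": "*"} is the same anonymous grant as "*"
    if principal == "*":
        return "wildcard", set()
    if isinstance(principal, dict) and "Service" in principal:
        return "service", set()
    return "other", set()


def _source_accounts(statement):
    """Accounts pinned by aws:SourceAccount / aws:SourceArn under any condition operator."""
    pinned = set()
    for args in statement.get("Condition", {}).values():
        for key, values in args.items():
            if key.lower() in ("aws:sourceaccount", "aws:sourcearn"):
                for v in ([values] if isinstance(values, str) else values):
                    acct = _account_of(v)
                    if acct:
                        pinned.add(acct)
    return pinned


def cross_account_statements(policy_doc, trusted_accounts):
    """[(Sid, reason)] for Allow statements that reach outside trusted_accounts."""
    trusted, findings = set(trusted_accounts), []
    statements = policy_doc.get("Statement", [])
    for st in [statements] if isinstance(statements, dict) else statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        sid = st.get("Sid", "<no Sid>")
        kind, accounts = principal_accounts(st.get("Principal", {}))
        if kind == "aws" and accounts - trusted:
            findings.append((sid, "grants untrusted account(s) " + ", ".join(sorted(accounts - trusted))))
        elif kind in ("wildcard", "service"):
            # Anonymous and service principals are account-bound only when a
            # SourceAccount/SourceArn condition pins them to a trusted account.
            pinned = _source_accounts(st)
            if not pinned or not pinned <= trusted:
                findings.append((sid, kind + " principal not pinned to a trusted account"))
        elif kind == "other":
            findings.append((sid, "unrecognised principal type; review manually"))
    return findings


def audit_get_policy_output(get_policy_output, trusted_accounts):
    """Audit the dict returned by `aws lambda get-policy` / boto3 get_policy()."""
    return cross_account_statements(json.loads(get_policy_output["Policy"]), trusted_accounts)


def remediate(function_name, trusted_accounts, dry_run=True):
    """Remove flagged statements with remove_permission (the API behind
    `aws lambda remove-permission`). Needs boto3 and credentials; returns the Sids."""
    import boto3  # deferred so the audit functions above run without AWS access
    client = boto3.client("lambda")
    try:
        out = client.get_policy(FunctionName=function_name)
    except client.exceptions.ResourceNotFoundException:
        return []  # no resource-based policy attached
    sids = [sid for sid, _ in audit_get_policy_output(out, trusted_accounts)]
    for sid in (sids if not dry_run else []):
        client.remove_permission(FunctionName=function_name, StatementId=sid)
    return sids


if __name__ == "__main__":
    print(audit_get_policy_output(SAMPLE_GET_POLICY_OUTPUT, {"111111111111"}))
```

Run it as-is to see the two flagged statements in the constructed sample; call `remediate("my-function", {"<your-account-id>"})` with credentials for a dry run that lists the Sids it would remove, and `dry_run=False` to remove them, then re-run `aws lambda get-policy` to verify, as the CLI steps above do.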