Check cross account access remediation

Using Console

Using CLI

To remediate the misconfiguration in AWS, you can follow the below steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the Lambda functions in your AWS account:
```
aws lambda list-functions
```
Identify the Lambda function that is allowing cross-account access.
Run the following command to update the Lambda function’s resource-based policy to deny cross-account access:
```
aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
```
Replace <function-name> with the name of the Lambda function that is allowing cross-account access, and <statement-id> with the ID of the statement that allows cross-account access. For example:
```
aws lambda remove-permission --function-name my-function --statement-id AllowCrossAccountAccess
```
Verify that the resource-based policy has been updated by running the following command:
```
aws lambda get-policy --function-name <function-name>
```
Replace <function-name> with the name of the Lambda function that you updated. The output should show that the resource-based policy now denies cross-account access.
Repeat steps 4-5 for any other Lambda functions that are allowing cross-account access.
Once you have updated all the Lambda functions, verify that cross-account access is no longer allowed by attempting to access the Lambda function from a different AWS account.

By following these steps, you can remediate the misconfiguration and ensure that Lambda functions do not allow cross-account access in AWS.

Using Python

To remediate the issue of Lambda functions allowing cross-account access in AWS, you can follow these steps using Python:

Open the AWS Lambda console.
Click on the Lambda function that is allowing cross-account access.
Under the “Configuration” tab, click on “Permissions”.
Click on the “Remove” button next to the role that is allowing cross-account access.
Click on the “Add Permission” button.
Select the “AWS Service” radio button.
Choose the service that needs access to the Lambda function.
Choose the “Use a permission policy” option.
In the policy editor, add the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:<region>:<account-id>:function:<function-name>",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/<function-name>:*"
        }
      }
    }
  ]
}

Replace <region>, <account-id>, and <function-name> with the appropriate values for your Lambda function.

Click on the “Add” button to save the new permission policy.

This policy will deny access to the Lambda function from any AWS account except for the specified service, and only if the request originates from the specified log group.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Check cross account access remediation

Triage and Remediation

Remediation