Lambda Functions Should Not Be Publicly Accessible
More Info:
Any publicly accessible AWS Lambda function should be identified and its access policy updated in order to protect against unauthorized users sending requests to invoke the function.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, PCIDSS, NIST, SOC2, HITRUST, AWSWAF, NISTCSF
Triage and Remediation
Remediation
Here are the step-by-step instructions to remediate the issue of publicly accessible Lambda functions in the AWS console:
- Log in to your AWS Management Console.
- Navigate to the AWS Lambda service.
- Select the Lambda function that you want to remediate.
- Click on the “Configuration” tab.
- Scroll down to the “Network” section.
- Under “Network”, you will see the “Lambda function” section. Click on the “Edit” button.
- You will see the “Configure Function” page. Under the “General configuration” section, you will see the “VPC” and “Public network access” options.
- Select the VPC that the Lambda function should be associated with.
- Under “Public network access”, select “Disable” to prevent the Lambda function from being publicly accessible.
- Click on the “Save” button to save the changes.
Once you have completed these steps, your Lambda function will no longer be publicly accessible and will only be accessible within the specified VPC.
To remediate the issue of Lambda Functions being publicly accessible in AWS, you can follow the steps below:
- Open the AWS CLI on your local machine.
- Run the following command to get the list of all Lambda Functions in your AWS account:
  aws lambda list-functions
- Identify the Lambda Function(s) that are publicly accessible.
- Run the following command to update the access control policy of the identified Lambda Function(s):
  aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>
  Replace <function-name> with the name of the identified Lambda Function, and <subnet-ids> and <security-group-ids> with the IDs of the subnets and security groups that you want to associate with the Lambda Function.
- Once the access control policy is updated, run the following command to verify that the Lambda Function is no longer publicly accessible:
  aws lambda get-policy --function-name <function-name>
  This should return the access control policy of the Lambda Function. Verify that the policy restricts public access to the Lambda Function.
- Repeat steps 4 and 5 for all the identified Lambda Functions that are publicly accessible.
By following the above steps, you can remediate the issue of Lambda Functions being publicly accessible in AWS.
To remediate the issue of publicly accessible Lambda functions in AWS using Python, you can follow these steps:
Step 1: Open the AWS Lambda function console.
Step 2: Select the Lambda function that you want to remediate.
Step 3: Scroll down to the “Configuration” section and click on the “Permissions” tab.
Step 4: In the “Permissions” tab, you will see a section called “Resource-based policy”. Click on the “Edit” button next to it.
Step 5: In the “Edit Resource-based policy” window, you will see the “Principal” section. This section specifies the AWS account or IAM user that is allowed to access the Lambda function.
Step 6: To remediate the issue, you need to remove the “Principal” section or replace it with a specific AWS account or IAM user that is authorized to access the Lambda function.
Step 7: You can use the following Python code to remove the “Principal” section from the Lambda function’s resource-based policy:
import boto3
import json

# Replace 'my_lambda_function' with your Lambda function name
lambda_function_name = 'my_lambda_function'

lambda_client = boto3.client('lambda')

# Get the current resource-based policy of the Lambda function.
# get_policy raises ResourceNotFoundException when the function has no policy.
response = lambda_client.get_policy(FunctionName=lambda_function_name)
policy = json.loads(response['Policy'])

# Find the statements whose 'Principal' grants access to anyone ('*' or
# {'AWS': '*'}) without a Condition narrowing down the caller.
public_sids = [
    stmt['Sid'] for stmt in policy['Statement']
    if stmt.get('Effect') == 'Allow'
    and stmt.get('Principal') in ('*', {'AWS': '*'})
    and not stmt.get('Condition')
]

# A Lambda resource-based policy is changed statement by statement:
# remove_permission deletes the statement with the given Sid, which is how
# the public 'Principal' grant is removed through the API (add_permission
# cannot replace a whole policy document).
for sid in public_sids:
    lambda_client.remove_permission(
        FunctionName=lambda_function_name,
        StatementId=sid,
    )
    print(f'Removed public statement {sid}')

print('Resource-based policy updated successfully')
Note: Make sure that you have the necessary permissions to modify the Lambda function’s resource-based policy.
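As an added example that is not part of the original page, the following check supports the CLI verification step ("verify that the policy restricts public access") and Step 5 above: it parses a Lambda resource-based policy document as returned by get-policy and reports the statements that let any principal invoke the function. A wildcard principal pinned by a caller-scoping condition (aws:SourceAccount, aws:SourceArn, aws:PrincipalOrgID and the like; that key set is my assumption) is treated as scoped rather than public, while a condition that only selects the invocation mode (such as lambda:FunctionUrlAuthType) is still public. The sample policy is constructed.

```python
import json

# Condition keys that pin a wildcard principal to a specific caller, so a
# statement carrying one is scoped rather than anonymous (assumed list).
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalaccount",
                "aws:principalorgid", "aws:sourcevpc", "aws:sourcevpce"}

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def _caller_scoped(condition):
    """True if any condition key restricts who may invoke, not just how."""
    return any(key.lower() in SCOPING_KEYS
               for block in (condition or {}).values() for key in block)

def public_statement_ids(policy_json):
    """Return the Sids of Allow statements that let any principal invoke."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal"))
            and not _caller_scoped(s.get("Condition"))]

# Constructed sample policy (not from any real account) for a local run.
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "S3Trigger", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
    {"Sid": "PublicUrl", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunctionUrl", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})

if __name__ == "__main__":
    print(public_statement_ids(SAMPLE_POLICY))  # ['AnyoneCanInvoke', 'PublicUrl']
```

Feed it the "Policy" string from get-policy output for each function listed by list-functions; an empty result means no anonymous invoke grant was found in that function's resource-based policy.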