Publicly accessible remediation

Using Console

Using CLI

To remediate the issue of Lambda Functions being publicly accessible in AWS, you can follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to get the list of all Lambda Functions in your AWS account:

aws lambda list-functions

Identify the Lambda Function(s) that are publicly accessible.
Run the following command to update the access control policy of the identified Lambda Function(s):

aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>

Replace <function-name> with the name of the identified Lambda Function and <subnet-ids> and <security-group-ids> with the IDs of the subnets and security groups that you want to associate with the Lambda Function.

Once the access control policy is updated, run the following command to verify that the Lambda Function is no longer publicly accessible:

aws lambda get-policy --function-name <function-name>

This should return the access control policy of the Lambda Function. Verify that the policy restricts public access to the Lambda Function.

Repeat steps 4 and 5 for all the identified Lambda Functions that are publicly accessible.

By following the above steps, you can remediate the issue of Lambda Functions being publicly accessible in AWS.

Using Python

To remediate the issue of publicly accessible Lambda functions in AWS using Python, you can follow these steps:Step 1: Open the AWS Lambda function console.Step 2: Select the Lambda function that you want to remediate.Step 3: Scroll down to the “Configuration” section and click on the “Permissions” tab.Step 4: In the “Permissions” tab, you will see a section called “Resource-based policy”. Click on the “Edit” button next to it.Step 5: In the “Edit Resource-based policy” window, you will see the “Principal” section. This section specifies the AWS account or IAM user that is allowed to access the Lambda function.Step 6: To remediate the issue, you need to remove the “Principal” section or replace it with a specific AWS account or IAM user that is authorized to access the Lambda function.Step 7: You can use the following Python code to remove the “Principal” section from the Lambda function’s resource-based policy:

import boto3
import json

# Replace 'lambda_function_name' with your Lambda function name
lambda_function_name = 'my_lambda_function'

lambda_client = boto3.client('lambda')

# Get the current resource-based policy of the Lambda function
response = lambda_client.get_policy(FunctionName=lambda_function_name)
policy = json.loads(response['Policy'])

# Remove the 'Principal' section from the resource-based policy
del policy['Statement'][0]['Principal']

# Update the resource-based policy of the Lambda function
lambda_client.add_permission(
    FunctionName=lambda_function_name,
    StatementId='1',
    Action='lambda:InvokeFunction',
    Principal='',
    SourceArn='',
    SourceAccount='',
    EventSourceToken='',
    Qualifier='',
    RevisionId='',
    Policy=json.dumps(policy)
)

print('Resource-based policy updated successfully')

Note: Make sure that you have the necessary permissions to modify the Lambda function’s resource-based policy.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Publicly accessible remediation

Triage and Remediation

Remediation