Description:

AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. It is also used to extend other AWS services with custom logic, or to build your own back-end services that operate at AWS scale, performance, and security.

The code you run on AWS Lambda is called a Lambda function. Functions are stateless. After uploading your code, you associate the function with the AWS resources or event sources (for example an S3 bucket or an SNS topic) that are allowed to invoke it; those grants are recorded in the function's resource-based policy.


Rationale:

Identify any publicly accessible AWS Lambda functions and update their resource-based policies so that only the intended principals can send invoke requests. A function whose policy allows any principal to call lambda:InvokeFunction can be invoked by anyone on the internet, which exposes whatever the function does and whatever its execution role can reach, and incurs cost on every call.


Impact:

Once public access is prohibited, unauthorized or malicious users can no longer invoke the function over the internet, so they cannot trigger its logic or abuse the permissions of its execution role. Any legitimate caller that relied on the open statement (for example a cross-account caller or an unauthenticated function URL) must be granted access explicitly, or it will start receiving AccessDenied errors.


Default value:

By default, a newly created Lambda function has no resource-based policy, so nothing outside the owning account can invoke it. Statements are added only when you explicitly grant a principal permission, for example when you configure a trigger, create a function URL, or run add-permission.


Pre-Requisite:

  • Sign in as an admin or IAM user with the required permissions

  • Decide the principal, action, and conditions (source ARN, source account) for each policy statement

  • Note down the policy statement configurations as backup


Remediation:


Test Plan:

  1. Log in to the AWS Management Console.

  2. Go to the Lambda dashboard at https://console.aws.amazon.com/lambda/.

  3. Click Functions in the navigation pane

  4. Choose the Lambda function that you want to examine and click on the function name

  5. Go to the Configuration tab and choose Permissions

  6. Scroll down to the Resource-based policy section and click on the policy statement that exists

  7. The statement is displayed; verify that it names a specific principal and, where the principal is an AWS service, that it carries a source condition

If the Principal element has one of the following values: "*" or { "AWS": "*" } and the statement has no Condition, the function is public. Two related cases also deserve attention: a statement whose principal is a service (for example sns.amazonaws.com) but which has no aws:SourceArn or aws:SourceAccount condition lets that service invoke the function on behalf of any AWS account, and the statement Lambda writes for a function URL with auth type NONE is public even though it contains a Condition on lambda:FunctionUrlAuthType.


Using AWS CLI:

To list the resource-based policy attached to a Lambda function (the Policy field in the response is the policy document serialized as a JSON string):

aws lambda get-policy \
    --function-name <value>


Implementation Steps:

  1. Log in to the AWS Management Console.

  2. Go to the Lambda dashboard at https://console.aws.amazon.com/lambda/.

  3. Click Functions in the navigation pane

  4. Choose the Lambda function that you want to modify and click on the function name

  5. Go to the Configuration tab and choose Permissions

  6. Scroll down to the Resource-based policy section, select the public policy statement, and click Edit

  7. Replace the wildcard principal with the specific principal (account, IAM principal, or service) that should invoke the function, add the source ARN or source account the grant is limited to, and click Save


Using AWS CLI:

To grant a scoped invoke permission to a Lambda function (remove the public statement first with remove-permission, passing its statement ID). The source ARN pins the grant to one SNS topic so that topics in other accounts cannot invoke the function; the topic ARN below is a placeholder:

aws lambda add-permission \
    --function-name my-function \
    --action lambda:InvokeFunction \
    --statement-id sns \
    --principal sns.amazonaws.com \
    --source-arn arn:aws:sns:us-east-1:123456789012:my-topic
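The check described in the Test Plan (a "*" principal with no Condition) and the scoping performed in the Implementation Steps can both be exercised offline against the JSON that get-policy prints. The following Python is an added example written for this page, not code from the page or from AWS; the policy document, account IDs, region, function name, topic name and revision ID are constructed placeholders. Beyond the page's rule it also flags a service principal that has no aws:SourceArn or aws:SourceAccount condition, and the statement Lambda writes for a function URL with auth type NONE, which is public despite carrying a Condition.

```python
"""Audit and harden a Lambda resource-based policy (added example, not from the page)."""
import copy
import json

# Constructed sample in the shape `aws lambda get-policy` prints. The "Policy"
# field is itself a JSON string, so it has to be decoded a second time.
# Account IDs, region, function/topic names and revision ID are placeholders.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            # Public: wildcard principal and no Condition (the page's rule).
            {"Sid": "open-invoke", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Also public: the statement Lambda writes for a function URL with
            # auth type NONE. It has a Condition, so a "no Condition" check misses it.
            {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
             "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
            # Service principal with no source condition: an SNS topic in ANY
            # AWS account can invoke the function (confused deputy).
            {"Sid": "sns", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Scoped: one named account.
            {"Sid": "partner", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Global condition keys that pin a service principal to one caller. IAM condition
# keys are case-insensitive (Lambda itself writes "AWS:SourceArn"), so compare lower-cased.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def load_policy(raw):
    """Decode get-policy output into the policy document (two JSON layers)."""
    return json.loads(json.loads(raw)["Policy"])


def is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (a list containing "*" counts too)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def condition_pairs(stmt):
    """Yield (lower-cased key, value) for every condition in the statement."""
    for operator_block in stmt.get("Condition", {}).values():
        for key, value in operator_block.items():
            yield key.lower(), value


def allows_unauthenticated_url(stmt):
    """True if the statement permits a function URL with auth type NONE."""
    values = [v for k, v in condition_pairs(stmt) if k == "lambda:functionurlauthtype"]
    return any(v == "NONE" or (isinstance(v, list) and "NONE" in v) for v in values)


def classify_statement(stmt):
    """Return one of: deny, public, conditional-wildcard, service-unscoped, scoped."""
    if stmt.get("Effect") != "Allow":
        return "deny"
    principal = stmt.get("Principal", {})
    keys = {k for k, _ in condition_pairs(stmt)}
    if is_wildcard_principal(principal):
        if not keys or allows_unauthenticated_url(stmt):
            return "public"
        return "conditional-wildcard"  # e.g. "*" limited by aws:SourceAccount; review by hand
    if isinstance(principal, dict) and "Service" in principal and not keys & SOURCE_KEYS:
        return "service-unscoped"
    return "scoped"


def audit_get_policy_output(raw):
    """Map each statement Sid to its classification."""
    return {s["Sid"]: classify_statement(s) for s in load_policy(raw)["Statement"]}


def public_statement_ids(raw):
    """Sids to hand to `aws lambda remove-permission --statement-id`."""
    return [sid for sid, verdict in audit_get_policy_output(raw).items() if verdict == "public"]


def scope_service_statement(stmt, source_arn, source_account):
    """Copy of a service-principal statement pinned to one source resource.

    This is the Condition that `add-permission --source-arn ... --source-account ...`
    writes, i.e. the same scoping the page applies in the console.
    """
    hardened = copy.deepcopy(stmt)
    cond = hardened.setdefault("Condition", {})
    cond.setdefault("ArnLike", {})["AWS:SourceArn"] = source_arn
    cond.setdefault("StringEquals", {})["AWS:SourceAccount"] = source_account
    return hardened


if __name__ == "__main__":
    for sid, verdict in audit_get_policy_output(GET_POLICY_OUTPUT).items():
        print(f"{sid:32} {verdict}")
```

To run this against a real function, pipe the output of `aws lambda get-policy --function-name <value>` into audit_get_policy_output; every Sid reported as public is a candidate for remove-permission, and service-unscoped statements should be re-created with --source-arn and --source-account.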



Backout Plan

To revert the change, repeat the implementation steps and restore the policy statement exactly as you noted it down in the pre-requisites.


Reference:

  1. lambda-function-public-access-prohibited - AWS Config

  2. What is AWS Lambda? - AWS Lambda