Description:
Lambda functions are event-driven functions that can be used to perform a variety of tasks, such as processing data, making API calls, and sending emails. By default, Lambda functions have a policy that allows them to access all AWS accounts. However, it is important to ensure that this policy is amended to only allow access to the AWS accounts that the function needs to access.
Rationale:
If the default policy is not amended, then the function could potentially access any AWS account. This could lead to data breaches, financial losses, or even system downtime.
Impact:
If the default policy is not amended, the impact on your organization could be significant: an attacker who gains access to the function could use it to read your data or to launch further attacks, leading to data breaches, financial losses, or system downtime.
Default Value:
By default, Lambda functions have a policy that allows them to access all AWS accounts. This policy is created when you create the function.
Pre-requisites:
- You must have an AWS account and be logged in to the AWS Management Console.
- You must have the lambda:CreateFunction permission.
Remediation Steps:
- Sign in to the AWS Management Console.
- Go to the AWS Lambda console.
- Select the function that you want to review.
- Click Permissions.
- Review the default policy.
- If the default policy allows the function to access all AWS accounts, amend the policy to only allow access to the AWS accounts that the function needs to access.
Test Plan:
- Verify that the default policy has been amended to only allow access to the AWS accounts that the function needs to access.
- Try to invoke the function from an AWS account that is not in the list of allowed accounts.
- If you are unable to invoke the function, then the default policy has been amended correctly.
Implementation Plan:
- Create a policy that only allows the function to access the AWS accounts that it needs to access.
- Implement the policy by attaching the policy to the function.
- Monitor the status of the policy to ensure that only authorized accounts can invoke the function.
AWS CLI Process:
- Run the following command to list the policies for the function:
aws lambda list-function-policies --function-name <function-name>
- Review the list of policies.
- If the default policy allows the function to access all AWS accounts, amend the policy to only allow access to the AWS accounts that the function needs to access.
- Run the following command to add a statement that allows only a specific AWS account to invoke the function (repeat it for each account that needs access):
aws lambda add-permission --function-name <function-name> --statement-id <statement-id> --principal <account-id> --action lambda:InvokeFunction
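As an added example that is not part of this checklist, the following Python script parses the policy document that aws lambda get-policy returns in its Policy field and reports the Allow statements that let any principal (Principal "*") invoke the function without an aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID condition. The sample policy, the account IDs and the function ARN in it are constructed for the example.

```python
import json

# Condition keys that scope a wildcard principal down to a specific caller.
# Constructed list for this example; it covers the keys Lambda commonly uses.
SCOPING_KEYS = {"aws:SourceArn", "aws:SourceAccount", "aws:PrincipalOrgID"}

def _principals(stmt):
    """Flatten the Principal element ("*" or {"AWS"/"Service": str|list}) to a list."""
    p = stmt.get("Principal", {})
    if isinstance(p, str):
        return [p]
    out = []
    for v in p.values():
        out.extend(v if isinstance(v, list) else [v])
    return out

def _condition_keys(stmt):
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(operator_block)
    return keys

def find_open_statements(policy_json):
    """Return the Sids of Allow statements that let any principal invoke the
    function without a scoping condition (input: the Policy string of get-policy)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        invokes = any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)
        if (stmt.get("Effect") == "Allow" and invokes
                and "*" in _principals(stmt)
                and not (_condition_keys(stmt) & SCOPING_KEYS)):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample policy: one statement open to every AWS account, one
# limited to a named partner account, one wildcard scoped by aws:SourceAccount.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OpenToWorld", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    {"Sid": "PartnerAccount", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    {"Sid": "ScopedWildcard", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "444455556666"}}},
]})
```

Running find_open_statements(SAMPLE_POLICY) returns only ["OpenToWorld"]; any Sid it reports is a statement to remove or scope down before the Test Plan step of invoking from a non-allowed account.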
Using AWS GUI:
- Go to the AWS Lambda console.
- Select the function that you want to review.
- Click Permissions.
- Review the default policy.
- If the default policy allows the function to access all AWS accounts, amend the policy to only allow access to the AWS accounts that the function needs to access.
- Click Save.
Backout Plan:
- If you accidentally remove a statement from the policy, you can restore it by re-adding it with the values you recorded from the original policy:
aws lambda add-permission --function-name <function-name> --statement-id <statement-id> --principal <account-id> --action lambda:InvokeFunction
- You can roll back the restricted policy to its previous statements in the same way.
Note:
- This policy only applies to Lambda functions that have the default policy that allows them to access all AWS accounts.
- You can also use the AWS CLI or the AWS Lambda API to list, describe, and attach policies to Lambda functions.
- For more information, see the Lambda documentation: https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html