Description

Lambda functions are units of code that AWS Lambda runs in response to events or to direct invocation. They can be used to perform a variety of tasks, such as processing data, sending emails, or making API calls, and they run with the permissions of their execution role.

By default, a Lambda function has no resource-based policy, so it can only be invoked by IAM principals whose identity-based policies allow lambda:InvokeFunction on it. A resource-based policy extends invoke rights to other principals, and a statement whose Principal is "*" (or {"AWS": "*"}) with no Condition restricting the caller makes the function "Public": any AWS principal in any account can invoke it through the Lambda API, and if the function has a function URL with auth type NONE (which adds a public lambda:InvokeFunctionUrl statement), anyone on the internet can invoke it with a plain HTTP request.

Rationale

There are a few reasons why a resource-based policy ends up granting access to "*". For example, someone may want to call the function from a public website, or to let another AWS service or account invoke it. Neither case needs a public policy: a website should call the function through API Gateway or a function URL with AWS_IAM auth, and an AWS service should be granted access through its service principal (for example s3.amazonaws.com) with an aws:SourceArn condition, so only the intended resource can trigger the function.

Setting the policy to "Public" carries real risk. Anyone who can invoke the function can trigger whatever the function does with its execution role, read whatever the function returns, and run it as often as they like at your expense.

Impact

If the resource-based policy grants invoke rights to "*", anyone will be able to invoke the function. Because the function runs under its execution role, an unauthorized caller can use it to reach any resource that role can access (for example to read sensitive data or make API calls on your behalf), can exfiltrate data in the function's response, and can drive up cost or exhaust concurrency by invoking it repeatedly.

Default Value

By default, a Lambda function has no resource-based policy at all, which is the "Private" state: only principals with the appropriate identity-based permissions can invoke the function.

Pre-requisites

To remediate a Lambda function whose resource-based policy is "Public", you will need the following:

  • An AWS account
  • An IAM user or role with permissions to read and modify Lambda permissions (lambda:GetPolicy and lambda:RemovePermission, and lambda:UpdateFunctionUrlConfig if a function URL is involved)

Remediation Steps

To remediate this policy, remove every resource-based policy statement that grants lambda:InvokeFunction (or lambda:InvokeFunctionUrl) to Principal "*" without a Condition restricting the caller. Here are the steps involved:

  1. Go to the AWS Lambda console.
  2. Select the Lambda function whose policy you want to change.
  3. Open the "Configuration" tab and choose "Permissions".
  4. Under "Resource-based policy statements", view the policy document and save a copy for the backout plan.
  5. Select each statement whose principal is "*" and click "Delete", then confirm.
  6. If the function has a function URL with auth type "NONE", change it to "AWS_IAM" or delete the URL; the public lambda:InvokeFunctionUrl statement is what lets unauthenticated requests through.

Do not edit the Principal element to "*": that is the misconfiguration this policy detects, not the fix.

Test Plan

To verify that the resource-based policy for the Lambda function is "Private", inspect the policy itself rather than trying to call the function from a website:

  1. Run aws lambda get-policy --function-name <function-name>. If the function has no resource-based policy the call returns a ResourceNotFoundException, which is the expected "Private" state.
  2. If a policy is returned, confirm that no Allow statement has Principal "*" (or {"AWS": "*"}) for lambda:InvokeFunction or lambda:InvokeFunctionUrl unless it carries a Condition such as aws:SourceAccount or aws:SourceArn that limits the caller.
  3. If the function has a function URL, an unauthenticated request to it (for example with curl) should return HTTP 403.
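The check in step 2 is easy to get wrong by hand, because a "*" principal is only public when no condition pins it to a caller, while a service principal with a SourceArn condition is fine. The following script is an added example, not part of the original page or of any AWS tool: it audits the JSON that aws lambda get-policy returns (the Policy field is itself a JSON string), reports the statement IDs that make the function public, and emits the aws lambda remove-permission commands that would delete them. The sample policy, account IDs, bucket name and function name "fn" are constructed placeholders.

```python
import json
import sys

# Constructed sample standing in for `aws lambda get-policy` output. The Policy
# field is itself a JSON string, exactly as the CLI returns it. Account IDs, the
# function name "fn" and the bucket are placeholders, not real resources.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # Public: any AWS principal in any account may invoke.
                "Sid": "public-invoke",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:fn",
            },
            {   # Public: unauthenticated HTTP calls via a function URL (AuthType NONE).
                "Sid": "FunctionURLAllowPublicAccess",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunctionUrl",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:fn",
                "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}},
            },
            {   # Not public: a service principal pinned to one bucket ARN.
                "Sid": "s3-trigger",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:fn",
                "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
            },
            {   # Not public: wildcard principal but limited to one account.
                "Sid": "partner-account",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:111122223333:function:fn",
                "Condition": {"StringEquals": {"aws:SourceAccount": "444455556666"}},
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}

# Actions that let the principal run the function (IAM matches actions case-insensitively).
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:invokefunctionurl", "lambda:*", "*"}
# Condition keys that pin a "*" principal to a specific caller, account or organization.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalaccount", "aws:principalorgid"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    """True for "*" or {"AWS": "*"}; service and account principals are not anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_invoke(actions):
    return any(a.lower() in INVOKE_ACTIONS for a in _as_list(actions))


def _has_scoping_condition(condition):
    """True if some condition restricts who may call. ...IfExists operators do not
    count: a caller whose request lacks the key simply passes that check."""
    for operator, keys in (condition or {}).items():
        if operator.lower().endswith("ifexists"):
            continue
        if any(k.lower() in SCOPING_KEYS for k in keys):
            return True
    return False


def public_statements(policy_document):
    """Return the Sids of Allow statements that let an unrestricted "*" principal invoke."""
    doc = json.loads(policy_document)
    found = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if not _grants_invoke(stmt.get("Action", [])):
            continue
        if _has_scoping_condition(stmt.get("Condition")):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def remove_permission_commands(function_name, get_policy_output):
    """CLI commands that would delete each public statement found in get-policy output."""
    return [
        f"aws lambda remove-permission --function-name {function_name} --statement-id {sid}"
        for sid in public_statements(get_policy_output["Policy"])
    ]


if __name__ == "__main__":
    # Usage: python check_lambda_public.py [get-policy-output.json]
    # Without a file argument the constructed sample above is audited.
    output = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_GET_POLICY_OUTPUT
    for cmd in remove_permission_commands("fn", output):
        print(cmd)
```

Save the output of aws lambda get-policy --function-name <function-name> to a file and pass it as the argument; an empty result means no public statement was found. Treating the function URL statement as public even though it has a Condition is deliberate: lambda:FunctionUrlAuthType = NONE describes the exposure rather than limiting the caller.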

Implementation Plan

The implementation plan for this policy is as follows:

  1. Remove every statement in the function's resource-based policy that grants invoke rights to "*" without a restricting condition, and switch any function URL from auth type NONE to AWS_IAM.
  2. Confirm with aws lambda get-policy that no such statement remains, and that an unauthenticated request to any function URL is rejected.

AWS CLI Process

A "Public" resource-based policy is created with aws lambda add-permission using --principal "*" (update-function-configuration has no --principal option and cannot change the policy). To find and remove such a statement with the AWS CLI, first list the policy, then delete the offending statement by its Sid:

aws lambda get-policy --function-name <function-name>

aws lambda remove-permission --function-name <function-name> --statement-id <sid-of-public-statement>

Take <sid-of-public-statement> from the Sid field of the statement whose Principal is "*" in the get-policy output, and repeat for each such statement.

Using AWS GUI

To remove a "Public" resource-based policy statement from a Lambda function using the AWS console, you can follow these steps:

  1. Go to the AWS Lambda console.
  2. Select the Lambda function whose policy you want to change.
  3. Open the "Configuration" tab and choose "Permissions".
  4. Under "Resource-based policy statements", view the policy document and save a copy for the backout plan.
  5. Select each statement whose principal is "*" and click "Delete", then confirm.
  6. If the function has a function URL with auth type "NONE", change it to "AWS_IAM" or delete the URL.

Backout Plan

To back out, re-create the removed statement with aws lambda add-permission, using the same --statement-id, --action and --principal values (and any --source-arn or --source-account) recorded from the get-policy output before remediation, or add it back in the console. Keep that saved policy document until the change has been confirmed.

Note

The resource-based policy is exactly the mechanism AWS services use to invoke a function: an Amazon S3 event notification, for example, requires a statement granting lambda:InvokeFunction to the service principal s3.amazonaws.com. Such statements are not "Public" and should be kept, but they should carry an aws:SourceArn condition (and, for S3, aws:SourceAccount) so that only the intended bucket in your own account can trigger the function; without it, a bucket in any other account could invoke the function through the service (the confused-deputy problem).

Reference

  • AWS Lambda documentation: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

Section 2: Tags and Keywords

  • Tags: Lambda, policy, public, security
  • Keywords: resource-based policy, access control, security