Profile Applicability:

  • Level 1

Description:

AWS Lambda supports resource-based policies, which grant other AWS accounts or AWS services permission to invoke your Lambda functions. A resource-based policy is typically used to let Amazon S3, API Gateway, or another service invoke the function. Setting a function's resource-based policy to public (a statement whose principal is "*" with no condition restricting the caller, so that any AWS account, or anyone on the internet via a function URL, can invoke it) poses significant security risk, including unauthorized invocation and misuse of your function.

This SOP ensures that Lambda functions are not publicly accessible by verifying that their resource-based policies do not grant invoke permission to a wildcard principal.

Rationale:

Security Risk: A public Lambda function policy exposes the function to anyone on the internet, increasing the risk of unauthorized access and potential abuse.

Access Control: Ensuring that Lambda functions have properly configured resource-based policies helps maintain strict access control, limiting invocations to trusted AWS accounts or services.

Compliance: Many compliance frameworks (e.g., SOC 2, PCI DSS, HIPAA) require that access to serverless resources like Lambda be tightly controlled and not publicly accessible.

Prevent Misuse: Public policies can lead to potential misuse, where malicious actors invoke the function for unauthorized purposes, potentially leading to service degradation, data leakage, or financial costs.

Impact:

Pros:

Improved Security: By restricting Lambda access to trusted sources, you reduce the risk of unauthorized or malicious invocations.

Better Access Control: Ensures that only designated AWS accounts or services can invoke the Lambda function, providing tighter security.

Compliance: Helps meet security best practices and regulatory requirements for access control.

Cons:

Administrative Overhead: Verifying and adjusting Lambda policies may require additional configuration effort.

Limited Access: A function that is intentionally reachable by unauthenticated callers (for example through a function URL with auth type NONE) cannot pass this check and must be recorded as a documented exception. A public API does not by itself require a public function policy: front the function with API Gateway or a function URL using IAM authorization, and grant invoke permission only to that service.

Default Value:

By default, a newly created Lambda function has no resource-based policy at all, so no other account or service can invoke it. If a function needs to be invoked by an external account or service, that permission must be granted explicitly (with add-permission, or by the console when an event source is configured). A policy becomes public only when such a grant uses a wildcard principal without a restricting condition, which is easy to do inadvertently.

Pre-requisite:

AWS IAM Permissions:

lambda:ListFunctions

lambda:GetPolicy

lambda:RemovePermission

lambda:AddPermission (required only if a public statement is to be replaced by a restricted one)

AWS CLI installed and configured.

The functions to be reviewed must exist in the target account and region, and the credentials in use must be able to read their resource-based policies.

Remediation:

Test Plan:

Using AWS Console:

Sign in to the AWS Management Console.

Navigate to AWS Lambda under Services.

In the Lambda Dashboard, select the function you want to review.

Under the Configuration tab, go to Permissions and look for Resource-based policy.

If a statement in the policy has "Effect": "Allow" and a Principal of "*" (or {"AWS": "*"}) and carries no Condition that restricts the caller (such as aws:SourceArn, aws:SourceAccount or aws:PrincipalOrgID), the Lambda function is publicly accessible. A "*" principal whose only condition is lambda:FunctionUrlAuthType set to NONE is also public, since that is the grant behind an unauthenticated function URL.

If a Lambda function has a public policy, modify it by limiting the Principal to trusted AWS accounts, roles, or services.

Using AWS CLI:

To check if the resource-based policy for a Lambda function allows public access, run:

aws lambda get-policy --function-name <function-name>

The Policy value in the output is a JSON policy document embedded as a string. Inspect each statement: an Allow statement whose Principal is "*" (or {"AWS": "*"}) with no Condition restricting the caller makes the function publicly invocable. If the command fails with ResourceNotFoundException, the function has no resource-based policy at all and is not affected.

If a public statement exists, remove it by statement ID (the Sid value of that statement):

aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

Alternatively, replace it with a permission that names the trusted caller. When the principal is an AWS service (for example s3.amazonaws.com), also pass --source-arn and --source-account; otherwise any resource in any account that uses that service could invoke the function through it (the confused-deputy problem):

aws lambda add-permission --function-name <function-name> --principal <trusted-principal> --statement-id <new-statement-id> --action lambda:InvokeFunction --source-arn <source-arn> --source-account <source-account-id>

Implementation Steps:

Using AWS Console:

Log in to the AWS Management Console and navigate to AWS Lambda.

In the Lambda Dashboard, select the function you want to check.

Under the Configuration tab, click on Permissions.

Review the Resource-based policy section:

If you see any public statement, such as "Principal": "*" or "Principal": {"AWS": "*"} without a restricting Condition, modify the policy by restricting it to the required principals (e.g., specific AWS accounts or services, with the source ARN and account for services).

Save the changes to ensure the Lambda function is no longer publicly accessible.

Using AWS CLI:

To retrieve the Lambda function's resource-based policy, run:

aws lambda get-policy --function-name <function-name>

If the policy contains a public statement, remove it using that statement's Sid:

aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

To add a more restrictive permission in its place (for a service principal, pin the grant to the specific source resource and account):

aws lambda add-permission --function-name <function-name> --principal <trusted-principal> --statement-id <new-statement-id> --action lambda:InvokeFunction --source-arn <source-arn> --source-account <source-account-id>
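The CLI check described under Test Plan and repeated here can be automated. The following is an added example and is not part of this SOP or of any AWS tooling: it parses the output of get-policy (a JSON document embedded as a string), classifies each Allow statement as public, conditional or scoped, and, when boto3 and credentials are available, walks every function in a region. The function ARN, account IDs, bucket name, organization ID and statement IDs in the sample are constructed; the set of condition keys treated as genuinely narrowing a wildcard principal is this example's own assumption.

```python
"""Audit Lambda resource-based policies for wildcard principals (added example)."""
import json

# Constructed sample in the shape `aws lambda get-policy` returns. The "Policy"
# member is itself a JSON document serialised as a string, so it is parsed twice.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "AllowAnyoneToInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "AllowAnyAwsAccount", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},  # same thing, object form
        {"Sid": "AllowS3BucketNotifications", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                       "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::demo-uploads"}}},
        {"Sid": "AllowOrgOnly", "Effect": "Allow", "Principal": "*",  # wildcard, but narrowed
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PublicFunctionUrl", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
    ]}),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Condition keys assumed to genuinely narrow a wildcard principal. lambda:FunctionUrlAuthType
# is deliberately absent: a "*" statement carrying only that key is an unauthenticated URL.
SCOPING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:principalorgid", "aws:principalaccount",
    "aws:principalarn", "aws:sourcevpce", "aws:sourcevpc",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"} (also inside a list); service principals are not wildcards."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _condition_keys(statement):
    cond = statement.get("Condition") or {}
    return {key.lower() for operator in cond.values() for key in operator}


def classify_policy(get_policy_output):
    """Return one verdict per Allow statement: public, conditional or scoped."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            verdict = "scoped"
        elif _condition_keys(stmt) & SCOPING_CONDITION_KEYS:
            verdict = "conditional"  # wildcard narrowed by a condition: review by hand
        else:
            verdict = "public"       # anyone may call the listed actions
        findings.append({"sid": stmt.get("Sid"), "verdict": verdict,
                         "actions": _as_list(stmt.get("Action", []))})
    return findings


def public_sids(get_policy_output):
    """Statement IDs to hand to remove-permission."""
    return [f["sid"] for f in classify_policy(get_policy_output) if f["verdict"] == "public"]


def audit_account(region="us-east-1"):
    """Walk every function in the region and report findings (needs boto3 and credentials)."""
    import boto3  # imported here so the parsing logic above runs without it
    client = boto3.client("lambda", region_name=region)
    report = {}
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            try:
                raw = client.get_policy(FunctionName=fn["FunctionName"])
            except client.exceptions.ResourceNotFoundException:
                continue  # no resource-based policy at all: nothing to flag
            findings = classify_policy(json.dumps({"Policy": raw["Policy"]}))
            if findings:
                report[fn["FunctionName"]] = findings
    return report


if __name__ == "__main__":
    for f in classify_policy(SAMPLE_GET_POLICY_OUTPUT):
        print(f"{f['verdict']:<12} {f['sid']:<28} {','.join(f['actions'])}")
```

The unqualified get-policy call covers the $LATEST policy only; a version or alias that has its own policy needs a separate call with --qualifier (or Qualifier in boto3). Treat "conditional" findings as items for manual review rather than as passes, since a condition on a wildcard principal is only as strong as the key it uses.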

Backout Plan:

Console Process

  1. Before remediating, record the existing policy:

    • Open the AWS Lambda console, select the function, go to the Configuration tab and select Permissions.

    • Under Resource-based policy, click View policy document and save a copy, noting the statement ID (Sid), principal, action and any conditions of every statement you intend to remove.

  2. To back out, re-create the removed statement:

    • Under Resource-based policy, add a permission with the saved principal, action and statement ID, then save.

    • Re-open View policy document and confirm the statement is present again.

CLI Process

Before remediating, save the output of get-policy for the function to a file:

aws lambda get-policy --function-name <function-name>

  1. Back out by re-adding the removed statement:

    • Run aws lambda add-permission (as in Implementation Steps) with the saved statement ID, principal and action. If the saved statement carried a condition on the source ARN or source account, restore it with the matching --source-arn or --source-account option; remove-permission deletes the whole statement, so every field must be supplied again.

  2. Check the Output:

    • Run get-policy again and confirm that the restored statement, with the same Sid and principal, is back in the policy.
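As an added example (not part of this SOP or of AWS's own tooling) covering both the Implementation Steps and the Backout Plan above: the pure functions below diff a saved policy against the live one and translate saved statements back into the arguments add-permission accepts, which is what a backout actually needs, since remove-permission deletes the whole statement. The boto3 wrappers perform the remediation and the backout and default to dry-run. The function name, ARNs, account IDs, bucket name and statement IDs in the sample policies are constructed; the mapping of condition keys to add-permission parameters covers only the keys that API can express.

```python
"""Remediate a public Lambda policy and back the change out (added example)."""
import json
import re

# Condition keys add-permission can express, mapped to its parameter names.
# A saved statement using any other key cannot be recreated by add-permission.
CONDITION_TO_PARAM = {
    "aws:sourcearn": "SourceArn",
    "aws:sourceaccount": "SourceAccount",
    "aws:principalorgid": "PrincipalOrgID",
    "lambda:functionurlauthtype": "FunctionUrlAuthType",
}
ACCOUNT_ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")

# Constructed sample policies: the one saved before remediation and the live one after it.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
PARTNER = {"Sid": "AllowPartnerAccount", "Effect": "Allow",
           "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
           "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
SAVED_POLICY = {"Version": "2012-10-17", "Id": "default", "Statement": [
    {"Sid": "AllowAnyoneToInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    PARTNER,
]}
CURRENT_POLICY = {"Version": "2012-10-17", "Id": "default", "Statement": [
    PARTNER,
    {"Sid": "AllowS3FromUploadsBucket", "Effect": "Allow",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                   "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::demo-uploads"}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def restore_kwargs(statement, function_name):
    """Translate one saved policy statement back into add_permission() arguments."""
    actions = _as_list(statement["Action"])
    principal = statement["Principal"]
    if isinstance(principal, dict) and len(principal) == 1:
        principal = next(iter(principal.values()))  # {"AWS": ...} or {"Service": ...}
    if len(actions) != 1 or not isinstance(principal, str):
        raise ValueError("add-permission takes exactly one action and one principal")
    root = ACCOUNT_ROOT_ARN.match(principal)  # Lambda stores an account ID as its root ARN
    kwargs = {"FunctionName": function_name, "StatementId": statement["Sid"],
              "Action": actions[0], "Principal": root.group(1) if root else principal}
    for operator in (statement.get("Condition") or {}).values():
        for key, value in operator.items():
            param = CONDITION_TO_PARAM.get(key.lower())
            if param is None:
                raise ValueError(f"condition key {key} cannot be restored with add-permission")
            kwargs[param] = value
    return kwargs

def scoped_permission(function_name, service, source_arn, source_account, sid):
    """Replacement grant: names the calling service and pins it to one source resource."""
    return {"FunctionName": function_name, "StatementId": sid, "Action": "lambda:InvokeFunction",
            "Principal": service, "SourceArn": source_arn, "SourceAccount": source_account}

def backout_plan(saved_policy, current_policy, function_name):
    """Diff saved against live: statement IDs to remove and add_permission() calls to make."""
    saved = {s["Sid"]: s for s in _as_list(saved_policy["Statement"])}
    live = {s["Sid"] for s in _as_list(current_policy["Statement"])}
    remove = sorted(live - set(saved))
    add = [restore_kwargs(saved[sid], function_name) for sid in sorted(set(saved) - live)]
    return remove, add

def remediate(function_name, remove_sids, replacement, backup_path, dry_run=True):
    """Save the live policy to backup_path, drop the public statements, add the scoped grant."""
    import boto3  # imported here so the pure logic above runs without it
    client = boto3.client("lambda")
    policy = json.loads(client.get_policy(FunctionName=function_name)["Policy"])
    with open(backup_path, "w") as fh:  # backout material: the policy before any change
        json.dump(policy, fh, indent=2)
    if not dry_run:
        for sid in remove_sids:
            client.remove_permission(FunctionName=function_name, StatementId=sid)
        client.add_permission(**replacement)
    return policy

def backout(function_name, backup_path, dry_run=True):
    """Restore the saved policy: remove what remediation added, re-add what it removed."""
    import boto3
    client = boto3.client("lambda")
    with open(backup_path) as fh:
        saved = json.load(fh)
    current = json.loads(client.get_policy(FunctionName=function_name)["Policy"])
    remove, add = backout_plan(saved, current, function_name)
    if not dry_run:
        for sid in remove:
            client.remove_permission(FunctionName=function_name, StatementId=sid)
        for kwargs in add:
            client.add_permission(**kwargs)
    return remove, add
```

A typical run is remediate("demo", ["AllowAnyoneToInvoke"], scoped_permission("demo", "s3.amazonaws.com", "arn:aws:s3:::demo-uploads", "111122223333", "AllowS3FromUploadsBucket"), "demo-policy-backup.json", dry_run=False), followed by backout("demo", "demo-policy-backup.json") if the change has to be reversed. Both wrappers read the policy through the same API the SOP's get-policy command uses, and restore_kwargs raises rather than silently dropping a condition it cannot express, so a backout never produces a broader grant than the one that was saved.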

Note:

Network Controls: VPC configuration and security groups govern the network traffic a Lambda function originates once it is running; they do not control who may invoke it. Invocation is governed by the function's resource-based policy and by the caller's IAM permissions, so the resource-based policy must be kept tight regardless of VPC settings.

Monitoring: After making changes, monitor your Lambda function’s logs and invocations to ensure that it is functioning as expected and that no unintended access occurs.

References:

AWS Lambda Documentation: Resource-Based Policies

AWS CLI: add-permission

AWS CLI: remove-permission

AWS CLI: get-policy

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 3.4 | Encrypt Data on End-User Devices | | |
v8 | 6.7 | Centralize Access Control | | |
v8 | 6.8 | Define and Maintain Role-Based Access Control | | |
v8 | 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | | |