Profile Applicability:

  • Level 1

Description:
AWS Lambda functions execute based on the permissions defined in their execution role, which is governed by AWS Identity and Access Management (IAM) policies. To minimize the risk of unauthorized access, it's essential to ensure that Lambda functions do not permit unknown cross-account access via these permission policies. Cross-account access should be carefully controlled to ensure that only authorized AWS accounts or IAM roles can invoke or interact with the Lambda functions.

Rationale:
Allowing unknown or overly permissive cross-account access increases the risk of unauthorized entities invoking Lambda functions. Cross-account permissions should be granted only when necessary, and only specific trusted AWS accounts or IAM roles should be allowed to invoke Lambda functions. Misconfigured or overly broad cross-account access can lead to potential security vulnerabilities, including unauthorized data exposure, manipulation, or misuse of services.

Key Risks:

  • Unauthorized access: Permitting unknown accounts or roles to access Lambda functions can lead to exploitation, malicious usage, or exposure of sensitive data.

  • Data integrity issues: Unauthorized access can result in unintended modifications or tampering with data.

  • Non-compliance: Regulatory standards such as HIPAA, PCI-DSS, and SOC 2 require strict control over who can access and invoke resources. Allowing unknown cross-account access could result in non-compliance.

Impact:
Pros:

  • Improved security by restricting Lambda function access to trusted and known AWS accounts.

  • Reduced attack surface by ensuring that only authorized accounts can invoke the function.

  • Helps maintain compliance with data protection regulations and internal security policies.

Cons:

  • Requires regular reviews and careful configuration of IAM policies and roles.

  • May need additional administrative effort to ensure that cross-account access is appropriately managed and restricted.

  • Changes to permission policies could temporarily affect access to Lambda functions by trusted accounts if not properly configured.

Default Value:
By default, Lambda functions only allow access to accounts or IAM roles explicitly granted permission. However, if IAM policies are overly permissive or misconfigured, they may inadvertently allow unknown cross-account access.

Pre-requisites:

  • AWS Identity and Access Management (IAM) permissions to manage Lambda execution roles and policies.

  • Awareness of the AWS accounts that should have access to the Lambda functions and the IAM roles in use.

  • Regular audits of IAM roles and policies related to Lambda functions to ensure that only authorized accounts can invoke the functions.

Remediation:

Test Plan:
Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Lambda service and select the function you wish to inspect.

  3. Under the "Configuration" tab, find the "Execution role" section. Click the role name to open the role in the IAM console.

  4. Review the policy attached to the IAM role. Ensure there are no Principal elements in the policy that allow cross-account access from unknown or unauthorized AWS accounts.

  5. If the policy contains overly permissive statements, modify them to restrict access to trusted accounts or IAM roles only.

  6. Ensure that aws:SourceArn or aws:SourceAccount conditions are defined to limit the scope of cross-account access.

  7. Test the Lambda function after making modifications to ensure that only authorized accounts can invoke the function.

Using AWS CLI:

  1. Use the following AWS CLI command to retrieve the IAM role associated with the Lambda function:
     aws lambda get-function-configuration --function-name <function-name> --query "Role"

  2. Retrieve the IAM policy attached to the Lambda execution role using the following command:
     aws iam get-role-policy --role-name <role-name> --policy-name <policy-name>

  3. Review the policy to ensure that it does not allow unknown cross-account access.

  4. Modify the IAM policy using the command to restrict access to trusted accounts or IAM roles only:
     aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://updated-policy.json
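As an added check (example code written for this page, not the benchmark's own tooling), the script below parses a constructed Lambda resource-based policy in the shape `aws lambda get-policy` returns inside its "Policy" field and flags what steps 4 and 6 of the console test plan describe: principals outside a trusted-account list, and service principals that lack an aws:SourceArn or aws:SourceAccount condition. The account IDs, function ARN and trusted-account list are placeholders.

```python
import json

# Constructed sample of a Lambda resource-based policy (placeholder account IDs/ARN).
OWN_ACCOUNT = "999999999999"
TRUSTED_ACCOUNTS = {OWN_ACCOUNT, "111111111111"}   # assumption: accounts allowed to invoke
FUNC_ARN = "arn:aws:lambda:us-east-1:999999999999:function:demo"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TrustedAccount", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Resource": FUNC_ARN},
    {"Sid": "UnknownAccount", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/Deploy"}, "Resource": FUNC_ARN},
    {"Sid": "S3Unscoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"}, "Resource": FUNC_ARN},
    {"Sid": "S3Scoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"}, "Resource": FUNC_ARN,
     "Condition": {"StringEquals": {"AWS:SourceAccount": OWN_ACCOUNT}}},
    {"Sid": "Anyone", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": "*", "Resource": FUNC_ARN},
]})

def principal_accounts(principal):
    """Account IDs named in a Principal element; '*' means anonymous / any account."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    accounts = set()
    for p in [aws] if isinstance(aws, str) else aws:
        # ARN form arn:aws:iam::123456789012:root|user/x|role/y, a bare 12-digit ID, or "*"
        accounts.add(p.split(":")[4] if p.startswith("arn:") else p)
    return accounts

def has_source_condition(stmt):
    """True if the statement is pinned with aws:SourceArn/aws:SourceAccount (keys are case-insensitive)."""
    keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
    return bool(keys & {"aws:sourcearn", "aws:sourceaccount"})

def unknown_cross_account(policy_json, trusted=TRUSTED_ACCOUNTS):
    """Return [(Sid, reason)] for Allow statements that reach beyond `trusted`."""
    findings = []
    for s in json.loads(policy_json)["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal", {})
        for acct in sorted(principal_accounts(principal) - trusted):
            findings.append((s.get("Sid"), f"principal outside trusted accounts: {acct}"))
        # A service principal can be driven from any account's resources unless pinned to a source.
        if principal != "*" and "Service" in principal and not has_source_condition(s):
            findings.append((s.get("Sid"), "service principal without aws:SourceArn/SourceAccount"))
    return findings
```

Principal elements live in the function's resource-based policy and in the role's trust policy, not in the role's permission policy, so feed the script those documents (for example the "Policy" string from `aws lambda get-policy`).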

Implementation Plan:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Lambda.

  2. Select the Lambda function and review the execution role attached to it.

  3. In the IAM console, review the policies associated with the Lambda execution role.

  4. Modify any policy to ensure that only trusted accounts or IAM roles are listed in the Principal field for actions like lambda:InvokeFunction.

  5. If necessary, update the role’s trust relationships to ensure only trusted accounts can assume the role.

  6. Save and deploy the updated policies.

  7. Test the Lambda function to verify that only authorized accounts can invoke the function.

Using AWS CLI:

  1. Retrieve the IAM role associated with the Lambda function using the following command:

     aws lambda get-function-configuration

  2. Retrieve the associated IAM policy and check that its Principal elements are properly restricted:

     aws iam get-role-policy

  3. Modify the role policy to ensure that cross-account access is only allowed for authorized accounts:

     aws iam put-role-policy

  4. Test the Lambda function after updating the policy to ensure that access is restricted.

Backout Plan:

Using AWS Console:

  1. If issues occur after modifying the permissions, navigate to the IAM role associated with the Lambda function.

  2. Review the previous configuration or revert to a backup of the original permissions.

  3. Ensure that cross-account access is not inadvertently restricted for trusted accounts or roles.

  4. Deploy the changes and test the function to ensure it works as expected.

Using AWS CLI:

  1. If the changes caused issues, revert the IAM policy to the original version using the following command:

     aws iam put-role-policy

  2. Re-test the Lambda function to ensure the necessary accounts have access.

References:

CIS Controls:

  Version   Control ID   Control Description
  -------   ----------   -------------------
  v8        14.3         Restrict cross-account access to Lambda functions and other AWS resources to only trusted and authorized accounts.
  v7        14.3         Ensure that Lambda functions have restricted permission policies that do not allow unknown or unauthorized cross-account access.