Profile Applicability:

  • Level 1

Description:
AWS Lambda functions should not be exposed to everyone, as this can lead to unauthorized access, misuse, and security vulnerabilities. Lambda functions are typically triggered by other AWS services, APIs, or events, and access to them should be limited to authorized users, roles, accounts, and services. A function becomes reachable by everyone when its resource-based policy grants lambda:InvokeFunction to a Principal of "*" without a condition, when a function URL is created with auth type NONE, or when an API Gateway method that fronts the function has no authorization configured. Each of these increases the attack surface and opens the potential for abuse or exploitation.

Rationale:
Lambda functions are powerful and can process sensitive data or interact with critical services. Exposing them to everyone, whether intentionally or accidentally, can lead to serious security breaches, data leaks, or unauthorized operations. Access permissions for Lambda functions must be configured carefully so that they are not publicly invocable, except where public access is an explicit, documented requirement (e.g., a public API).

Impact:
 Pros:

  • Ensures Lambda functions are accessible only by authorized users or services, reducing the attack surface.

  • Limits potential exposure of sensitive data and ensures only trusted sources can interact with the function.

  • Helps maintain compliance with security standards and industry regulations.

Cons:

  • Requires regular access reviews and audits to ensure that only necessary users or services have permission to invoke the Lambda function.

  • Changes to permissions may impact integrations with other services, so testing is required to verify functionality after modifying access.

  • Could potentially limit access to legitimate use cases if not properly managed.

Default Value:
By default, a Lambda function has no resource-based policy, so it can be invoked only by principals in its own AWS account whose IAM policies grant lambda:InvokeFunction on it. Adding a resource-based policy statement with an overly broad Principal, creating a function URL with auth type NONE, or fronting the function with an API Gateway method whose authorization is NONE can expose it to the public.

Pre-requisites:

  • AWS Identity and Access Management (IAM) permissions to manage Lambda functions, roles, and policies.

  • Knowledge of the services or users that should have access to the Lambda function.

  • Regular monitoring and auditing of Lambda function access controls to ensure proper security configurations.

Remediation:

Test Plan:
 Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to the Lambda service and select the Lambda function you want to secure.

  3. In the "Configuration" tab, open "Permissions" and review the "Resource-based policy statements". The execution role governs what the function itself may do, not who may invoke it; the invoke grants live in the resource-based policy. Flag any statement with a Principal of "*" and no condition, any account you do not trust, and any service principal (for example s3.amazonaws.com or sns.amazonaws.com) that is not restricted by a SourceArn or SourceAccount condition.

  4. Under "Configuration" > "Function URL", confirm that no function URL uses auth type NONE; a function URL should use AWS_IAM unless public access is an explicit requirement.

  5. If the Lambda function is exposed via API Gateway, go to the API Gateway console, select the API, and check the Method Request settings of each method that integrates with the function. An Authorization setting of NONE means the method can be called by anyone; restrict it with IAM authorization, a Cognito user pool authorizer, or a Lambda authorizer. API keys meter usage plans and are not an authentication control on their own.

  6. Ensure that event-source permissions are not open to arbitrary sources. A grant to s3.amazonaws.com, sns.amazonaws.com, or events.amazonaws.com without a SourceArn or SourceAccount condition lets a bucket, topic, or rule in any AWS account invoke the function.

  7. If the function is triggered by an event source, confirm that the permissions to invoke the function are restricted to the intended services, sources, or accounts.

  8. Test the Lambda function to verify that only authorized accounts or services can invoke it.

Using AWS CLI:

  1. Retrieve the function's resource-based policy. The policy is returned as a JSON string inside the "Policy" field, so it must be parsed a second time:

    aws lambda get-policy --function-name <function-name>

  2. Review each Allow statement in the response. Flag any statement whose Principal is "*" (or {"AWS": "*"}) with no Condition, any statement that names an account you do not trust, and any service principal (s3.amazonaws.com, sns.amazonaws.com, events.amazonaws.com, apigateway.amazonaws.com) that is not pinned to a specific source with an AWS:SourceArn or AWS:SourceAccount condition.

  3. Remove an offending statement by its Sid (remove-permission takes --statement-id, not --principal):

    aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

  4. If the function has a function URL, confirm its AuthType is AWS_IAM rather than NONE (aws lambda get-function-url-config --function-name <function-name>; the command returns an error if no URL exists).

  5. If the function is exposed through API Gateway, list the APIs, then the resources of the relevant API, and check the authorizationType of each method that integrates with the function. A value of NONE means the method is callable without credentials:

    aws apigateway get-rest-apis
    aws apigateway get-resources --rest-api-id <rest-api-id>
    aws apigateway get-method --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>

    For HTTP APIs, use aws apigatewayv2 get-routes --api-id <api-id> and check AuthorizationType.

  6. Ensure that only authorized users, roles, accounts, or scoped service sources remain in the policy and the API configuration.

Implementation Plan:
 Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Lambda.

  2. Select the Lambda function you want to secure.

  3. In the "Configuration" tab, open "Permissions" and review the "Resource-based policy statements". Delete or tighten any statement that lets all principals, an untrusted account, or an unscoped service principal invoke the function. The execution role controls what the function may do, not who may call it, so reviewing it alone does not detect public exposure.

  4. If the function is exposed through API Gateway, go to the API Gateway console and ensure that access is restricted (e.g., using IAM authentication or API keys).

  5. Modify the permissions to restrict access only to trusted services, roles, or accounts.

  6. Save and deploy the changes.

  7. Test the Lambda function to confirm that only authorized services or users can invoke it.

Using AWS CLI:

  1. Review the Lambda function's resource-based policy:

    aws lambda get-policy --function-name <function-name>

  2. If the policy allows public access (a Principal of "*" with no Condition), or grants invoke to an account or unscoped service principal you do not intend, remove the statement by its Sid:

    aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

  3. Review the API Gateway methods that front the function and ensure that none uses authorization type NONE; access must be restricted to authenticated users or roles:

    aws apigateway get-resources --rest-api-id <rest-api-id>
    aws apigateway get-method --rest-api-id <rest-api-id> --resource-id <resource-id> --http-method <http-method>

  4. Modify the IAM roles or API Gateway settings as necessary and deploy the changes.

  5. Test the Lambda function to ensure that only authorized entities can access it.
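The review steps in the Test Plan and Implementation Plan CLI sections above can be scripted. The following Python script is an added example, not part of this benchmark or of any AWS tool. It parses the output of aws lambda get-policy (pipe it in on stdin, or run it with no input to audit the embedded sample) and flags Allow statements that grant access to everyone, to accounts outside a trusted set you supply, or to a service principal with no AWS:SourceArn/AWS:SourceAccount condition. The sample policy, the account IDs, and the TRUSTED_ACCOUNTS set are constructed for illustration and do not come from a real account.

```python
"""Audit a Lambda resource-based policy for public or over-broad invoke grants.

Reads the JSON printed by `aws lambda get-policy --function-name <name>`.
Added example; the sample data below is constructed, not real CLI output.
"""
import json
import sys

FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"  # constructed

# Constructed sample of `aws lambda get-policy` output. Note that the CLI
# returns the policy document as a JSON *string* inside the "Policy" field.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            # Anyone on the internet may invoke: the finding this control targets.
            {"Sid": "public-invoke", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Service principal with no source pin: any account's bucket can invoke.
            {"Sid": "s3-unscoped", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Same service principal, correctly scoped to one bucket in one account.
            {"Sid": "s3-scoped", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                           "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-upload-bucket"}}},
            # Role in the function's own account: expected.
            {"Sid": "same-account-role", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/invoker"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Another account: legitimate only if it is on the trusted list.
            {"Sid": "other-account", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
})

# Accounts that are allowed to invoke the function (here, only its own). Constructed.
TRUSTED_ACCOUNTS = {"111122223333"}

# Condition keys that pin a grant to a specific source or organization.
SOURCE_CONDITION_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}


def iter_principals(stmt):
    """Yield (kind, value) pairs; a bare "*" principal is yielded as ("*", "*")."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield "*", "*"
        return
    for kind, values in principal.items():
        for value in (values if isinstance(values, list) else [values]):
            yield kind, value


def has_source_condition(stmt):
    """True if any condition key restricts the caller to a source ARN, account or org."""
    keys = {key.lower() for operator in stmt.get("Condition", {}).values() for key in operator}
    return bool(keys & SOURCE_CONDITION_KEYS)


def account_of(aws_principal):
    """Return the 12-digit account ID from an IAM ARN, or the bare ID if given one."""
    return aws_principal.split(":")[4] if aws_principal.startswith("arn:") else aws_principal


def audit_policy(get_policy_output, trusted_accounts):
    """Return findings for Allow statements that grant access too widely.

    severity "public": anyone can invoke; "cross-account": another AWS account,
    or any account via an unscoped service principal, can invoke; "review":
    Principal "*" limited only by a condition key, which needs a human look.
    """
    policy = json.loads(json.loads(get_policy_output)["Policy"])  # second parse
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for kind, value in iter_principals(stmt):
            if value == "*":
                severity = "review" if has_source_condition(stmt) else "public"
                findings.append({"sid": sid, "severity": severity,
                                 "reason": 'Principal "*" grants invoke to any caller'})
            elif kind == "Service" and not has_source_condition(stmt):
                findings.append({"sid": sid, "severity": "cross-account",
                                 "reason": f"{value} has no AWS:SourceArn/AWS:SourceAccount condition"})
            elif kind == "AWS" and account_of(value) not in trusted_accounts:
                findings.append({"sid": sid, "severity": "cross-account",
                                 "reason": f"account {account_of(value)} is not in the trusted set"})
    return findings


if __name__ == "__main__":
    raw = SAMPLE_GET_POLICY_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_policy(raw, TRUSTED_ACCOUNTS):
        print(f"{f['severity']:13} {f['sid']:18} {f['reason']}")
```

Against a live function, run `aws lambda get-policy --function-name <function-name> | python audit_lambda_policy.py` (the script name is whatever you save it as). Every Sid it reports is a candidate for `aws lambda remove-permission --function-name <function-name> --statement-id <sid>`; a service principal that still needs access should be re-added with --source-arn and --source-account rather than left unscoped.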

Backout Plan:
 Using AWS Console:

  1. If issues occur after modifying the permissions, navigate back to the Lambda function's permissions and review the previous configuration.

  2. Revert any changes that unintentionally restricted access to authorized users or services.

  3. Ensure that only authorized access is allowed, and test the function to ensure it works correctly.

Using AWS CLI:

  1. If the changes caused unintended disruptions, restore a removed grant with add-permission, using the Sid and Principal from the get-policy output you saved before the change:

    aws lambda add-permission --function-name <function-name> --statement-id <statement-id> --action lambda:InvokeFunction --principal <authorized-principal>

    For a service principal (for example s3.amazonaws.com), also pass --source-arn <source-arn> and --source-account <account-id> so the restored grant stays scoped to the intended bucket, topic, or rule rather than recreating the original exposure.

  2. Re-test the Lambda function to ensure that the appropriate access is restored and only authorized entities can invoke it.

References:

CIS Controls:

Version   Control ID   Control Description
v8        14.3         Ensure that access to Lambda functions is restricted to authorized entities, preventing exposure to everyone and limiting access to trusted users and services only.
v7        14.2         Review and configure access controls to Lambda functions, ensuring that permissions do not allow public access or unauthorized entities.