> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Lambda Functions Should Not Have Administrative Permissions

### More Info:

Your Amazon Lambda functions should not have administrative permissions in order to promote the Principle of Least Privilege.

### Risk Level

High

### Address

Security

### Compliance Standards

PCIDSS, HIPAA

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Sure, here are the step-by-step instructions to remediate the misconfiguration of Lambda Functions having administrative permissions in AWS:

        1. Open the AWS Management Console and navigate to the AWS Lambda service.

        2. Select the Lambda function for which you want to remediate the misconfiguration.

        3. In the "Configuration" tab, click on the "Permissions" section.

        4. Under the "Execution role" section, click on the role name to open the "IAM Console".

        5. In the "IAM Console", click on the "Permissions" tab.

        6. Click on the "Attach policies" button.

        7. Search for the policy "AWSLambdaBasicExecutionRole" and select it.

        8. Click on the "Attach policy" button to attach the policy to the role.

        9. Remove any other policies that provide administrative permissions to the Lambda function.

        10. Save the changes and exit the "IAM Console".

        By following these steps, you will remediate the misconfiguration of Lambda Functions having administrative permissions in AWS.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the misconfiguration "Lambda Functions Should Not Have Administrative Permissions" in AWS using AWS CLI, follow the below steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to list all the Lambda functions in your AWS account:

        ```
        aws lambda list-functions
        ```

        3. Identify the Lambda function(s) that have administrative permissions.

        4. Run the following command to remove the administrative permissions from the Lambda function(s):

        ```
        aws lambda remove-permission --function-name <function_name> --statement-id <statement_id>
        ```

        Replace `<function_name>` with the name of the Lambda function and `<statement_id>` with the statement ID of the administrative permission.

        5. Verify that the administrative permission has been removed by running the following command:

        ```
        aws lambda get-policy --function-name <function_name>
        ```

        This command should return an empty policy, indicating that the Lambda function no longer has administrative permissions.

        6. Repeat steps 4 and 5 for all the Lambda functions that have administrative permissions.

        7. Once you have removed the administrative permissions from all the Lambda functions, verify the remediation by running a compliance check using a tool like AWS Config.

        By following these steps, you can remediate the misconfiguration "Lambda Functions Should Not Have Administrative Permissions" in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate this misconfiguration in AWS, you can follow these steps using Python:

        1. Identify the Lambda functions that have administrative permissions by checking the `Role` attached to the function.

        2. Create a new IAM Role with the necessary permissions that the Lambda function requires and attach it to the function. This new role should have the least privilege required for the function to operate.

        3. Update the function's execution role to the new role using the AWS SDK for Python, `boto3`.

        Here's the sample Python code:

        ```python theme={null}
        import boto3

        # Initialize the AWS clients
        lambda_client = boto3.client('lambda')
        iam_client = boto3.client('iam')

        # Get the list of all Lambda functions
        functions = lambda_client.list_functions()

        # Iterate through each function and check if it has administrative permissions
        for function in functions['Functions']:
            role_name = function['Role'].split('/')[-1]
            
            # Check if the role has administrative permissions
            policy = iam_client.get_role_policy(RoleName=role_name, PolicyName='AdministratorAccess')
            
            if 'Statement' in policy['PolicyDocument']:
                # Create a new role with the necessary permissions
                new_role = iam_client.create_role(
                    RoleName='new-lambda-role',
                    AssumeRolePolicyDocument='''{
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": "lambda.amazonaws.com"
                                },
                                "Action": "sts:AssumeRole"
                            }
                        ]
                    }'''
                )
                
                # Attach the new role to the Lambda function
                lambda_client.update_function_configuration(
                    FunctionName=function['FunctionName'],
                    Role=new_role['Role']['Arn']
                )
                
                # Update the new role with the necessary permissions
                iam_client.put_role_policy(
                    RoleName='new-lambda-role',
                    PolicyName='lambda-permissions',
                    PolicyDocument='''{
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "logs:CreateLogGroup",
                                    "logs:CreateLogStream",
                                    "logs:PutLogEvents"
                                ],
                                "Resource": "arn:aws:logs:*:*:*"
                            },
                            {
                                "Effect": "Allow",
                                "Action": [
                                    "s3:GetObject",
                                    "s3:PutObject"
                                ],
                                "Resource": "arn:aws:s3:::bucket-name/*"
                            }
                        ]
                    }'''
                )
        ```

        This code will create a new IAM Role named `new-lambda-role` with the necessary permissions for the Lambda function to operate. It will then update the function's execution role to the new role. Finally, it will update the new role with the necessary permissions.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html](https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html)
