Lambda Functions Should Not Allow Cross Account Access

More Info:

Your Amazon Lambda functions should be configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access.

Risk Level

Medium

Address

Security

Compliance Standards

HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration in AWS, you can follow the below steps:

Open the AWS CLI on your local machine or EC2 instance.
Run the following command to list all the Lambda functions in your AWS account:
```
aws lambda list-functions
```
Identify the Lambda function that is allowing cross-account access.
Run the following command to update the Lambda function’s resource-based policy to deny cross-account access:
```
aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
```
Replace <function-name> with the name of the Lambda function that is allowing cross-account access, and <statement-id> with the ID of the statement that allows cross-account access. For example:
```
aws lambda remove-permission --function-name my-function --statement-id AllowCrossAccountAccess
```
Verify that the resource-based policy has been updated by running the following command:
```
aws lambda get-policy --function-name <function-name>
```
Replace <function-name> with the name of the Lambda function that you updated. The output should show that the resource-based policy now denies cross-account access.
Repeat steps 4-5 for any other Lambda functions that are allowing cross-account access.
Once you have updated all the Lambda functions, verify that cross-account access is no longer allowed by attempting to access the Lambda function from a different AWS account.

By following these steps, you can remediate the misconfiguration and ensure that Lambda functions do not allow cross-account access in AWS.

Using Python

To remediate the issue of Lambda functions allowing cross-account access in AWS, you can follow these steps using Python:

Open the AWS Lambda console.
Click on the Lambda function that is allowing cross-account access.
Under the “Configuration” tab, click on “Permissions”.
Click on the “Remove” button next to the role that is allowing cross-account access.
Click on the “Add Permission” button.
Select the “AWS Service” radio button.
Choose the service that needs access to the Lambda function.
Choose the “Use a permission policy” option.
In the policy editor, add the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:<region>:<account-id>:function:<function-name>",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:logs:<region>:<account-id>:log-group:/aws/lambda/<function-name>:*"
        }
      }
    }
  ]
}

Replace <region>, <account-id>, and <function-name> with the appropriate values for your Lambda function.

Click on the “Add” button to save the new permission policy.

This policy will deny access to the Lambda function from any AWS account except for the specified service, and only if the request originates from the specified log group.

Additional Reading:

https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Lambda Functions Should Not Allow Cross Account Access

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: