Lambda Functions Should Not Be Publicly Accessible
More Info:
Any publicly accessible AWS Lambda functions should be identified and their access policy should be updated in order to protect against unauthorized users that are sending requests to invoke these functions.Risk Level
MediumAddress
SecurityCompliance Standards
HIPAA, PCIDSS, NIST, SOC2, HITRUST, AWSWAF, NISTCSFTriage and Remediation
Remediation
Using Console
Using Console
Here are the step-by-step instructions to remediate the issue of publicly accessible Lambda functions in AWS console:
- Log in to your AWS Management Console.
- Navigate to the AWS Lambda service.
- Select the Lambda function that you want to remediate.
- Click on the “Configuration” tab.
- Scroll down to the “Network” section.
- Under “Network”, you will see the “Lambda function” section. Click on the “Edit” button.
- You will see the “Configure Function” page. Under the “General configuration” section, you will see the “VPC” and “Public network access” options.
- Select the VPC that the Lambda function should be associated with.
- Under “Public network access”, select “Disable” to prevent the Lambda function from being publicly accessible.
- Click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the issue of Lambda Functions being publicly accessible in AWS, you can follow the below steps:Replace This should return the access control policy of the Lambda Function. Verify that the policy restricts public access to the Lambda Function.
- Open the AWS CLI on your local machine.
- Run the following command to get the list of all Lambda Functions in your AWS account:
- Identify the Lambda Function(s) that are publicly accessible.
- Run the following command to update the access control policy of the identified Lambda Function(s):
<function-name> with the name of the identified Lambda Function and <subnet-ids> and <security-group-ids> with the IDs of the subnets and security groups that you want to associate with the Lambda Function.- Once the access control policy is updated, run the following command to verify that the Lambda Function is no longer publicly accessible:
- Repeat steps 4 and 5 for all the identified Lambda Functions that are publicly accessible.
Using Python
Using Python
To remediate the issue of publicly accessible Lambda functions in AWS using Python, you can follow these steps:Step 1: Open the AWS Lambda function console.Step 2: Select the Lambda function that you want to remediate.Step 3: Scroll down to the “Configuration” section and click on the “Permissions” tab.Step 4: In the “Permissions” tab, you will see a section called “Resource-based policy”. Click on the “Edit” button next to it.Step 5: In the “Edit Resource-based policy” window, you will see the “Principal” section. This section specifies the AWS account or IAM user that is allowed to access the Lambda function.Step 6: To remediate the issue, you need to remove the “Principal” section or replace it with a specific AWS account or IAM user that is authorized to access the Lambda function.Step 7: You can use the following Python code to remove the “Principal” section from the Lambda function’s resource-based policy:Note: Make sure that you have the necessary permissions to modify the Lambda function’s resource-based policy.