> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Lambda Functions Should Not Be Publicly Accessible

### More Info:

Any publicly accessible AWS Lambda functions should be identified and their access policy should be updated in order to protect against unauthorized users that are sending requests to invoke these functions.

### Risk Level

Medium

### Address

Security

### Compliance Standards

HIPAA, PCIDSS, NIST, SOC2, HITRUST, AWSWAF, NISTCSF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        Here are the step-by-step instructions to remediate the issue of publicly accessible Lambda functions in AWS console:

        1. Log in to your AWS Management Console.
        2. Navigate to the AWS Lambda service.
        3. Select the Lambda function that you want to remediate.
        4. Click on the "Configuration" tab.
        5. Scroll down to the "Network" section.
        6. Under "Network", you will see the "Lambda function" section. Click on the "Edit" button.
        7. You will see the "Configure Function" page. Under the "General configuration" section, you will see the "VPC" and "Public network access" options.
        8. Select the VPC that the Lambda function should be associated with.
        9. Under "Public network access", select "Disable" to prevent the Lambda function from being publicly accessible.
        10. Click on the "Save" button to save the changes.

        Once you have completed these steps, your Lambda function will no longer be publicly accessible and will only be accessible within the specified VPC.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the issue of Lambda Functions being publicly accessible in AWS, you can follow the below steps:

        1. Open the AWS CLI on your local machine.

        2. Run the following command to get the list of all Lambda Functions in your AWS account:

        ```
        aws lambda list-functions
        ```

        3. Identify the Lambda Function(s) that are publicly accessible.

        4. Run the following command to update the access control policy of the identified Lambda Function(s):

        ```
        aws lambda update-function-configuration --function-name <function-name> --vpc-config SubnetIds=<subnet-ids>,SecurityGroupIds=<security-group-ids>
        ```

        Replace `<function-name>` with the name of the identified Lambda Function and `<subnet-ids>` and `<security-group-ids>` with the IDs of the subnets and security groups that you want to associate with the Lambda Function.

        5. Once the access control policy is updated, run the following command to verify that the Lambda Function is no longer publicly accessible:

        ```
        aws lambda get-policy --function-name <function-name>
        ```

        This should return the access control policy of the Lambda Function. Verify that the policy restricts public access to the Lambda Function.

        6. Repeat steps 4 and 5 for all the identified Lambda Functions that are publicly accessible.

        By following the above steps, you can remediate the issue of Lambda Functions being publicly accessible in AWS.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the issue of publicly accessible Lambda functions in AWS using Python, you can follow these steps:

        Step 1: Open the AWS Lambda function console.

        Step 2: Select the Lambda function that you want to remediate.

        Step 3: Scroll down to the "Configuration" section and click on the "Permissions" tab.

        Step 4: In the "Permissions" tab, you will see a section called "Resource-based policy". Click on the "Edit" button next to it.

        Step 5: In the "Edit Resource-based policy" window, you will see the "Principal" section. This section specifies the AWS account or IAM user that is allowed to access the Lambda function.

        Step 6: To remediate the issue, you need to remove the "Principal" section or replace it with a specific AWS account or IAM user that is authorized to access the Lambda function.

        Step 7: You can use the following Python code to remove the "Principal" section from the Lambda function's resource-based policy:

        ```
        import boto3
        import json

        # Replace 'lambda_function_name' with your Lambda function name
        lambda_function_name = 'my_lambda_function'

        lambda_client = boto3.client('lambda')

        # Get the current resource-based policy of the Lambda function
        response = lambda_client.get_policy(FunctionName=lambda_function_name)
        policy = json.loads(response['Policy'])

        # Remove the 'Principal' section from the resource-based policy
        del policy['Statement'][0]['Principal']

        # Update the resource-based policy of the Lambda function
        lambda_client.add_permission(
            FunctionName=lambda_function_name,
            StatementId='1',
            Action='lambda:InvokeFunction',
            Principal='',
            SourceArn='',
            SourceAccount='',
            EventSourceToken='',
            Qualifier='',
            RevisionId='',
            Policy=json.dumps(policy)
        )

        print('Resource-based policy updated successfully')
        ```

        Note: Make sure that you have the necessary permissions to modify the Lambda function's resource-based policy.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)
