AWS-Lambda-excess-permission-removed
Severity: High
Description: This control uses the last 90 days of the IAM Access Advisor report to ensure that Lambda functions do not have excess permissions. Access Advisor gives insight into the role and the behavior of the Lambda function it is assigned to; permissions that have not been used in the last 90 days should be removed.
Remediation Steps:
Perform the following steps to remove a role policy from a Lambda function's execution role:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to the IAM console.
In the navigation pane, select Roles.
Select the role to be modified.
Navigate to the Permissions tab.
Delete the policy granting excessive privileges.
Click Save changes to apply.
Important:
Some resources may be used only rarely, once in a long time. Such cases can be considered an exception, and only the required permissions should be added.
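The check described above, as an added example that is not part of the original control text: it takes Access Advisor service-last-accessed data for a role (the entry shape follows the IAM GetServiceLastAccessedDetails response, but the values are constructed) together with a hypothetical policy attached to the role, and lists the Allow actions whose service has not been authenticated in the 90-day window. The window is a parameter so that the rarely-used exception from the note above can be handled by widening it rather than ignoring the finding.

```python
"""Flag Lambda execution-role permissions unused for 90 days (added example)."""
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90  # window named in the control

# Constructed sample: shape follows IAM GetServiceLastAccessedDetails
# "ServicesLastAccessed" entries; a service never used has no LastAuthenticated.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCESS_ADVISOR = [
    {"ServiceNamespace": "logs", "LastAuthenticated": NOW - timedelta(days=2)},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=30)},
    {"ServiceNamespace": "s3"},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=200)},
]

# Constructed, hypothetical policy attached to the Lambda execution role.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Logs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
        {"Sid": "Data", "Effect": "Allow",
         "Action": ["dynamodb:GetItem", "s3:GetObject"], "Resource": "*"},
        {"Sid": "Net", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}

def unused_namespaces(report, now=NOW, window_days=UNUSED_DAYS):
    """Service namespaces with no authenticated access inside the window."""
    cutoff = now - timedelta(days=window_days)
    return {
        svc["ServiceNamespace"] for svc in report
        if svc.get("LastAuthenticated") is None or svc["LastAuthenticated"] < cutoff
    }

def excess_actions(policy, unused):
    """Allow actions whose service prefix is unused, keyed by statement Sid."""
    findings = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        hits = [a for a in actions if a.split(":", 1)[0].lower() in unused]
        if hits:
            findings[stmt.get("Sid", "<no Sid>")] = hits
    return findings

if __name__ == "__main__":
    for sid, acts in excess_actions(ROLE_POLICY, unused_namespaces(ACCESS_ADVISOR)).items():
        print(f"statement {sid}: candidate for removal: {', '.join(acts)}")
```

Against live data, the report list comes from the IAM generate/get service-last-accessed-details API pair for the role ARN; the analysis functions are unchanged.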
Reference:
Blue Hexagon Proprietary