AWS-Lambda-Resource-Based-Policy-Public

Severity : Critical

Description: This control ensures that a Lambda function is not exposed publicly through a wildcard (*) in the Principal element of its resource-based access policy. Public access allows any unauthenticated caller who can send a request to invoke the function. As a security best practice, access to Lambda functions should be restricted and granted only to authorized principals.

Remediation Steps:

Perform the following steps to remove anonymous access from a Lambda function:

  1. Login to the AWS Management Console at https://console.aws.amazon.com.

  2. Navigate to AWS Lambda console.

  3. In the navigation pane, select Functions.

  4. Select the function to be modified.

  5. Select Configuration and, in the navigation pane, select Permissions.

  6. Under Resource-based policy, select Policy statements, then select Edit.

  7. If the Principal element of a statement contains a wildcard (*), add a Condition element to that statement to limit who can invoke the Lambda function.

  8. Click Save to apply changes.
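The check described by this control, and the remediation in step 7, can be reviewed offline against a function's policy document (the JSON returned by `aws lambda get-policy`). The following is an added example, not part of the original control text or Blue Hexagon's tooling: it flags Allow statements whose Principal is a wildcard and that carry no Condition, then shows how adding an `AWS:SourceArn` condition (the shape `aws lambda add-permission --source-arn` produces) clears the finding. The sample policy, account IDs and ARNs are constructed placeholders, and the choice of `AWS:SourceArn` as the condition key is an assumption; the control only requires that some restricting Condition be present.

```python
import copy
import json

# Constructed sample resource-based policy (not from the original page).
# Statement 1 is public with no Condition; statement 2 has a wildcard Principal
# but is scoped by a Condition; statement 3 names a specific account.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicInvoke",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"
    },
    {
      "Sid": "WildcardScopedByAccount",
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
      "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"}}
    },
    {
      "Sid": "SpecificAccount",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"
    }
  ]
}
""")


def _principal_is_wildcard(principal) -> bool:
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statement_sids(policy: dict) -> list:
    """Return the Sids of Allow statements that have a wildcard Principal and
    no Condition element, i.e. the statements this control reports."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", f"statement-{idx}"))
    return flagged


def restrict_with_source_arn(policy: dict, sid: str, source_arn: str) -> dict:
    """Return a copy of the policy in which statement `sid` gains an ArnLike
    Condition on AWS:SourceArn. The original policy dict is left untouched."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            cond = stmt.setdefault("Condition", {}).setdefault("ArnLike", {})
            cond["AWS:SourceArn"] = source_arn
    return fixed


if __name__ == "__main__":
    findings = public_statement_sids(SAMPLE_POLICY)
    print("public statements:", findings)
    # Placeholder source ARN for the event source that should be allowed to invoke.
    remediated = restrict_with_source_arn(
        SAMPLE_POLICY, "PublicInvoke", "arn:aws:s3:::example-bucket"
    )
    print("after remediation:", public_statement_sids(remediated))
    print(json.dumps(remediated, indent=2))
```

The check treats any Condition as restricting, which matches the control's remediation step but is only as good as the condition's value: a Condition whose `AWS:SourceArn` or `AWS:SourceAccount` is itself a wildcard does not narrow the grant, so the value written in step 7 should name the specific account or event-source ARN that is meant to invoke the function.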

Important:

  • Restricting the function's access policy limits who can trigger the function. Any event source or caller that relied on the wildcard grant may need to be reconfigured before it can invoke the function again.

Reference:

Blue Hexagon Proprietary