[Lambda.1]
Lambda function policies should prohibit public access
Description
The resource-based policy of a Lambda function should prohibit access from outside your account. A Lambda function should not be publicly accessible, since that may allow unintended invocation of your code. To make this rule COMPLIANT, the policy must include a condition on aws:SourceAccount.
Details
| Property | Value | 
|---|---|
| Category | Protect > Secure network configuration | 
| Compliance Control ID | Lambda.1 |  
| FortifyFox ID | FF100014 |  
| Link | Lambda.1 Compliance | 
| Resource Type(s) | AWS::Lambda::Function |  
| Severity | Critical | 
Remediation
Use one of the following CloudFormation templates to deploy a Lambda permission that is compliant with Lambda.1.
YAML Template
```yaml
Resources:
  lambdaPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: FUNCTION_ARN
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref "AWS::AccountId"
```
JSON Template
```json
{
  "Resources": {
    "lambdaPermission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": "FUNCTION_ARN",
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": {
          "Ref": "AWS::AccountId"
        }
      }
    }
  }
}
```
You will need to replace FUNCTION_ARN with the ARN of your Lambda function.
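As an added detection check, not part of the FortifyFox rule or the templates above, the Python below audits a policy document shaped like the output of lambda:GetPolicy and lists the statements that fail the Lambda.1 requirement; the policy, function ARN and account ID are constructed samples.

```python
import json

# Constructed sample of what lambda:GetPolicy returns: four Allow statements,
# only two of which satisfy Lambda.1 for account 111111111111.
ACCOUNT = "111111111111"
FUNC = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:demo"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "s3-scoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"}, "Resource": FUNC,
     "Condition": {"StringEquals": {"AWS:SourceAccount": ACCOUNT}}},
    {"Sid": "s3-unscoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"}, "Resource": FUNC},
    {"Sid": "anyone", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": "*", "Resource": FUNC},
    {"Sid": "same-account-role", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/caller"}, "Resource": FUNC},
]})

def _source_accounts(statement):
    """Values of aws:SourceAccount under StringEquals (key match is case-insensitive)."""
    cond = statement.get("Condition", {})
    for op in ("StringEquals", "ForAnyValue:StringEquals"):
        for key, value in cond.get(op, {}).items():
            if key.lower() == "aws:sourceaccount":
                return value if isinstance(value, list) else [value]
    return []

def _principal_in_account(principal, account_id):
    """True only if every principal is an IAM principal (ID or ARN) of account_id."""
    if principal == "*" or "Service" in principal or "Federated" in principal:
        return False
    aws = principal.get("AWS", [])
    aws = aws if isinstance(aws, list) else [aws]
    return bool(aws) and all(
        p == account_id or p.startswith(f"arn:aws:iam::{account_id}:") for p in aws)

def noncompliant_statements(policy_json, account_id):
    """Sids of Allow statements that let callers outside account_id invoke the function
    (passes only an in-account principal or an aws:SourceAccount == account_id condition)."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_in_account(stmt.get("Principal", "*"), account_id):
            continue
        if _source_accounts(stmt) == [account_id]:
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

A statement conditioned only on aws:SourceArn is still reported, because the rule as stated above requires aws:SourceAccount.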
📓 Notes
- You must have created a valid Lambda function
- You must have created an IAM role to execute Lambda functions with the following managed policies:
  - arn:aws:iam::aws:policy/AWSLambdaExecute
  - arn:aws:iam::aws:policy/AmazonS3FullAccess
  - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
  - arn:aws:iam::aws:policy/AmazonKinesisFullAccess