Lambda Functions with Admin Privileges

Risk level: Medium (should be achieved)

Ensure that your Amazon Lambda functions do not have administrative permissions (i.e. access to all AWS actions and resources) in order to promote the Principle of Least Privilege and provide your functions the minimal amount of access required to perform their tasks.

The permissions assumed by an AWS Lambda function are determined by the IAM execution role associated with the function. With the right execution role you control exactly which privileges your Lambda function has; therefore, instead of granting administrative permissions, grant the role only the permissions that your function actually needs.

Audit

To identify any Lambda functions with admin privileges available in your AWS account, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to the Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab, then click Execution role to expand the panel showing the IAM role that defines the permissions for the selected function.

06 Copy the name of the IAM execution role currently shown in the Existing role dropdown list.

07 Now navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

08 In the left navigation panel, choose Roles.

09 Paste the name of the execution role copied at step no. 6 in the Search box and press Enter.

10 Click on the Amazon IAM execution role returned as the result.

11 On the IAM role configuration page, select the Permissions tab from the bottom panel.

12 Click on the attached IAM policy name available within Policy name column to access the policy document (JSON format).

13 Inside the {} JSON panel, verify the policy document defined for the selected IAM execution role. Identify the Action and Resource elements and their current values. If both element values are set to "*" and the Effect is set to "Allow" (i.e. "Action": "*", "Resource": "*", "Effect": "Allow"), the attached IAM policy provides access to all AWS actions and resources (i.e. admin privileges).

14 Repeat steps no. 12 and 13 to verify the other IAM policies attached to the selected execution role.

15 If at least one of the policies attached to the specified IAM execution role grants access to all AWS actions and resources, the role provides administrative permissions, therefore the selected Amazon Lambda function has admin privileges.

16 Repeat steps no. 4 - 15 to verify the IAM execution role permissions for other Amazon Lambda functions created within the current region.

17 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run the list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:

aws lambda list-functions \
    --region us-east-1 \
    --query 'Functions[*].FunctionName'

02 The command output should return an array with the requested Lambda function names:

[
    "cc-sns-publish",
    "cc-auto-remediate"
]

03 Run the get-function command (OSX/Linux/UNIX) to return the Amazon Resource Name (ARN) of the IAM role that Amazon Lambda assumes when it executes the selected function in order to access other AWS resources:

aws lambda get-function \
    --region us-east-1 \
    --function-name cc-sns-publish \
    --query 'Configuration.Role'

04 The command output should return the IAM execution role ARN requested:

"arn:aws:iam::123456789012:role/aws-lambda-admin-full-access"

05 Run the list-role-policies command (OSX/Linux/UNIX), using the execution role name extracted from the ARN returned at the previous step as the identifier and a custom query filter, to list the names of the policies attached to the IAM role:

aws iam list-role-policies \
    --region us-east-1 \
    --role-name aws-lambda-admin-full-access \
    --query 'PolicyNames'

06 The command output should return the names of the policies attached to the IAM role:

[
    "full-access-policy",
    "sns-custom-access-policy"
]

07 Run the get-role-policy command (OSX/Linux/UNIX), using a custom query filter, to describe the policy document attached to the selected IAM execution role:

aws iam get-role-policy \
    --role-name aws-lambda-admin-full-access \
    --policy-name full-access-policy \
    --query 'PolicyDocument'

08 The command output should return the role policy document currently attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Check the policy document returned by the get-role-policy command and identify the Action and Resource policy elements and their current values. If both element values are set to "*" and the Effect is set to "Allow", as shown in the example above, the attached IAM policy provides access to all AWS actions and resources.

09 Repeat steps no. 7 and 8 to verify the other IAM policies attached to the selected execution role.

10 If at least one of the policies assigned to the selected IAM execution role grants access to all AWS actions and resources, the role provides administrative permissions, therefore the selected Amazon Lambda function has admin privileges.

11 Repeat steps no. 3 - 10 to verify the IAM execution role permissions for other Amazon Lambda functions available in the current region.

12 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 11 to perform the audit process for other regions.
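The check described in steps 07 and 08 is easy to get wrong by hand, because IAM accepts Action, Resource and even Statement either as a single value or as a list, so "Action": ["*"] grants exactly what "Action": "*" does. The following Python is an added example, not code from the Cloud Conformity page: it applies the page's admin test (Effect Allow on Action "*" and Resource "*") to policy documents in the shape that get-role-policy --query 'PolicyDocument' returns, treats string and list forms alike, and ignores wildcards under Deny. The sample documents are constructed for this example; the sns-custom-access-policy sample also shows what a least-privilege counterpart for the cc-sns-publish function from the Remediation section could look like (its SNS topic ARN is a made-up value). Two practitioner notes: list-role-policies returns only the role's inline policies, so managed policies attached with list-attached-role-policies (fetched via get-policy-version) must be run through the same check separately; and, like the page's definition, this test does not evaluate NotAction or NotResource statements.

```python
# Added example (not from the Cloud Conformity page): apply the page's admin
# test to IAM policy documents as returned by
#   aws iam get-role-policy --query 'PolicyDocument'
# All sample documents below are constructed for this example.
import json


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a single value or a
    list; normalise to a list so both spellings are checked the same way."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_grants_admin(statement):
    """True when one statement is Effect "Allow" on Action "*" and
    Resource "*" (the page's definition of admin privileges)."""
    if statement.get("Effect") != "Allow":
        return False
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    return "*" in actions and "*" in resources


def policy_grants_admin(policy_document):
    """Accept a parsed dict or the raw JSON text of a policy document and
    report whether any of its statements grants admin privileges."""
    if isinstance(policy_document, str):
        policy_document = json.loads(policy_document)
    return any(statement_grants_admin(s)
               for s in _as_list(policy_document.get("Statement")))


def audit_role_policies(policies):
    """policies: {policy_name: policy_document} for one execution role.
    Returns the sorted names of the policies that grant admin privileges;
    an empty list means the role passes the check."""
    return sorted(name for name, doc in policies.items()
                  if policy_grants_admin(doc))


# Constructed sample: the page's full-access-policy.
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
}

# Constructed least-privilege counterpart for a function that publishes to a
# single SNS topic and writes its own CloudWatch logs (topic ARN is made up).
SNS_CUSTOM_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sns:Publish"],
            "Resource": "arn:aws:sns:us-east-1:123456789012:cc-alerts",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                       "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:*",
        },
    ],
}

# Same grant as FULL_ACCESS_POLICY, written with list values and a bare
# statement object; comparing the raw values against "*" would miss it.
LIST_FORM_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]},
}

# Wildcards under Deny grant nothing and must not be flagged.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

SAMPLE_ROLE_POLICIES = {
    "full-access-policy": FULL_ACCESS_POLICY,
    "sns-custom-access-policy": SNS_CUSTOM_ACCESS_POLICY,
    "list-form-admin-policy": LIST_FORM_ADMIN_POLICY,
    "deny-all-policy": DENY_ALL_POLICY,
}

if __name__ == "__main__":
    # Any name printed here means the role grants admin privileges.
    print(audit_role_policies(SAMPLE_ROLE_POLICIES))
```

To use it against a real role, feed audit_role_policies a dict built from the output of step 05 and step 07 (one get-role-policy call per policy name), then repeat with the documents of any attached managed policies.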

Remediation / Resolution

To implement the Principle of Least Privilege and provide your Lambda functions with the right set of permissions instead of full administrative permissions, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Configuration tab, then click Execution role to expand the panel showing the IAM role that defines the permissions for the selected function.

06 Inside the Execution role panel, perform one of the following actions:

  1. To apply an existing execution role, select Choose an existing role from the first dropdown list, then select the name of the existing IAM role from the second dropdown list. The chosen IAM role must adhere to the Principle of Least Privilege and provide only the access permissions required by the selected function.
  2. To apply a new execution role, built using Lambda policy templates, select Create new role from template(s) from the first dropdown list, enter a name for the IAM role within Role name box and select one or more templates from the Policy templates dropdown list.
  3. To apply a custom execution role, select Create a custom role from the dropdown list; you are redirected to the AWS Lambda requires access to your resources page, where you can create your own IAM execution role for the selected Lambda function. Once your new custom role is defined, click Allow to add the custom IAM role to the current function configuration.

07 Click the Save button from the dashboard top menu to update the function configuration and apply the appropriate IAM execution role.

08 Repeat steps no. 4 - 7 to change the IAM execution role for other Amazon Lambda functions created in the current AWS region.

09 Change the AWS region from the navigation bar and repeat the entire process for the other regions.

Using AWS CLI

01 Run the update-function-configuration command (OSX/Linux/UNIX) to change the existing IAM execution role by updating the configuration parameters of the selected Amazon Lambda function (see the Audit section, Section 2, to identify the right resource). You only need to provide the parameters that you want to change, in this case the --role parameter, whose value must be the ARN of the IAM role that Lambda will assume when it executes the function. The execution role applied to the selected AWS Lambda function can be an existing IAM role, a new role created using Lambda policy templates, or a new IAM role created using your own custom policies. The following command example applies an execution role identified by the ARN "arn:aws:iam::123456789012:role/cc-sns-publish-function-role" to an AWS Lambda function named "cc-sns-publish":

aws lambda update-function-configuration \
    --region us-east-1 \
    --function-name "cc-sns-publish" \
    --role "arn:aws:iam::123456789012:role/cc-sns-publish-function-role"

02 The command output should return the configuration metadata for the selected AWS Lambda function:

{
    "TracingConfig": {
        "Mode": "PassThrough"
    },
    "FunctionName": "cc-sns-publish",
    "VpcConfig": {
        "SubnetIds": [],
        "VpcId": "",
        "SecurityGroupIds": []
    },
    "MemorySize": 192,
    "FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:cc-sns-publish",
    "Version": "$LATEST",
    "Role": "arn:aws:iam::123456789012:role/cc-sns-publish-function-role",
    "Timeout": 3,
    "LastModified": "2017-10-12T12:03:28.157+0000",
    "Handler": "index.handler",
    "Runtime": "nodejs6.10",
    "CodeSize": 581,
    "Description": "Custom AWS Lambda function."
}

03 Repeat steps no. 1 and 2 to replace the IAM execution role for other Amazon Lambda functions created in the current AWS region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 3 to perform the remediation process for other regions.

Publication date Oct 14, 2017