
AWS Lambda Unknown Cross Account Access

Security

Risk level: High (act today)

Ensure that your Amazon Lambda functions are configured to allow invocation only from trusted AWS accounts, in order to protect against unauthorized cross account access (i.e. invocation requests from unknown accounts). Before this rule is run by the Cloud Conformity engine you need to provide the identifiers of the friendly accounts as a list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root). Cloud Conformity tracks the permission policies attached to your AWS Lambda functions (also known as resource-based policies or function policies) and alerts whenever a function can be invoked from a foreign AWS account, unless that account has been explicitly listed as friendly in the rule settings.

Allowing unknown (untrustworthy) AWS accounts to invoke your Amazon Lambda functions can lead to data exposure, data loss and unexpected charges on your AWS monthly bill. To prevent any unauthorized invocation requests for your Lambda functions, restrict access only to trusted entities by implementing the appropriate permission policies.

Audit

To determine if there are any AWS Lambda functions that allow unknown cross account access, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Lambda dashboard at https://console.aws.amazon.com/lambda/.

03 In the navigation panel, under AWS Lambda section, choose Functions.

04 Choose the Lambda function that you want to examine then click on the function name to access its configuration page.

05 Select the Triggers tab then click View function policy to expand the panel with the policy used to manage the function invocation permissions.

06 Inside the Lambda function policy box, identify the AWS account ARN(s) defined as value(s) for the Principal element, e.g. arn:aws:iam::123456789012:root.

07 Sign in to your Cloud Conformity console, access the AWS Lambda Unknown Cross Account Access conformity rule settings and compare the account identifier(s) found at the previous step (ARN(s)) against each identifier listed within the rule configuration section. If the identifier found within the function policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross account access to the selected AWS Lambda function is insecure.

08 Repeat steps no. 4 - 7 to verify the resource-based policy for other Amazon Lambda functions created within the current region for unknown cross account access entities (AWS account ARNs).

09 Change the AWS region from the navigation bar and repeat the process for the other regions.

Using AWS CLI

01 Run list-functions command (OSX/Linux/UNIX) to list the names of all AWS Lambda functions currently available in the selected region:

aws lambda list-functions \
	--region us-east-1 \
	--query 'Functions[*].FunctionName'

02 The command output should return an array with the requested Lambda function names:

[
    "WebAppWorkerFunction",
    "MySQSPoller",
    "FetchS3ObjectMetadata"
]

03 Run get-policy command (OSX/Linux/UNIX) to return the resource-based policy associated with the selected AWS Lambda function. The API returns the policy document as a JSON-encoded string in the Policy field, so the command below extracts that string with --query and --output text (pipe it through python -m json.tool or jq if you want it pretty-printed). If the function has no resource-based policy at all, the command fails with a ResourceNotFoundException, which means no cross account access has been granted to it:

aws lambda get-policy \
	--region us-east-1 \
	--function-name WebAppWorkerFunction \
	--query Policy \
	--output text

04 The command output should return the Lambda function policy requested:

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "5",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:WebAppWorkerFunction"
        }
    ]
}

05 Identify the AWS account ARN(s) defined as value(s) for the Principal element (e.g. arn:aws:iam::123456789012:root) listed in the permission policy returned at the previous step. A Principal value of "*" means anyone can invoke the function and must always be treated as untrusted. A Service principal (e.g. s3.amazonaws.com) is not an account grant by itself, but if the statement carries no aws:SourceAccount or aws:SourceArn condition it lets that service invoke the function on behalf of any AWS account, so review those statements as well.

06 Log in to your Cloud Conformity console, access the AWS Lambda Unknown Cross Account Access conformity rule settings and compare the account identifier(s) found at the previous step (ARN(s)) against each identifier listed within the rule configuration section. If the identifier found within the function permission policy does not match any of the trusted account entities listed on your Cloud Conformity console, the cross account access to the selected Amazon Lambda resource is insecure.

07 Repeat steps no. 3 - 6 to verify the permission policy for other Amazon Lambda functions available within the current region for any unknown cross account access entities.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 7 to perform the audit process for other regions.

Remediation / Resolution

To update the resource-based policies associated with your AWS Lambda functions in order to allow function invocation only from trusted AWS accounts, perform the following:

Note: At the time of writing (June 2017), managing AWS Lambda function policies from the AWS Management Console is not supported. To add or remove permissions for your Lambda functions, use the Lambda API through the AWS Command Line Interface (CLI), as shown below.

Using AWS CLI

01 First, run remove-permission command (OSX/Linux/UNIX) to remove the permission statement that allows the unknown cross account access from the resource policy associated with the selected Lambda function, providing the statement ID (a number, a string, or a combination of the two) that was given when the permission was added. Confirm from the get-policy output that the statement you remove is the one naming the foreign account: remove-permission deletes the entire statement, and a statement with a Service principal belongs to an event-source trigger and should be kept (or re-created with an aws:SourceAccount or aws:SourceArn condition) rather than deleted. The following command example removes an individual permission statement identified by the ID "5" for an AWS Lambda function named "WebAppWorkerFunction" (the command does not return an output):

aws lambda remove-permission \
	--region us-east-1 \
	--function-name WebAppWorkerFunction \
	--statement-id 5

02 Run add-permission command (OSX/Linux/UNIX) to add a new permission statement to the resource policy associated with the selected Lambda function that allows cross account access only to a friendly (trusted) AWS account. The following command example adds an individual permission statement identified by the ID "6" to an Amazon Lambda function named "WebAppWorkerFunction"; the trusted AWS account is provided as the value of the --principal parameter. Granting an account in this way allows any IAM principal in that account that has lambda:InvokeFunction permission to invoke the function, so list only accounts you control:

aws lambda add-permission \
	--region us-east-1 \
	--function-name WebAppWorkerFunction \
	--statement-id 6 \
	--principal 123456789012 \
	--action lambda:InvokeFunction

03 The command output should return the new policy statement added to the selected AWS Lambda function:

{
   "Statement": "{\"Sid\":\"6\",\"Resource\":\"arn:aws:lambda:us-east-1:198765432102:function:WebAppWorkerFunction\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"123456789012\"},\"Action\":[\"lambda:InvokeFunction\"]}"
}

04 Repeat steps no. 1 - 3 to update the resource-based policies for other Amazon Lambda functions available within the selected region.

05 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 - 4 to perform the entire remediation/resolution process for other regions.
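The audit steps (get-policy, then comparing each Principal against the trusted list) and the remediation steps (remove-permission, add-permission, re-check) carried out in code, as an added example; this is not Cloud Conformity's or AWS's own code. It assumes a trusted list containing one account (123456789012), a function owned by account 198765432102, and a constructed get-policy response whose other account IDs are made up. FakeLambdaClient is an in-memory stand-in so the example runs offline; against a real account you would pass boto3.client("lambda", region_name="us-east-1") to the same functions instead.

```python
# Added example (not Cloud Conformity's or AWS's code): audit Lambda resource
# policies for untrusted cross-account invoke access and fix what is found.
import json
import re

TRUSTED_ACCOUNTS = {"123456789012"}  # the rule's "friendly" accounts (assumed)
RESOURCE = "arn:aws:lambda:us-east-1:198765432102:function:WebAppWorkerFunction"
_ACCOUNT_ARN = re.compile(r"^arn:[a-z-]+:(?:iam|sts)::(\d{12}):")  # account-scoped ARNs


def account_of(principal):
    """Account ID behind an AWS principal string, '*' for a wildcard, None otherwise."""
    if principal == "*":
        return "*"
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ACCOUNT_ARN.match(principal)
    return m.group(1) if m else None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def untrusted_statements(policy, trusted):
    """(Sid, principal) pairs for Allow statements that let an account outside
    `trusted` and outside the function's own account, or anyone ('*'), invoke it.
    A service principal is flagged only when the statement carries no
    aws:SourceAccount / aws:SourceArn condition (any account could use the service)."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"lambda:invokefunction", "lambda:*", "*"}:
            continue
        own = {r.split(":")[4] for r in _as_list(stmt.get("Resource")) if r.count(":") >= 5}
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}
        for p in _as_list(principal.get("AWS")):
            acct = account_of(p)
            if acct == "*" or (acct is not None and acct not in set(trusted) | own):
                findings.append((stmt.get("Sid"), p))
        condition = json.dumps(stmt.get("Condition", {})).lower()
        for svc in _as_list(principal.get("Service")):
            if "aws:sourceaccount" not in condition and "aws:sourcearn" not in condition:
                findings.append((stmt.get("Sid"), svc))
    return findings


def policy_from_get_policy(response):
    """get-policy returns the document as a JSON-encoded string under 'Policy'."""
    return json.loads(response["Policy"])


def remediate(lam, function_name, trusted, grant_account=None, new_sid=None):
    """Grant `grant_account` first (no window in which a legitimate caller is denied),
    then remove every statement the audit flags, and re-audit. `lam` is a boto3
    Lambda client or anything with the same three calls. Returns remaining findings."""
    trusted = set(trusted) | ({grant_account} if grant_account else set())
    if grant_account:
        lam.add_permission(FunctionName=function_name, StatementId=new_sid,
                           Action="lambda:InvokeFunction", Principal=grant_account)
    policy = policy_from_get_policy(lam.get_policy(FunctionName=function_name))
    for sid in {sid for sid, _ in untrusted_statements(policy, trusted)}:  # one call per Sid
        lam.remove_permission(FunctionName=function_name, StatementId=sid)
    policy = policy_from_get_policy(lam.get_policy(FunctionName=function_name))
    return untrusted_statements(policy, trusted)


class FakeLambdaClient:
    """In-memory stand-in for boto3's Lambda client so the example runs offline."""
    def __init__(self, policy):
        self.policy = json.loads(json.dumps(policy))  # private copy

    def get_policy(self, FunctionName):
        return {"Policy": json.dumps(self.policy), "RevisionId": "fake"}

    def remove_permission(self, FunctionName, StatementId):
        self.policy["Statement"] = [s for s in self.policy["Statement"] if s.get("Sid") != StatementId]

    def add_permission(self, FunctionName, StatementId, Action, Principal):
        if re.fullmatch(r"\d{12}", Principal):  # Lambda stores a bare account ID as its root ARN
            Principal = f"arn:aws:iam::{Principal}:root"
        self.policy["Statement"].append({"Sid": StatementId, "Effect": "Allow", "Action": Action,
                                         "Principal": {"AWS": Principal}, "Resource": RESOURCE})


# Constructed sample shaped like `aws lambda get-policy` output; account IDs are made up.
SAMPLE_RESPONSE = {"RevisionId": "fake", "Policy": json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "5", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": RESOURCE,
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},  # trusted account
        {"Sid": "7", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": RESOURCE,
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},  # unknown account
        {"Sid": "s3-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": RESOURCE,
         "Principal": {"Service": "s3.amazonaws.com"},  # trigger scoped to the owning account
         "Condition": {"StringEquals": {"AWS:SourceAccount": "198765432102"}}},
        {"Sid": "public", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": RESOURCE,
         "Principal": "*"}]})}  # anyone at all
```

Running untrusted_statements(policy_from_get_policy(SAMPLE_RESPONSE), TRUSTED_ACCOUNTS) reports statement "7" (unknown account) and "public" (wildcard); remediate(FakeLambdaClient(...), "WebAppWorkerFunction", TRUSTED_ACCOUNTS, grant_account="444455556666", new_sid="6") adds the new grant, removes both flagged statements and returns an empty list. The check goes slightly beyond the page: it also flags a wildcard Principal, treats the function's own account as trusted, and reports a service principal with no aws:SourceAccount / aws:SourceArn condition. In a real sweep over list_functions, get_policy raises ResourceNotFoundException for a function with no resource policy at all, which simply means there is nothing to audit for that function.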

Publication date Jun 12, 2017