Identify any publicly accessible AWS Lambda functions and update their access (resource-based) policies to prevent unauthorized users from sending requests that invoke these functions.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing anonymous users to invoke your AWS Lambda functions (a resource-based policy statement whose Principal is "*" and that carries no condition narrowing the caller) is bad practice and can lead to data exposure, data loss and unexpected charges on your AWS bill, since every invocation is billed to your account. To prevent unauthorized invocation requests to your Lambda functions, restrict access to trusted entities only by implementing the appropriate permission policies.
To identify any exposed AWS Lambda functions currently available within your AWS account, perform the following:
To update the access policies (also known as resource-based policies) associated with your AWS Lambda functions in order to allow function invocation only from trusted AWS entities, perform the following:
Note: Managing AWS Lambda function policies using the AWS Management Console is not currently supported. To view, add or remove permissions for your Lambda functions, use the Lambda API, for example through the AWS Command Line Interface (CLI) with the get-policy, add-permission and remove-permission commands.
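The two procedures above (finding functions whose resource-based policy allows anonymous invocation, then removing the offending statements) can be scripted against the Lambda API. The following is an added example written for this page, not code from Cloud Conformity or AWS: it parses a function policy document, flags Allow statements whose Principal is "*" and whose Condition does not narrow the caller, and removes them with remove_permission. It also treats the lambda:InvokeFunctionUrl statement with lambda:FunctionUrlAuthType = NONE as public, since that condition marks an unauthenticated function URL rather than restricting who may call. The sample policy, account ID and function ARN are constructed for illustration; the live scan in main() assumes boto3 and credentials with lambda:ListFunctions, lambda:GetPolicy and lambda:RemovePermission.

```python
"""Find Lambda functions whose resource-based policy allows anonymous invocation
and remove those statements. Runs as a dry run unless --apply is passed."""
import json
import sys
from typing import Any, List

# Actions that let a caller run the function (compared case-insensitively).
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:invokefunctionurl", "lambda:*", "*"}

# Constructed sample policy (not from a real account) used for offline demonstration.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "AllowAnyoneToInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"},
        {"Sid": "AllowS3Bucket", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        {"Sid": "PublicUrl", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
        {"Sid": "ScopedToAccount", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    ],
})


def _as_list(value: Any) -> list:
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_scopes_caller(condition: Any) -> bool:
    """True if the Condition block narrows who may call (SourceArn, SourceAccount, ...).
    The single condition StringEquals lambda:FunctionUrlAuthType = "NONE" does not: it
    is what Lambda attaches to a public function URL, so such a statement stays public."""
    if not condition:
        return False
    auth_type_none_only = (
        list(condition) == ["StringEquals"]
        and list(condition["StringEquals"]) == ["lambda:FunctionUrlAuthType"]
        and condition["StringEquals"]["lambda:FunctionUrlAuthType"] == "NONE"
    )
    return not auth_type_none_only


def public_statement_ids(policy_document: str) -> List[str]:
    """Return the Sids of Allow statements that grant invoke to any principal
    without a caller-scoping condition. Every Lambda policy statement has a Sid,
    because add-permission requires a statement-id."""
    policy = json.loads(policy_document)
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & INVOKE_ACTIONS:
            continue
        if _condition_scopes_caller(stmt.get("Condition")):
            continue
        found.append(stmt["Sid"])
    return found


def remove_public_statements(client, function_name: str, dry_run: bool = True) -> List[str]:
    """Fetch one function's resource-based policy and remove each public statement.
    Returns the Sids that were (or, in a dry run, would be) removed."""
    try:
        policy = client.get_policy(FunctionName=function_name)["Policy"]
    except client.exceptions.ResourceNotFoundException:
        return []  # the function has no resource-based policy at all
    sids = public_statement_ids(policy)
    if not dry_run:
        for sid in sids:
            client.remove_permission(FunctionName=function_name, StatementId=sid)
    return sids


def main() -> None:
    import boto3  # only needed for the live scan; the policy logic above runs without it
    dry_run = "--apply" not in sys.argv
    client = boto3.client("lambda")
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            sids = remove_public_statements(client, fn["FunctionName"], dry_run=dry_run)
            if sids:
                verb = "would remove" if dry_run else "removed"
                print(f"{fn['FunctionName']}: {verb} {', '.join(sids)}")


if __name__ == "__main__":
    main()
```

Run it once without arguments to get the list of functions and statement IDs that would be removed, review that a flagged statement is not a legitimate public entry point, then run with --apply. Statements with Principal "*" that are scoped by AWS:SourceArn or AWS:SourceAccount (the pattern used for S3, SNS and similar triggers) are left alone, since they are not anonymously invocable.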