Identify any publicly accessible Amazon Lambda functions and update their access policy to protect against unauthorized users sending invocation requests to these functions.
This rule can help you with the following compliance standards:
- PCI
- GDPR
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Allowing anonymous users to invoke your Amazon Lambda functions is considered a bad practice and can lead to data exposure, data loss, and unexpected charges on your AWS bill. To prevent any unauthorized invocation requests to your Lambda functions, restrict access only to trusted entities by implementing the appropriate permissions policies.
Audit
To identify any exposed Amazon Lambda functions currently available within your AWS cloud account, perform the following operations:
Remediation / Resolution
To update the resource-based policies associated with your Amazon Lambda functions in order to allow function invocation only from trusted entities, perform the following operations:
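The audit and remediation described above reduce to one check per function: fetch its resource-based policy (get-policy) and look for an Allow statement on an invoke action whose principal is a wildcard and which no condition ties to a known caller; each Sid found is what you pass to remove-permission. The following Python is an added example, not Conformity's or AWS's own code; it assumes boto3 only for the account-wide walk, and the set of "scoping" condition keys it treats as non-anonymous is this example's assumption.

```python
# Added example (not Conformity's or AWS's own code): flag Lambda resource-based
# policy statements that let anonymous callers invoke the function. Assumes the
# policy JSON shape returned by `aws lambda get-policy` / boto3 get_policy.
import json

# Condition keys that bind a wildcard principal to a known caller (assumption
# made by this example; a statement carrying one is scoped, not anonymous).
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:invokefunctionurl", "lambda:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _scoped(condition):
    keys = {k.lower() for op in (condition or {}).values() for k in op}
    return bool(keys & SCOPING_KEYS)

def find_public_statements(policy_document):
    """Return the Sids of Allow statements that expose invoke to any principal."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    exposed = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow" and actions & INVOKE_ACTIONS
                and _wildcard_principal(stmt.get("Principal"))
                and not _scoped(stmt.get("Condition"))):
            exposed.append(stmt.get("Sid", "<no Sid>"))
    return exposed

def audit_account(region_name=None):
    """Check every function in the account (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the parser above runs offline
    client = boto3.client("lambda", region_name=region_name)
    findings = {}
    for page in client.get_paginator("list_functions").paginate():
        for fn in page["Functions"]:
            try:
                policy = client.get_policy(FunctionName=fn["FunctionName"])["Policy"]
            except client.exceptions.ResourceNotFoundException:
                continue  # no resource-based policy attached to this function
            if sids := find_public_statements(policy):
                findings[fn["FunctionName"]] = sids  # remove each Sid with remove-permission
    return findings
```

A function URL with auth type NONE shows up as a wildcard principal on lambda:InvokeFunctionUrl, so it is reported as exposed too; a policy scoped by aws:SourceArn or aws:SourceAccount is not.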
References
- AWS Documentation
  - AWS Lambda FAQs
  - Getting started with Lambda
  - Using resource-based policies for Lambda
- AWS Command Line Interface (CLI) Documentation
  - lambda
  - list-functions
  - get-policy
  - add-permission
  - remove-permission
- AWS Blog(s)
  - Easy Authorization of AWS Lambda Functions
- CloudFormation Documentation
  - AWS Lambda resource type reference
- Terraform Documentation
  - AWS Provider
Function Exposed
Risk Level: High