Ensure that your Amazon Lambda functions do not have administrative permissions (i.e. access to all AWS actions and resources) in order to promote the Principle of Least Privilege and provide your functions the minimal amount of access required to perform their tasks.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The permissions assumed by an AWS Lambda function are determined by the IAM execution role associated with the function. With the right execution role you control exactly which privileges your Lambda function has. Instead of granting that role administrative permissions, grant it only the permissions the function actually needs to do its work.
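The check the rule describes, evaluating whether an execution role's policy grants all actions on all resources, as an added example that is not Cloud Conformity's own code. The policy documents are constructed inline; in practice they would be fetched with the `get-role-policy` and `get-function` CLI calls listed in the references.

```python
"""Flag IAM policy documents that grant full administrative access.

Added example (not Cloud Conformity's own code). The two policy documents
below are constructed samples; in a real audit they would be retrieved from
the function's execution role with `aws iam get-role-policy`.
"""
import json

# Constructed sample: an inline execution-role policy that is full admin.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: a least-privilege policy for a function that reads
# one DynamoDB table and writes its own CloudWatch logs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_admin(stmt):
    """True when one Allow statement covers every action on every resource.

    A service-wide wildcard such as "logs:*" is broad but is not the
    all-AWS-actions case this rule targets, so it is not flagged here.
    """
    if stmt.get("Effect") != "Allow":
        return False
    all_actions = "*" in _as_list(stmt.get("Action"))
    all_resources = "*" in _as_list(stmt.get("Resource"))
    return all_actions and all_resources


def policy_is_admin(policy_json):
    """Return True if any statement in the policy document grants full admin."""
    doc = json.loads(policy_json)
    return any(statement_is_admin(s) for s in _as_list(doc.get("Statement")))
```

Run `policy_is_admin` over every inline and attached policy document of each function's execution role; any function whose role returns True is the finding this rule reports.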
Audit
To identify any Lambda functions with admin privileges available in your AWS account, perform the following:
Remediation / Resolution
To implement the Principle of Least Privilege and provide your Lambda functions with the right set of permissions instead of full administrative permissions, perform the following:
References
- AWS Documentation
  - AWS Lambda FAQs
  - AWS Lambda: How It Works
  - AWS Lambda Permissions Model
  - Using Resource-Based Policies for AWS Lambda (Lambda Function Policies)
- AWS Command Line Interface (CLI) Documentation
  - lambda
    - list-functions
    - get-function
    - update-function-configuration
  - iam
    - list-role-policies
    - get-role-policy
You are auditing:
Lambda Function With Admin Privileges
Risk level: Medium