Ensure that all your AWS Lambda functions are configured to allow invocation only from trusted AWS accounts, in order to protect against unauthorized cross-account access (i.e. function invocation requests from unknown accounts). Before this rule is run by the Cloud Conformity engine you need to provide the friendly account identifiers as a list of valid AWS account IDs (e.g. 123456789012) or AWS account ARNs (e.g. arn:aws:iam::123456789012:root). Cloud Conformity tracks AWS Lambda permission policies (also known as resource-based policies) and alerts if a function can be invoked from a foreign AWS account, unless that account has been explicitly listed as friendly within the rule settings.
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing unknown (untrusted) AWS accounts to invoke your AWS Lambda functions can lead to data exposure, data loss and unexpected charges on your AWS monthly bill. To prevent unauthorized invocation requests for your Lambda functions, restrict access to trusted entities only by implementing the appropriate resource-based permission policies.
To determine if there are any AWS Lambda functions that allow unknown cross account access, perform the following:
To update the resource-based policies associated with your AWS Lambda functions in order to allow function invocation only from trusted AWS accounts, perform the following:
Note: Managing AWS Lambda function policies using the AWS Management Console is not currently supported. To add or remove permissions for your Lambda functions, use the Lambda API through the AWS Command Line Interface (CLI).
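The audit and remediation steps above both work on the function's resource-based policy, which `aws lambda get-policy --function-name <name>` returns as a JSON document serialised inside the `Policy` field. The following is an added example (not Cloud Conformity's code) that runs the same check offline: it parses a get-policy response, flags every Allow statement that grants `lambda:InvokeFunction` to a principal outside the friendly account list, and builds the matching `aws lambda remove-permission` commands. The sample policy, the trusted account list and the function name `demo` are constructed for illustration. Service principals (S3, SNS, ...) count as trusted only when an `aws:SourceAccount` condition pins them to a friendly account; an S3 trigger guarded only by `aws:SourceArn` is therefore flagged, because a bucket ARN carries no account ID.

```python
"""Audit a Lambda resource-based policy for cross-account invocation rights.

Added example; not part of the original page or the Cloud Conformity engine.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Friendly accounts, in the two forms the rule settings accept (constructed).
TRUSTED_ACCOUNTS = ["111111111111", "arn:aws:iam::222222222222:root"]

# Constructed stand-in for the output of `aws lambda get-policy`.
_FN = "arn:aws:lambda:us-east-1:111111111111:function:demo"
SAMPLE_GET_POLICY = {
    "RevisionId": "00000000-0000-0000-0000-000000000000",
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "trusted-partner", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
             "Action": "lambda:InvokeFunction", "Resource": _FN},
            {"Sid": "unknown-account", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "lambda:InvokeFunction", "Resource": _FN},
            {"Sid": "s3-trigger", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": _FN,
             "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}}},
            {"Sid": "public", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": _FN},
            {"Sid": "sns-any", "Effect": "Allow",
             "Principal": {"Service": "sns.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": _FN},
        ],
    }),
}


def account_of(principal):
    """12-digit account ID behind an account-style principal (bare ID or
    arn:aws:iam::<id>:root|user/...|role/...); None for '*' or unknown forms."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = IAM_ARN_RE.match(principal)
    return m.group(1) if m else None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def untrusted_statements(get_policy_response, trusted_accounts):
    """Return [(Sid, reason)] for Allow statements that let a principal
    outside trusted_accounts invoke the function."""
    trusted = {account_of(a) for a in trusted_accounts}
    policy = json.loads(get_policy_response["Policy"])
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"lambda:invokefunction", "lambda:*", "*"}:
            continue
        # aws:SourceAccount is what scopes a service principal to an account.
        source_accounts = set()
        for op, kv in st.get("Condition", {}).items():
            if op.lower() == "stringequals":
                for key, val in kv.items():
                    if key.lower() == "aws:sourceaccount":
                        source_accounts.update(_as_list(val))
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):      # bare "*" form
            principal = {"AWS": principal}
        aws_principals = _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append((sid, "invocable by any AWS principal"))
            continue
        for p in aws_principals:
            if account_of(p) not in trusted:
                findings.append((sid, f"AWS principal {p} is not a trusted account"))
        for svc in _as_list(principal.get("Service", [])):
            if not source_accounts or not source_accounts <= trusted:
                findings.append((sid, f"{svc} not pinned to a trusted aws:SourceAccount"))
    return findings


def remove_permission_commands(function_name, findings):
    """Remediation: one `aws lambda remove-permission` call per flagged Sid."""
    return [f"aws lambda remove-permission --function-name {function_name}"
            f" --statement-id {sid}" for sid, _ in findings]


if __name__ == "__main__":
    found = untrusted_statements(SAMPLE_GET_POLICY, TRUSTED_ACCOUNTS)
    for sid, reason in found:
        print(f"{sid}: {reason}")
    print("\n".join(remove_permission_commands("demo", found)))
```

Against the sample policy the check flags `unknown-account`, `public` and `sns-any`, while `trusted-partner` and the S3 trigger pinned to a friendly account pass. Run the printed `remove-permission` commands with the CLI against the real function, then re-run `get-policy` to confirm the statements are gone; the same `add-permission` API with `--source-account` is how a service trigger is re-granted with the account restriction in place.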