Confusion with AWS config rule "lambda-function-public-access-prohibited"

0

Hi AWS community,

If my understanding is correct, the documentation would be lacking and the rule logic may not be enough to detect Lambda functions which are public.

Documentation: What misconfigurations can this rule actually test for? The Security Hub documentation mentions that it checks for AWS:SourceAccount (not source ARN) in the condition when used in combination with S3. The Config rule documentation has no mention of that.

Possible lacking coverage: A case where I know that the rule is not sufficient to check if Lambda functions are public is when API Gateway is used in the policy. Example policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:my-region:123456789012:function:my-function"
    }
  ]
}

As far as I know, API Gateway and probably other services (in addition to S3) allow cross-account access to Lambda. Shouldn't the recommendation be: if the service principal is set, fail when neither AWS:SourceAccount nor AWS:SourceArn is present in the condition? Or is there a reason why it only needs to be checked for service=s3?

Regards, Justus

Justus
asked 3 months ago, 92 views
No answers
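The check the question proposes, written out as an added example (not the Config rule's or AWS's own logic): every Allow statement with a service principal must carry aws:SourceAccount or aws:SourceArn, and a wildcard principal is flagged as public. The sample policies are constructed; the execute-api source ARN in the scoped variant is an assumption.

```python
import json

# Condition keys that tie a service-principal grant to one source account or
# resource; the question proposes requiring one of them for every service principal.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(condition):
    # Condition key names are case-insensitive in IAM, so compare lowercased.
    keys = set()
    for operator_block in (condition or {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def check_lambda_policy(policy_json):
    """Return (sid, reason) findings for Allow statements of a Lambda resource policy.
    Flags a wildcard principal (public) and a service principal with neither
    aws:SourceAccount nor aws:SourceArn, so any account using that service qualifies."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        is_dict = isinstance(principal, dict)
        if principal == "*" or (is_dict and "*" in _as_list(principal.get("AWS", []))):
            findings.append((sid, "public: wildcard principal"))
            continue
        services = _as_list(principal.get("Service", [])) if is_dict else []
        if services and not (_condition_keys(stmt.get("Condition")) & SCOPING_KEYS):
            findings.append((sid, "service principal " + ", ".join(services)
                             + " without aws:SourceAccount or aws:SourceArn condition"))
    return findings

# Constructed sample policies: the API Gateway grant from the question, the same grant
# scoped with an assumed execute-api source ARN, and a fully public grant.
FUNCTION_ARN = "arn:aws:lambda:my-region:123456789012:function:my-function"
def _policy(principal, condition=None):
    stmt = {"Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [stmt]})

UNSCOPED_APIGW = _policy({"Service": "apigateway.amazonaws.com"})
SCOPED_APIGW = _policy({"Service": "apigateway.amazonaws.com"},
                       {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:my-region:123456789012:*"}})
PUBLIC = _policy("*")
```

Running `check_lambda_policy(UNSCOPED_APIGW)` reports the unscoped API Gateway grant, while the scoped variant returns no findings.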
