AWS Security Hub contains a finding type similar to the following:
"[Lambda.1] Lambda function policies should prohibit public access"
How can I remediate this finding type?
Short description
This control fails if the AWS Lambda function is:
- Publicly accessible.
- Invoked from Amazon Simple Storage Service (Amazon S3) and the policy doesn't include a condition for AWS:SourceAccount.
Resolution
Do one of the following:
Update the policy to remove the permissions that allow public access.
-or-
Add the AWS:SourceAccount condition to the policy.
Note: Follow the instructions to view a function's resource-based policy using the Lambda console. Depending on your use case, you can remove or update permissions for the Lambda function.
To remove permissions from the Lambda function, run the AWS CLI command remove-permission similar to the following:
$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
To update permissions for the Lambda function, run the AWS CLI command add-permission similar to the following:
$ aws lambda add-permission --function-name <function-name> --statement-id <new-statement-id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-account <account-id> --source-arn <bucket-arn>
To verify that the permissions are removed or updated, repeat the instructions to view a function's resource-based policy using the Lambda console.
The resource-based policy should now be updated.
Note: If the removed statement was the only one in the policy, then the policy is now empty.
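To check a resource-based policy against the control's two failure conditions before and after the remove-permission or add-permission step, the following added example (not AWS code) parses the document that `aws lambda get-policy` returns and lists the statements that would fail. The policy, function ARN, account ID and bucket name are constructed; the check flags every wildcard principal as public, which is a conservative reading rather than the exact Security Hub evaluation.

```python
import json

FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"  # constructed
# Constructed stand-in for `aws lambda get-policy` output; as with the real
# API, the "Policy" field is a JSON document encoded as a string.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({"RevisionId": "constructed", "Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
        {"Sid": "S3NoSourceAccount", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        {"Sid": "S3Scoped", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                       "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
    ]})})


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)


def has_condition_key(condition, key):
    """True when any condition operator block names `key` (condition keys are case-insensitive)."""
    return any(k.lower() == key.lower() for block in (condition or {}).values() for k in block)


def find_noncompliant_statements(get_policy_output):
    """Return (Sid, reason) for each Allow statement that fails one of the control's two checks."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        if is_public_principal(principal):
            findings.append((sid, "public principal"))
        elif isinstance(principal, dict) and principal.get("Service") == "s3.amazonaws.com" \
                and not has_condition_key(stmt.get("Condition"), "AWS:SourceAccount"):
            findings.append((sid, "S3 principal without AWS:SourceAccount condition"))
    return findings
```

Run it on real output by replacing SAMPLE_GET_POLICY_OUTPUT with the text of `aws lambda get-policy --function-name <function-name>`; an empty list means neither failure condition is present.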
For more information, see AWS Foundational Security Best Practices controls.
Related information
lambda-function-public-access-prohibited