Stay up to date with the latest from the Knowledge Center. See all new and updated Knowledge Center articles published in the last month and re:Post’s top contributors.
Why did Security Hub initiate the finding "Lambda function policies should prohibit public access"?
AWS Security Hub returned a control check response for an AWS Lambda function.
Short description
Security Hub contains a finding type similar to the following one:
"[Lambda.1] Lambda function policies should prohibit public access"
This control response fails for the following reasons:
- The Lambda function is publicly accessible.
- You invoke the Lambda function from Amazon Simple Storage Service (Amazon S3), and the policy doesn't include a condition for AWS:SourceAccount.
Resolution
To resolve this issue, either update the policy to remove the permissions that allows public access, or add the AWS:SourceAccount condition to the policy.
Note:
- To update the resource-based policy, you must use the AWS Command Line Interface (AWS CLI).
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
Use the Lambda console to view a function's resource-based policy. Depending on your use case, you can remove or update permissions for the Lambda function.
To remove permissions from the Lambda function, run the AWS CLI command remove-permission similar to the following:
$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
To update permissions for the Lambda function, rule the AWS CLI command add-permission similar to the following:
$ aws lambda add-permission --function <function-name> --statement-id <new-statement-id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-account <account-id> --source-arn <bucket-arn>
To verify that the permissions are removed or updated, repeat the instructions to view a function's resource-based policy.
Note: If there's only one statement in the policy, then the policy is empty.
For more information, see Security Hub controls reference.
Related information
lambda-function-public-access-prohibited
How can I use Security Hub to monitor security issues for my AWS environment?
This post doesn't answer the question of why having a Lambda public is a security vulnerability. If I host the exact same code in an EC2 instance or an ECS cluster with no authentication, Config does not raise a Security Hub finding. What is uniquely vulnerable about putting code in a Lambda that makes it a CRITICAL Security Hub finding if it is accessible to the public?
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Relevant content
- asked 2 years ago
- asked 3 years ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 3 years ago
