Confusion with AWS config rule "lambda-function-public-access-prohibited"


Hi AWS community,

If my understanding is correct, the documentation is lacking and the rule logic may not be enough to detect Lambda functions which are public.

Documentation: What misconfigurations can this rule actually test for? The Security Hub documentation mentions that it checks for AWS:SourceAccount (not source ARN) in the condition when used in combination with S3. The Config rule documentation has no mention of that.

Possibly lacking coverage: A case where I know that the rule is not sufficient to check whether Lambda functions are public is when API Gateway is used in the policy. Example policy:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:my-region:123456789012:function:my-function"
    }
  ]
}

As far as I know, API Gateway and probably other services (in addition to S3) allow cross-account access to Lambda. Shouldn't the recommendation be: if the service principal is set, fail when neither AWS:SourceAccount nor AWS:SourceArn is present in the condition? Or is there a reason why it only needs to be checked for service=s3?

Regards, Justus

Justus, asked 3 months ago, 87 views
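One way to run the check proposed in the question over a function's resource policy, as an added example that is neither AWS's rule logic nor code from the poster: the helper names, the scoped sample policy and its API id placeholder are assumptions of mine, and in practice the input would be the parsed Policy document returned for the function.

```python
import json

# Condition keys that tie a service-principal grant to one source account or ARN.
# Assumption (from the question's proposal): either key, under any operator, suffices.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}
INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Lower-cased condition keys across all operators; IAM keys are case-insensitive."""
    return {k.lower() for kv in (stmt.get("Condition") or {}).values() for k in kv}


def _grants_invoke(stmt):
    return any(a.lower() in INVOKE_ACTIONS for a in _as_list(stmt.get("Action", [])))


def unscoped_service_grants(policy):
    """Return (Sid-or-index, services) for every Allow statement that lets a
    service principal invoke the function without aws:SourceAccount or
    aws:SourceArn in its Condition, whatever the service is (not only S3)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants_invoke(stmt):
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if services and not (_condition_keys(stmt) & SCOPING_KEYS):
            findings.append((stmt.get("Sid", f"Statement[{i}]"), services))
    return findings


# Constructed samples: the policy from the question, and the same grant scoped
# to one API (hypothetical API id placeholder) with AWS:SourceArn.
UNSCOPED = {"Version": "2012-10-17", "Id": "default", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:my-region:123456789012:function:my-function"}]}
SCOPED = json.loads(json.dumps(UNSCOPED))
SCOPED["Statement"][0]["Condition"] = {"ArnLike": {
    "AWS:SourceArn": "arn:aws:execute-api:my-region:123456789012:EXAMPLEAPIID/*"}}

if __name__ == "__main__":
    for name, pol in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(name, "->", unscoped_service_grants(pol) or "no findings")
```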
No Answers
