Why did Security Hub trigger the finding "Lambda function policies should prohibit public access"?
Last updated: 2022-05-25
AWS Security Hub contains a finding type similar to the following: "Lambda function policies should prohibit public access" (control Lambda.1 in the AWS Foundational Security Best Practices standard).
How can I remediate this finding type?
This control fails if the resource-based policy of the AWS Lambda function is:
- Publicly accessible (for example, the policy grants lambda:InvokeFunction to the principal "*").
- Invoked from Amazon Simple Storage Service (Amazon S3) through the s3.amazonaws.com service principal and the policy doesn't include a condition for AWS:SourceAccount. Without that condition, an S3 bucket in any AWS account can be configured to invoke the function (a confused-deputy problem).
Do one of the following:
- Update the policy to remove the permissions that allow public access.
- Add the AWS:SourceAccount condition to the policy.
- To update the resource-based policy, you must use the AWS Command Line Interface (AWS CLI).
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.
To find the statement IDs in the function's resource-based policy, run the AWS CLI command get-policy similar to the following:
$ aws lambda get-policy --function-name <function-name>
To remove permissions from the Lambda function, run the AWS CLI command remove-permission similar to the following:
$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>
To update permissions for the Lambda function so that only S3 buckets in your account can invoke it, run the AWS CLI command add-permission similar to the following:
$ aws lambda add-permission --function-name <function-name> --statement-id <new-statement-id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-account <account-id> --source-arn <bucket-arn>
The resource-based policy should now be updated.
Note: If you removed the only statement in the policy, then the policy is now empty.
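The following script is an added example, not AWS's own tooling: it reads the JSON that `aws lambda get-policy` returns (the Policy field is itself a JSON-encoded string), flags the statements that would fail this control as read from the control text above (an anonymous principal, or the s3.amazonaws.com principal with no AWS:SourceAccount condition), and builds the remove-permission and add-permission commands from the steps above. The sample policy, function name, account IDs, bucket and revision ID are constructed for the example, and the check is an approximation of the control, not the exact logic Security Hub runs.

```python
"""Flag Lambda resource-policy statements that fail Security Hub control Lambda.1
and build the AWS CLI commands that remediate them (added example, not AWS code)."""
import json
import shlex

# Constructed sample in the shape returned by `aws lambda get-policy`.
# The Policy field is a JSON document encoded as a string. All IDs/ARNs are made up.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            # Fails: anyone on the internet can invoke the function.
            {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
            # Fails: S3 service principal scoped to a bucket ARN but not to an account.
            {"Sid": "S3Trigger", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}}},
            # Passes: S3 principal with both AWS:SourceAccount and AWS:SourceArn.
            {"Sid": "S3TriggerScoped", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
             "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"},
                           "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}}},
            # Passes: a specific AWS account, not a public principal.
            {"Sid": "PartnerAccount", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
             "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        ],
    }),
    "RevisionId": "0c7a2f6e-1f2d-4a1b-9c3e-5d6f7a8b9c0d",
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_statements(get_policy_output):
    """Decode get-policy output, then the embedded policy string, and return its statements."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    return _as_list(policy.get("Statement"))


def is_public_principal(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def invoked_from_s3(principal):
    return isinstance(principal, dict) and "s3.amazonaws.com" in _as_list(principal.get("Service"))


def has_source_account_condition(statement):
    """Condition keys are case-insensitive, so compare them lowercased."""
    for keys in statement.get("Condition", {}).values():
        if any(key.lower() == "aws:sourceaccount" for key in keys):
            return True
    return False


def failing_statements(get_policy_output):
    """Return [(sid, reason)] for Allow statements this control would flag."""
    findings = []
    for stmt in load_statements(get_policy_output):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if is_public_principal(principal):
            findings.append((stmt["Sid"], "public"))
        elif invoked_from_s3(principal) and not has_source_account_condition(stmt):
            findings.append((stmt["Sid"], "s3-without-source-account"))
    return findings


def remediation_commands(function_name, get_policy_output, account_id):
    """Remove each failing statement; re-add S3 statements with --source-account
    (and the bucket ARN from the old statement's AWS:SourceArn, when present)."""
    by_sid = {s["Sid"]: s for s in load_statements(get_policy_output)}
    commands = []
    for sid, reason in failing_statements(get_policy_output):
        commands.append(f"aws lambda remove-permission --function-name "
                        f"{shlex.quote(function_name)} --statement-id {shlex.quote(sid)}")
        if reason == "s3-without-source-account":
            source_arn = None
            for keys in by_sid[sid].get("Condition", {}).values():
                for key, value in keys.items():
                    if key.lower() == "aws:sourcearn":
                        source_arn = value
            cmd = (f"aws lambda add-permission --function-name {shlex.quote(function_name)} "
                   f"--statement-id {shlex.quote(sid + '-scoped')} --action lambda:InvokeFunction "
                   f"--principal s3.amazonaws.com --source-account {account_id}")
            if source_arn:
                cmd += f" --source-arn {shlex.quote(source_arn)}"
            commands.append(cmd)
    return commands


if __name__ == "__main__":
    for sid, reason in failing_statements(SAMPLE_GET_POLICY_OUTPUT):
        print(f"FAIL {sid}: {reason}")
    for command in remediation_commands("my-function", SAMPLE_GET_POLICY_OUTPUT, "123456789012"):
        print(command)
```

Run it against real output by replacing `SAMPLE_GET_POLICY_OUTPUT` with the text of `aws lambda get-policy --function-name <function-name>`; review the printed commands before running them, because removing a statement that a legitimate cross-account caller relies on breaks that integration.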
For more information, see AWS Foundational Security Best Practices controls.