Why did Security Hub initiate the finding "Lambda function policies should prohibit public access"?


AWS Security Hub returned a control check response for an AWS Lambda function.

Short description

Security Hub contains a finding type similar to the following one:

"[Lambda.1] Lambda function policies should prohibit public access"

This control response fails for the following reasons:

  • The Lambda function is publicly accessible.
  • You invoke the Lambda function from Amazon Simple Storage Service (Amazon S3), and the policy doesn't include a condition for AWS:SourceAccount.

Resolution

To resolve this issue, either update the policy to remove the permission that allows public access, or add the AWS:SourceAccount condition to the policy.

Note: Use the Lambda console to view a function's resource-based policy. Depending on your use case, you can remove or update permissions for the Lambda function.

To remove permissions from the Lambda function, run the AWS CLI command remove-permission similar to the following:

$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

To update permissions for the Lambda function, run the AWS CLI command add-permission similar to the following:

$ aws lambda add-permission --function-name <function-name> --statement-id <new-statement-id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-account <account-id> --source-arn <bucket-arn>

To verify that the permissions are removed or updated, repeat the instructions to view a function's resource-based policy.

Note: If the policy contains only one statement and you remove it, the resulting policy is empty.
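To check a function's resource-based policy offline before or after running the commands above, the following added Python example (not AWS's implementation of the control) applies the two conditions this article describes to the decoded "Policy" JSON that `aws lambda get-policy` returns: it flags Allow statements whose principal is "*" and S3 service-principal statements that lack an AWS:SourceAccount condition. The sample policy, account ID and ARNs are constructed for the example.

```python
import json
# Constructed sample policy in the shape of the decoded "Policy" field
# returned by `aws lambda get-policy`; the account id and ARNs are made up.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "S3NoAccount", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
        {"Sid": "S3Scoped", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "111122223333"},
                       "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
    ],
})

def _condition_keys(statement):
    """Lower-cased condition keys of a statement (IAM condition keys are case-insensitive)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller from any account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def find_failing_statements(policy_json):
    """Return (Sid, reason) pairs for Allow statements that would fail Lambda.1."""
    failing = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal", {})
        if _is_public_principal(principal):
            failing.append((sid, "public principal"))
        elif isinstance(principal, dict) and principal.get("Service") == "s3.amazonaws.com":
            if "aws:sourceaccount" not in _condition_keys(st):
                failing.append((sid, "S3 invoke without aws:SourceAccount condition"))
    return failing
```

Feed it the output of `aws lambda get-policy --function-name <function-name> --query Policy --output text`; an empty list means no statement matches either failure reason from this article.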

For more information, see Security Hub controls reference.

Related information

lambda-function-public-access-prohibited

How can I use Security Hub to monitor security issues for my AWS environment?

AWS OFFICIAL, updated a year ago
2 Comments

This post doesn't answer the question of why having a Lambda public is a security vulnerability. If I host the exact same code in an EC2 instance or an ECS cluster with no authentication, Config does not raise a Security Hub finding. What is uniquely vulnerable about putting code in a Lambda that makes it a CRITICAL Security Hub finding if it is accessible to the public?

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago