Why did Security Hub trigger the finding "Lambda function policies should prohibit public access"?

Last updated: 2022-05-25

AWS Security Hub contains a finding type similar to the following:

"[Lambda.1] Lambda function policies should prohibit public access"

How can I remediate this finding type?

Short description

This control response fails if the AWS Lambda function is:

  • Publicly accessible.
  • Invoked from Amazon Simple Storage Service (Amazon S3) and the policy doesn't include a condition for AWS:SourceAccount.

Resolution

Do one of the following:

Update the policy to remove the permissions that allows public access.

-or-

Add the AWS:SourceAccount condition to the policy.

Note:

Follow the instructions to view a function's resource-based policy using the Lambda console. Depending on your use case, you can remove or update permissions for the Lambda function.

To remove permissions from the Lambda function, run the AWS CLI command remove-permission similar to the following:

$ aws lambda remove-permission --function-name <function-name> --statement-id <statement-id>

To update permissions for the Lambda function, rule the AWS CLI command add-permission similar to the following:

$ aws lambda add-permission --function <function-name> --statement-id <new-statement-id> --action lambda:InvokeFunction --principal s3.amazonaws.com --source-account <account-id> --source-arn <bucket-arn>

To verify that the permissions are removed or updated, repeat the instructions to view a function's resource-based policy using the Lambda console.

The resource-based policy should now be updated.

Note: If there was only one statement in the policy, then the policy is empty.

For more information, see AWS Foundational Security Best Practices controls.


Did this article help?


Do you need billing or technical support?