Rule: Lambda Function Policies Should Prohibit Public Access

This rule flags Lambda functions whose resource-based policy (function policy) allows public access, that is, invocation by any principal from any account.

Rule: Lambda function policies should prohibit public access
Framework: AWS Foundational Security Best Practices
Severity: Critical

Policy Description:

A Lambda function's resource-based policy decides which principals may invoke it. AWS Foundational Security Best Practices control Lambda.1 fails a function whose policy grants access to a wildcard principal ("*") without a condition restricting the caller to a known account, ARN or organization. Closing that gap keeps unauthenticated callers from invoking the function, driving up cost, and reaching whatever the function's execution role can reach.

Policy Details:

To satisfy this control you need to look at the function's resource-based policy (the "function policy"), which is the document that decides who may invoke the function. The execution role, VPC settings and identity-based IAM policies each matter for other reasons, but none of them removes a public grant from the function policy. Work through the following:

1. Review the Resource-Based Policy:

a. Open the AWS Management Console and navigate to the Lambda service. b. Select the function you want to check. c. Open the "Configuration" tab, then "Permissions", and scroll to "Resource-based policy statements". d. A statement is public when its principal is "*" (or {"AWS": "*"}) and it carries no condition that pins the caller to a specific account, ARN, organization or VPC endpoint (for example aws:SourceAccount, aws:SourceArn or aws:PrincipalOrgID). Delete such statements or add the missing condition. A function with no resource-based policy at all is not public: only principals in your own account with matching identity-based permissions can invoke it.

2. Check Function URLs:

a. If the function has a function URL, note its auth type. b. An auth type of NONE makes the URL reachable by anyone, and Lambda records it as a statement with principal "*", action lambda:InvokeFunctionUrl and the condition lambda:FunctionUrlAuthType = NONE, which is a wildcard grant and fails this check. c. Switch the URL to AWS_IAM (and grant lambda:InvokeFunctionUrl only to the callers you intend), or delete the URL if it is not needed.

3. Keep VPC Configuration in Perspective:

a. Attaching a function to a VPC and private subnets controls the network its outbound traffic uses; it does not control who can invoke the function. b. Use it when the function must reach private resources (databases, internal services), and pair it with security groups that allow only the required traffic. c. Do not treat VPC attachment as a fix for a public function policy; the policy itself has to change.

4. Restrict IAM Policies and Apply Least Privilege:

a. Review identity-based policies that grant lambda:AddPermission or lambda:CreateFunctionUrlConfig on your functions; anyone holding them can reopen the function, so limit them to deployment roles. b. Scope Allow statements for lambda:InvokeFunction to specific function ARNs rather than "*". c. Keep the execution role minimal: it defines what the function may do once it is running, so an over-permissive role turns a publicly invokable function into a much larger exposure.

Troubleshooting Steps:

If the control still reports the function as public after you have followed the policy guidelines, work through the following checks:

  1. Re-read the Resource-Based Policy:

    • Retrieve the current policy (the GetPolicy API, or the "Resource-based policy statements" panel) and check every statement, not just the one you edited; a second statement with a wildcard principal is enough to fail the control.
    • Confirm that the conditions you added use a key that identifies the caller (aws:SourceAccount, aws:SourceArn, aws:PrincipalOrgID and similar). A condition on aws:SourceIp or lambda:FunctionUrlAuthType alone does not tie the grant to an account and should still be treated as public.
  2. Check Function URL Settings:

    • Verify that no function URL remains with auth type NONE. Deleting the permission statement without changing the URL auth type, or changing the auth type without deleting the statement, leaves the function public.
  3. Check the Lambda Execution Role:

    • Confirm the execution role grants only what the function's code needs. The role does not decide who can invoke the function, but it bounds the damage if the function is reachable by more callers than intended.
  4. Review VPC and Subnet Configuration (if used):

    • If the function is attached to a VPC, verify that the subnets and security groups still let it reach the private resources it needs. This affects the function's outbound connectivity only, not who can invoke it.
  5. Audit IAM Policies:

    • Look for identity-based policies that let broad groups of principals call AddPermission or create function URLs, since those can silently recreate the public grant.
    • Check whether a deployment pipeline or infrastructure template (for example a CloudFormation AWS::Lambda::Permission resource with Principal "*") re-applies the public statement on every deploy.

Example Policy Code:

Here is an example resource-based policy (function policy) that grants invoke access to a single, named caller instead of to everyone. It belongs on the function itself (the AddPermission API or the "Resource-based policy statements" panel), not on the execution role: the execution role is the identity the function assumes while running and has no say in who may invoke it. Modify the resource ARN and other attributes according to your specific requirements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowInvokeFromOneApi",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:account-id:function:function-name",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:execute-api:region:account-id:api-id/*"
                }
            }
        }
    ]
}

Note: The statement allows only the API Gateway service to invoke the function, and only on behalf of one API in your account; without the aws:SourceArn condition, any API Gateway in any AWS account could invoke it (the confused-deputy problem). A Deny statement keyed on aws:SourceIp 0.0.0.0/0 and attached to the execution role is not a substitute: the execution role does not govern invokers, so it leaves a public Allow in the function policy untouched. Modify the region, account-id, function-name and api-id parameters to match your specific setup.

Remediation Steps:

If your Lambda function does not comply with the policy and public access is enabled, follow these steps to remediate the issue:

  1. Open the AWS Management Console and navigate to the Lambda service.
  2. Select the Lambda function that violates the policy.
  3. Open the "Configuration" tab, then "Permissions", and scroll to "Resource-based policy statements".
  4. Select each statement whose principal is "*" (or {"AWS": "*"}) and that lacks a condition identifying the caller, and delete it (this is the RemovePermission API; the same statement ID can be removed from the CLI or an SDK). If the grant is genuinely needed, replace it with one scoped to a specific principal and condition.
  5. If the function has a function URL with auth type NONE, change it to AWS_IAM or delete the URL.
  6. Review the execution role, and any identity-based policies that grant AddPermission on the function, and tighten them if needed.
  7. Re-run the check (Security Hub or AWS Config) to confirm the function no longer allows public access, and if you deploy with infrastructure-as-code, fix the template so the public statement is not re-created on the next deploy.

By following these steps, you can ensure that your Lambda functions adhere to the policy and prevent unauthorized public access, enhancing the security of your AWS environment.
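The policy review in Policy Details (steps 1 and 4) and the Remediation Steps above can be automated. The following is an added example, not Cloud Defense's or AWS's code: it implements the public-statement check (wildcard principal, Allow effect, no condition on a caller-identifying key), walks an inventory of functions the way a boto3 Lambda client would be used (list_functions, get_policy, remove_permission), and removes the offending statements. The set of condition keys treated as "restricting" is an assumption that approximates the AWS check; the FakeLambdaClient, the function names and the placeholder region/account-id/api-id ARNs are constructed so the example runs offline. Replace FakeLambdaClient with boto3.client("lambda") to run it against a real account.

```python
"""Audit Lambda function policies for public grants and remove them (added example, not the page's code)."""
import json

# Condition keys that tie a wildcard principal to a known caller. Assumption: this set
# approximates what the AWS check honours; extend it to match your own audit policy.
RESTRICTING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalaccount",
                    "aws:principalorgid", "aws:principalarn", "aws:sourcevpce", "aws:sourcevpc"}

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # Principal "*" or {"AWS": "*"} means any caller in any account.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def _restricted(stmt):
    # True if some condition key narrows the caller to an account, ARN, org or VPC endpoint.
    return any(key.lower() in RESTRICTING_KEYS
               for keys in (stmt.get("Condition") or {}).values() for key in keys)

def public_statements(policy):
    """Sids of Allow statements open to any principal with no restricting condition.
    lambda:FunctionUrlAuthType = NONE (written for a public function URL) is not restricting."""
    return [stmt.get("Sid", f"Statement[{i}]")
            for i, stmt in enumerate(_as_list(policy.get("Statement")))
            if stmt.get("Effect") == "Allow"
            and _wildcard_principal(stmt.get("Principal")) and not _restricted(stmt)]

def audit(client):
    """Map function name -> public Sids. `client` is a boto3 Lambda client or anything with the
    same shape; GetPolicy raises ResourceNotFoundException when there is no policy (not public)."""
    results, marker = {}, None
    while True:
        page = client.list_functions(**({"Marker": marker} if marker else {}))
        for fn in page.get("Functions", []):
            try:
                doc = json.loads(client.get_policy(FunctionName=fn["FunctionName"])["Policy"])
            except client.exceptions.ResourceNotFoundException:
                continue
            if sids := public_statements(doc):
                results[fn["FunctionName"]] = sids
        marker = page.get("NextMarker")
        if not marker:
            return results

def remediate(client, findings):
    """Delete each public statement by Sid (the RemovePermission API); returns (name, sid) pairs."""
    removed = []
    for name, sids in findings.items():
        for sid in sids:
            client.remove_permission(FunctionName=name, StatementId=sid)
            removed.append((name, sid))
    return removed

class FakeLambdaClient:
    """Constructed stand-in for boto3's Lambda client so the example runs offline."""
    class exceptions:
        class ResourceNotFoundException(Exception):
            pass
    def __init__(self, policies):
        self.policies = policies  # name -> policy document, or None for no policy
    def list_functions(self, **_):
        return {"Functions": [{"FunctionName": n} for n in self.policies]}
    def get_policy(self, FunctionName):
        if self.policies.get(FunctionName) is None:
            raise self.exceptions.ResourceNotFoundException(FunctionName)
        return {"Policy": json.dumps(self.policies[FunctionName]), "RevisionId": "constructed"}
    def remove_permission(self, FunctionName, StatementId, **_):
        doc = self.policies[FunctionName]
        doc["Statement"] = [s for s in _as_list(doc["Statement"]) if s.get("Sid") != StatementId]

def _policy(sid, principal, action, name, condition=None):
    """One-statement function policy; region/account-id/api-id placeholders follow the page."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal, "Action": action,
            "Resource": f"arn:aws:lambda:region:account-id:function:{name}"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample inventory: two public functions, two properly scoped, one with no policy.
SAMPLE_POLICIES = {
    "public-fn": _policy("AllowAnyone", "*", "lambda:InvokeFunction", "public-fn"),
    "url-fn": _policy("PublicUrl", "*", "lambda:InvokeFunctionUrl", "url-fn",
                      {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}),
    "api-fn": _policy("ApiGwOnly", {"Service": "apigateway.amazonaws.com"}, "lambda:InvokeFunction",
                      "api-fn", {"ArnLike": {"aws:SourceArn": "arn:aws:execute-api:region:account-id:api-id/*"}}),
    "org-fn": _policy("OrgOnly", {"AWS": "*"}, "lambda:InvokeFunction", "org-fn",
                      {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}),
    "no-policy-fn": None,
}

def run_sample():
    """Audit the sample, remove the public grants, audit again: returns (before, removed, after)."""
    client = FakeLambdaClient(json.loads(json.dumps(SAMPLE_POLICIES)))  # deep copy keeps the sample intact
    before = audit(client)
    removed = remediate(client, before)
    return before, removed, audit(client)
```

Two of the sample functions are reported: public-fn (a bare wildcard grant) and url-fn (the statement Lambda writes for a function URL with auth type NONE). api-fn is not flagged because its principal is a named service scoped by aws:SourceArn, and org-fn is not flagged because aws:PrincipalOrgID restricts the wildcard to one organization. Removing a URL statement with RemovePermission does not by itself change the URL's auth type, so in a real account pair the remediation with UpdateFunctionUrlConfig or delete the URL, as the Remediation Steps say.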
