lacework-global-179

Lambda Function should not have Admin Privileges

Description

Lambda functions assume an execution role, which grants permissions to the function. Like IAM users, Lambda functions should be managed according to the principle of least privilege: the execution role should grant only the permissions the function actually needs, never full administrative access.

Remediation

  1. Login to the AWS Management Console.

  2. Click Services.

  3. Select Lambda.

  4. On the left side, select Functions.

  5. Choose a function and click the Configuration tab.

  6. Click Permissions.

  7. Under Execution role - Role name, click on the role associated with the function.

  8. Under Permissions policies, select and expand an attached policy to view in JSON format.

  9. Locate statements whose Resource and Action elements are set to '*' and whose Effect is 'Allow'. Such a statement grants every action on every resource, which is administrator access.

  10. Edit or delete the offending policy.

  11. Repeat steps 8-10 for each attached policy.
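Step 9 can be checked programmatically before editing in the console. The following added example is not part of this policy page or of any Lacework tooling; it applies the same test (Effect 'Allow', Action '*', Resource '*') to IAM policy documents, handling the single-string and list forms IAM permits for Action, Resource and Statement. The two policy documents are constructed samples: one over-privileged statement of the kind the step describes, and a least-privilege replacement that only allows CloudWatch Logs writes (REGION and ACCOUNT_ID are placeholders).

```python
import json

# Constructed sample: an over-privileged execution role policy matching the pattern in step 9.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: a least-privilege replacement that allows only log writes to the
# function's own log group (REGION and ACCOUNT_ID are placeholders, not real values).
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/example-function:*"
    }
  ]
}
""")


def _as_list(value):
    """IAM allows Action, Resource and Statement to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_admin_statement(stmt):
    """True when a statement allows every action on every resource:
    Effect 'Allow' with '*' among its Actions and '*' among its Resources."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return "*" in actions and "*" in resources


def find_admin_statements(policy):
    """Return the indices of the statements in a policy document that grant admin privileges."""
    statements = _as_list(policy.get("Statement"))
    return [i for i, stmt in enumerate(statements) if is_admin_statement(stmt)]


if __name__ == "__main__":
    for name, policy in (("admin policy", ADMIN_POLICY), ("least-privilege policy", LEAST_PRIVILEGE_POLICY)):
        hits = find_admin_statements(policy)
        if hits:
            print(f"{name}: offending statement(s) at index {hits}")
        else:
            print(f"{name}: no admin statements")
```

A Deny statement with the same wildcards is deliberately not flagged, since it removes rather than grants access; only Allow statements are considered. Run against each attached policy's JSON (exported from the console or retrieved with the IAM API) to list the statements that steps 10 and 11 require you to edit or delete.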

Edit:

  1. Click edit on the offending policy.

  2. Edit the permissions so the policy no longer grants admin privileges, using either the Visual editor or the JSON tab.

  3. Click Review policy.

  4. Click Save changes.

Delete:

  1. Check the box next to the offending policy.

  2. Click Remove.

  3. Click Delete.