lacework-global-180

Lambda Function should not have Cross Account Access

Description

Lambda functions with cross-account access can be a security risk because their execution role is permitted to assume a role in another AWS account, so a compromised or misconfigured function gains access to resources outside the current account.

Remediation

  1. Log in to the AWS Management Console

  2. Click Services

  3. Select Lambda

  4. On the left side, select Functions.

  5. Choose a function and click the Configuration tab.

  6. Click Permissions.

  7. Under Execution role - Role name, click on the role associated with the function.

  8. Under Permissions policies, select and expand an attached policy to view in JSON format.

  9. Identify whether any Resource element is set to the following, where <ACCOUNT_ID> does not match the current account ID:

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
            }
        ],
        "Version": "2012-10-17"
    }

  10. Edit or delete the offending policy.

  11. Repeat steps 8-10 for each attached policy.

Edit:

  1. Click Edit on the offending policy.

  2. Edit the permissions so the policy no longer grants cross-account access, using either the Visual editor or the JSON tab.

  3. Click Review policy.

  4. Click Save changes.

Delete:

  1. Check the box next to the offending policy.

  2. Click Remove.

  3. Click Delete.
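The check in step 9 can be automated against a policy document exported from the console or the IAM API. The following is an added example, not Lacework's own policy logic: it parses an IAM policy JSON, keeps only Allow statements that grant sts:AssumeRole, and reports role ARNs whose account ID differs from the current account. The policy document and the account IDs 111111111111 and 222222222222 are constructed sample values.

```python
import json
import re

# Constructed sample: an inline policy attached to a Lambda execution role.
# 111111111111 is assumed to be the current account; 222222222222 is foreign.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::111111111111:role/SameAccountRole"},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "sts:AssumeRole"],
         "Resource": ["arn:aws:logs:us-east-1:111111111111:*",
                      "arn:aws:iam::222222222222:role/CrossAccountRole"]},
        {"Effect": "Deny", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::333333333333:role/DeniedRole"},
    ],
})

# IAM role ARN: partition may be aws, aws-cn, aws-us-gov; account is 12 digits or '*'.
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}|\*):role/.+$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_assume_role(stmt):
    """True for Allow statements whose Action covers sts:AssumeRole (incl. wildcards)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return stmt.get("Effect") == "Allow" and any(
        a in ("sts:assumerole", "sts:*", "*") for a in actions)


def find_cross_account_roles(policy_json, current_account_id):
    """Return role ARNs that an Allow sts:AssumeRole statement targets outside
    current_account_id. A '*' resource or '*' account is also reported, because
    it is not restricted to the current account."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if not _allows_assume_role(stmt):
            continue
        for resource in _as_list(stmt.get("Resource")):
            match = ARN_RE.match(resource)
            if (match and match.group(1) != current_account_id) or resource == "*":
                findings.append(resource)
    return findings
```

Each returned ARN corresponds to a statement to edit or delete under step 10; Deny statements and non-IAM resources are ignored.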