lacework-global-180
Lambda Function should not have Cross Account Access
Description
Lambda functions with cross account access can be potential security risks because they grant access to other accounts.
Remediation
Login to the AWS Management Console
Click Services
Select Lambda
On the left side, select functions.
Choose a function and click the Configuration tab.
Click Permissions.
Under Execution role - Role name, click on the role associated with the function.
Under Permissions policies, select and expand an attached policy to view in JSON format.
Identify if any Resource elements are set to the following, where <ACCOUNT_ID> does not match the current account ID:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
}
],
"Version": "2012-10-17"
}Edit or delete the offending policy.
Repeat steps 8-10 for each attached policy.
Edit:
Click edit on the offending policy.
Edit the permissions so the policy no longer has cross account access using either the Visual editor, or JSON tab.
Click Review policy.
Click Save changes.
Delete:
Check the box next to the offending policy.
Click Remove.
Click Delete.