v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 4.10 Ensure Lambda functions do not allow unknown cross account access via permission policies

Description

Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access.

Allowing unknown (unauthorized) AWS accounts to invoke your Amazon Lambda functions can lead to data exposure and data loss. To prevent any unauthorized invocation requests for your Lambda functions, restrict access only to trusted AWS accounts.

Remediation

From the Console:

  1. Login to the AWS Console using https://console.aws.amazon.com/lambda/.
  2. In the left column, under AWS Lambda, click Functions.
  3. Under Function name click on the name of the function that you want to review.
  4. Click the Configuration tab.
  5. In the left column, click Permissions.
  6. In the Resource-based policy statements section, select the policy statement that allows the unknown AWS Account cross-account access.
  7. Click Edit.
  8. On the Edit permissions page, replace or remove the AWS Account(s) ARN of the unauthorized principal in the Principal box.
  9. Click Save.
  10. Repeat steps for each Lambda function that failed the Audit.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_compute_service_v100_4_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_compute_service_v100_4_10 --share

SQL

This control uses a named query:

manual_control

Tags

category = Compliance
cis = true
cis_item_id = 4.10
cis_level = 1
cis_section_id = 4
cis_type = manual
cis_version = v1.0.0
plugin = aws
service = AWS/Lambda