Lambda Admin Privileges

This plugin ensures that no Lambda function in your Amazon Web Services account has administrative capabilities.

Risk Level: High

Description:

This plugin ensures that no Lambda function in your Amazon Web Services account has administrative capabilities. For Lambda security best practices, the AWS Lambda Function should have the highest restrictive IAM permissions.

Recommended Action:  Modify IAM role attached with Lambda function to provide the minimal amount of access required to perform its tasks

About the Service:

AWS Lambda is a serverless compute service that allows you to run code without having to provision or manage servers, create workload-aware cluster scaling logic, keep event integrations up to date, or manage runtimes. You can use Lambda to run code for almost any form of application or backend service, and you don't have to worry about managing it. Simply upload your code as a ZIP file or container image, and Lambda will automatically and precisely assign compute execution power and run your code in response to incoming requests or events, at any scale.

Impact: 

AWS Lambda functions must not have administrative privileges as it can lead to misuse of administrative power by any user using the function’s service, thus these functions must be provided the minimal amount of access to perform their tasks.

Steps to reproduce :

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at:  https://console.aws.amazon.com/lambda/
  3.  Select the Function you want to examine and visit its configuration page.
  4. Select Configuration tab, under Execution role, sees the expanded panel of IAM roles that defines the permissions for the chosen function.
  5. Select Roles, in the left navigation panel.
  6. Check the Existing Role dropdown list and copy the IAM execution role.
  7. Now navigate to the IAM dashboard and select Roles in the left navigation panel.
  8. Paste the name of the IAM execution role copied in step 6 in the search bar ad click on the role that pops up.
  9. Select the Permission tab from the bottom panel.
  10. Click on the attached IAM Policy name available in the Policy name column.
  11. In the {}jSON panel, verify the policy document. Identify the values of the Action and Resource element. If their values are set to “ * ” and the Effect is set to “ Allow ”, then the attached policy has Administrative privileges.

 

Steps for remediation :

  1. Sign in to your AWS console.
  2. Navigate to the Lambda dashboard at:  https://console.aws.amazon.com/lambda/ 
  3. Select the Function you want to examine and visit its configuration page.
  4. Select Configuration tab, select Execution role and see the expanded panel of IAM roles that defines the permissions for the chosen function.
  5. In the Execution role panel, perform one of the following  steps:
  • Select Choose an existing role from the first selection list, then select the name of the existing IAM role from the second dropdown list to apply for an existing execution role. The chosen IAM role must follow the Principle of Least Privilege and only grant access permissions that are required by the selected function.
  • Select Create new role from template(s) from the first dropdown list, input a name for the IAM role in the Role name box, and select one or more templates from the Policy templates dropdown list to apply a new execution role constructed using Lambda policy templates.
  • Select Create a custom role from the dropdown list to be redirected to the AWS Lambda requires access to your resources page, where you may create your own IAM execution role for the Lambda function you've chosen. After you've defined your new custom role, click Allow to add it to the current function configuration.

 

References: