Lambda functions should not be configured with a privileged execution role

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

This rule ensures that none of your Lambda functions is attached to an highly-privileged execution role.

Rationale

Lambda execution roles are the recommended method to a Lambda function privileges to access the AWS API. However, a Lambda function attached to a privileged IAM role is considered risky, since an attacker compromising the function - for instance through an application-level vulnerability - can compromise your whole AWS account.

Remediation

Lambda functions typically do not require privileged IAM roles. It is recommended to reduce the permissions attached to the execution role. You can use AWS Access Advisor to identify effective permissions used by your Lambda functions, and use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.