Publicly accessible Lambda function with a critical vulnerability uses a privileged IAM role


Description

A misconfigured Lambda execution role contains risky privileges. A privileged IAM role attached to a Lambda function can lead to an AWS account compromise if the underlying function code has an application-level vulnerability or can be modified by the attacker. This Lambda function is publicly accessible, making it easier for attackers to exploit the function.

Remediation

  1. Reduce the permissions attached to the Lambda execution role following the principle of least privilege. AWS IAM Access Advisor can help you identify which permissions the role actually uses.
  2. Once you have identified the effective permissions used by your Lambda function, use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.
  3. Prioritize and apply security patches or updates to address the identified vulnerabilities. If patches are not available, consider implementing alternative security measures.
  4. Evaluate the need for public accessibility of the Lambda function. If unnecessary, modify the function’s access settings to restrict public access.
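The two conditions this finding combines, a publicly invokable function and an over-privileged execution role, can both be checked directly from the function's resource-based policy and the role's policy document. The following Python is an added example, not part of this page or of Datadog's detection logic: it evaluates constructed sample policy documents (placeholder account ID `111122223333`, placeholder function and table names) and contrasts a public, wildcard-privileged configuration with a scoped, least-privilege one. The heuristics for "risky" (wildcard actions, or `iam:`/`sts:AssumeRole` actions on `Resource: "*"`) are an assumption chosen for illustration, not the rule's definition.

```python
"""Check a Lambda resource policy for public invoke access and an execution-role
policy for risky privileges. Example code; sample documents are constructed."""

# --- Constructed sample: publicly invokable function -------------------------
PUBLIC_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnyoneToInvoke",
        "Effect": "Allow",
        "Principal": "*",                      # any caller, no Condition
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
    }],
}

# --- Constructed sample: invocation restricted to one API Gateway API --------
SCOPED_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOneApiToInvoke",
        "Effect": "Allow",
        "Principal": {"Service": "apigateway.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
        "Condition": {"ArnLike": {
            "AWS:SourceArn": "arn:aws:execute-api:us-east-1:111122223333:abcdef1234/*"}},
    }],
}

# --- Constructed sample: execution role with admin-style privileges ----------
PRIVILEGED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# --- Constructed sample: least-privilege execution role ----------------------
LEAST_PRIVILEGE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/example-fn:*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:Query"],
         "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/example-table"},
    ],
}

INVOKE_ACTIONS = {"lambda:invokefunction", "lambda:invokefunctionurl", "lambda:*", "*"}
# Assumed heuristic: these action families on Resource "*" let a compromised
# function pivot to other identities in the account.
RISKY_PREFIXES = ("iam:", "sts:assumerole")


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", or a map of type -> value(s))."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def statement_grants_public_invoke(stmt):
    """Allow + invoke action + Principal "*" + no Condition narrowing the caller."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    if not actions & INVOKE_ACTIONS or "*" not in _principals(stmt):
        return False
    return not stmt.get("Condition")


def policy_allows_public_invoke(policy):
    return any(statement_grants_public_invoke(s) for s in _as_list(policy.get("Statement")))


def risky_role_statements(policy):
    """Return one reason string per risky grant in an execution-role policy."""
    reasons = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        for action in (a.lower() for a in _as_list(stmt.get("Action"))):
            if action == "*" or action.endswith(":*"):
                reasons.append(f"statement {i}: wildcard action {action!r}")
            elif action.startswith(RISKY_PREFIXES) and "*" in resources:
                reasons.append(f"statement {i}: {action!r} on Resource '*'")
    return reasons


def matches_finding(resource_policy, role_policy):
    """Both conditions of this finding hold (code vulnerability is out of scope here)."""
    return policy_allows_public_invoke(resource_policy) and bool(risky_role_statements(role_policy))


if __name__ == "__main__":
    print("before:", matches_finding(PUBLIC_RESOURCE_POLICY, PRIVILEGED_ROLE_POLICY),
          risky_role_statements(PRIVILEGED_ROLE_POLICY))
    print("after: ", matches_finding(SCOPED_RESOURCE_POLICY, LEAST_PRIVILEGE_ROLE_POLICY))
```

In practice the inputs come from `aws lambda get-policy` (the resource-based policy, which also covers function URLs with `AuthType NONE` via `lambda:InvokeFunctionUrl`) and from the role's attached and inline policies; the scoped example shows the shape remediation step 4 produces, and the least-privilege example the shape step 2 produces.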