Lambda function uses a privileged IAM role



A misconfigured Lambda execution role contains risky privileges. A privileged IAM role attached to a Lambda function can lead to an AWS account compromise if the underlying function code has an application-level vulnerability or can be modified by the attacker.


  1. Reduce the permissions attached to the Lambda execution role using the concept of least-privileged access. You can use AWS Access Advisor.
  2. Once you identify effective permissions used by your Lambda function, use AWS IAM Access Analyzer to generate an IAM policy based on past CloudTrail events.
  3. Redeploy the role to the Lambda Function.