AWS Lambda Exposed to the Public

Description:

AWS Lambda is a serverless computing service that lets you run code without provisioning or managing servers. When an AWS Lambda function is exposed to the public, it usually implies that the function is accessible via an endpoint, typically through Amazon API Gateway. Making a Lambda function directly accessible from the public without any controls can expose your application to a wider range of threats, including unauthorized access and potential attacks.


Remediation:

1. Protect AWS Lambda Exposed to the Public:

AWS Management Console:
  • Navigate to the API Gateway service in the AWS Console.
  • Choose the API that is connected to your Lambda function.
  • In the navigation pane, choose Resource Policy.
  • Add policies that limit access based on source IP, user agent, AWS IAM roles, or other attributes to ensure only authorized entities can invoke the API.
  • Also add API keys, rate limiting, and the other security controls available within API Gateway to further protect your endpoint.

Terraform:

To protect an AWS Lambda function exposed via API Gateway using Terraform, attach a resource policy to the REST API, as in the following snippet:

resource "aws_api_gateway_rest_api" "my_api" {
  # ... other API configurations ...

  # Resource policy evaluated by API Gateway before a request reaches the Lambda integration.
  # The Resource ARN may also be written in the shorthand "execute-api:/*" so the
  # policy does not have to reference the API's own ID.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:region:account-id:api-id/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["disallowed-ip-address"]
        }
      }
    }
  ]
}
EOF
}

resource "aws_lambda_function" "my_function" {
  # ... Lambda configurations ...
}

resource "aws_api_gateway_integration" "lambda" {
  # ... Integration configurations ...
}

Replace disallowed-ip-address with the IP addresses or CIDR blocks you want to deny access to, and adjust the policy to your specific needs. A Deny statement like this blocks only the listed sources; every other caller can still invoke the API, so combine it with the API keys, IAM-based access conditions, and rate limiting described above.
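To find APIs that still match this finding, the following added check (not part of this page's remediation) inspects REST API configuration in the shape returned by boto3's apigateway get_rest_api() and get_method() calls; the sample data is constructed, and the rule for what counts as a restricting resource policy is an assumption of this example.

```python
import json
# Constructed sample input shaped like boto3's apigateway.get_rest_api() and
# get_method() results; nothing here calls AWS.
DENY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
    "Resource": "execute-api:/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})
LAMBDA_URI = ("arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/"
              "arn:aws:lambda:us-east-1:123456789012:function:demo/invocations")
def lambda_method(auth="NONE", key=False):
    return {"authorizationType": auth, "apiKeyRequired": key,
            "methodIntegration": {"type": "AWS_PROXY", "uri": LAMBDA_URI}}
SAMPLE = [
    ({"name": "orders-api", "policy": ""},
     [("/orders", "POST", lambda_method()), ("/orders", "GET", lambda_method(key=True))]),
    ({"name": "admin-api", "policy": DENY_POLICY.replace('"', '\\"')},
     [("/admin", "ANY", lambda_method())]),
]

def parse_policy(raw):
    # get_rest_api() returns 'policy' as a JSON string, often with escaped
    # quotes, so try it as-is and then an unescaped copy.
    raw = raw or ""
    for text in (raw, raw.replace('\\"', '"').replace('\\/', '/')):
        try:
            doc = json.loads(text)
            if isinstance(doc, dict):
                return doc
        except json.JSONDecodeError:
            pass
    return None

def policy_restricts_callers(policy):
    # Assumption: only statements scoped by a Condition (e.g. aws:SourceIp) or a
    # Principal narrower than "*" count as a control; no policy restricts nobody.
    return bool(policy) and any(
        st.get("Condition") or st.get("Principal", "*") not in ("*", {"AWS": "*"})
        for st in policy.get("Statement", []))

def method_is_open_lambda(method):
    integ = method.get("methodIntegration", {})
    is_lambda = integ.get("type") in ("AWS", "AWS_PROXY") and ":lambda:" in integ.get("uri", "")
    return (is_lambda and method.get("authorizationType", "NONE") == "NONE"
            and not method.get("apiKeyRequired", False))

def find_exposed_lambdas(apis):
    # apis: [(get_rest_api() dict, [(path, verb, get_method() dict), ...]), ...]
    # Flags Lambda-backed methods callable anonymously, without an API key, on
    # an API whose resource policy places no restriction on callers.
    return [(api["name"], verb, path) for api, methods in apis
            if not policy_restricts_callers(parse_policy(api.get("policy")))
            for path, verb, m in methods if method_is_open_lambda(m)]
```

With the sample above only the POST /orders method is reported: GET /orders requires an API key and admin-api carries the source-IP Deny policy from this page.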


Recommendation:

Always ensure that AWS Lambda functions exposed to the public are protected with adequate security measures. It's essential to combine multiple layers of security controls, such as resource policies, authentication mechanisms, rate limiting, and monitoring, to effectively mitigate potential risks. Regularly review the access patterns to your public endpoints and consider utilizing AWS WAF for an added layer of security against web threats.