AWS Lambda Function is Not Publicly Exposed

Description:

AWS Lambda functions by default are not exposed directly to the public internet. However, when integrated with services like Amazon API Gateway or Application Load Balancer, they can be publicly accessible. Public exposure without appropriate security measures can lead to a range of threats, including unauthorized access, data breaches, and potential misuse of the function. It is crucial to ensure that any exposure of a Lambda function is intentional and adequately secured.
Remediation:

1. Verify and Restrict Public Exposure:

AWS Management Console:
  • Navigate to the Lambda service in the AWS Console.
  • Choose the Lambda function you want to check.
  • Under the Configuration tab, look for the Triggers section to see what AWS services or resources are invoking your function.
  • If the function is triggered by an API Gateway or Application Load Balancer:
    • Navigate to the respective service in the AWS Console.
    • Review the associated resource policies, security groups, and access controls.
    • Ensure that there are appropriate authentication and authorization mechanisms in place. If public exposure is unintentional, consider removing the trigger or tightening access controls.

AWS CLI:

To list the event source mappings (triggers) for a Lambda function:

aws lambda list-event-source-mappings --function-name YOUR_LAMBDA_FUNCTION_NAME

Examine the returned sources and, if necessary, modify or delete inappropriate or insecure mappings using the AWS CLI commands for the respective services (like API Gateway or Application Load Balancer).
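The CLI command above lists event source mappings, which cover poll-based sources such as SQS and Kinesis; API Gateway, Application Load Balancer and function-URL invocations are instead granted through the function's resource-based policy, returned by `aws lambda get-policy`. The Python below is an added example, not part of the original page: it parses that command's output and flags statements that expose the function, using a constructed sample policy with placeholder ARNs.

```python
import json

# Service principals that place a Lambda function behind an internet-facing endpoint.
INTERNET_FACING = {"apigateway.amazonaws.com": "API Gateway",
                   "elasticloadbalancing.amazonaws.com": "Application Load Balancer"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    # Principal is either the string "*" or a map such as {"Service": "..."} or {"AWS": [...]}.
    principal = stmt.get("Principal", {})
    return [principal] if isinstance(principal, str) else [
        p for values in principal.values() for p in _as_list(values)]

def find_exposures(get_policy_output):
    """Return (Sid, reason) pairs for Allow statements that expose the function. The argument
    is the dict printed by `aws lambda get-policy`; "Policy" is a JSON-encoded policy document."""
    document = json.loads(get_policy_output["Policy"])
    findings = []
    for stmt in _as_list(document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        condition = stmt.get("Condition", {})
        url_auth = condition.get("StringEquals", {}).get("lambda:FunctionUrlAuthType")
        for principal in _principals(stmt):
            if principal in INTERNET_FACING:
                findings.append((stmt.get("Sid"), f"invokable through {INTERNET_FACING[principal]}"))
            elif principal == "*" and "lambda:InvokeFunctionUrl" in actions and url_auth == "NONE":
                findings.append((stmt.get("Sid"), "function URL allows unauthenticated invocation"))
            elif principal == "*" and not condition:
                findings.append((stmt.get("Sid"), "anonymous principal with no Condition"))
    return findings

# Constructed sample in the shape `aws lambda get-policy` prints; ARNs are placeholders.
FUNCTION_ARN = "arn:aws:lambda:REGION:ACCOUNT_ID:function:EXAMPLE"
SAMPLE_GET_POLICY = {"RevisionId": "PLACEHOLDER", "Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ApiGwInvoke", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/*/*/*"}}},
        {"Sid": "PublicUrl", "Effect": "Allow", "Principal": "*", "Action": "lambda:InvokeFunctionUrl",
         "Resource": FUNCTION_ARN, "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
        {"Sid": "SnsInvoke", "Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    ],
})}
```

To check a real function, load the JSON printed by `aws lambda get-policy --function-name YOUR_LAMBDA_FUNCTION_NAME` and pass it to find_exposures; an empty result means no internet-facing or anonymous invoke grant was found in the policy.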

Terraform:

In your Terraform configurations, check for any integrations between the Lambda function and potential exposure points like API Gateway or Application Load Balancer.

If identified, ensure appropriate access controls are set in the configuration:

resource "aws_lambda_function" "example" {
  # ... other Lambda configurations ...
}

resource "aws_api_gateway_rest_api" "example" {
  # Ensure proper authorization, authentication, and resource policies are applied
  # ... other API Gateway configurations ...
}

Recommendation:

Ensure that Lambda functions are not unintentionally exposed to the public. When a public exposure is required, always use robust authentication and authorization mechanisms, such as API keys, IAM policies, or third-party solutions. Regularly review your Lambda triggers and associated services to detect and rectify any unintended exposures. Consider using tools like AWS Config or third-party security solutions to automatically detect and notify you of such exposures.