AWS Lambda Using Administrative Privileges

Description:

AWS Lambda runs code without provisioning servers; every AWS API call the code makes uses temporary credentials for the IAM execution role attached to the function. A function is running with administrative privileges when that execution role has the AdministratorAccess managed policy, or an equivalent (an Allow on Action "*" for Resource "*", whether in a managed or an inline policy), attached. Lambda exposes the role's credentials to the function code through the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables, so a code-injection bug, a compromised dependency, or any principal allowed to update the function's code or configuration inherits full control of the account; an honest bug in the function can likewise modify or delete resources far outside its intended scope.


Remediation:

1. Restrict Lambda Permissions:

AWS Management Console:
  • Navigate to the Lambda service in the AWS Console.
  • Choose the Lambda function in question.
  • Open the Configuration tab, then Permissions; the Execution role section names the IAM role the function assumes.
  • Click on the role's name. This opens the role in the IAM console.
  • Review both the attached managed policies and any inline policies. If AdministratorAccess, or any policy whose statements allow Action "*" on Resource "*", is present, detach it (delete it, if inline).
  • Attach a more restrictive policy that grants only what the function needs, keeping the CloudWatch Logs permissions it uses to write its logs (the AWSLambdaBasicExecutionRole managed policy, or an equivalent scoped to the function's log group).
AWS CLI:
# Retrieve the execution role ARN of the Lambda function
aws lambda get-function-configuration --function-name YOUR_LAMBDA_FUNCTION_NAME --query 'Role' --output text
# The IAM commands below take the role name, i.e. the part of the ARN after "role/", not the ARN

# List attached managed policies for the role
aws iam list-attached-role-policies --role-name YOUR_ROLE_NAME_FROM_PREVIOUS_OUTPUT

# Inline policies are not included above; list them and read each document
aws iam list-role-policies --role-name YOUR_ROLE_NAME
aws iam get-role-policy --role-name YOUR_ROLE_NAME --policy-name INLINE_POLICY_NAME

# Attach the more restrictive policy first, so the function never runs without the permissions it needs
aws iam attach-role-policy --role-name YOUR_ROLE_NAME --policy-arn ARN_OF_THE_RESTRICTED_POLICY

# Then detach overly permissive managed policies (for AdministratorAccess the ARN is arn:aws:iam::aws:policy/AdministratorAccess)
aws iam detach-role-policy --role-name YOUR_ROLE_NAME --policy-arn ARN_OF_THE_POLICY_TO_DETACH

# and delete any inline policy that grants the same
aws iam delete-role-policy --role-name YOUR_ROLE_NAME --policy-name INLINE_POLICY_NAME
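
The CLI commands above tell you which policies are attached; deciding whether a customer-managed or inline document is admin-equivalent still means reading its statements. The following is an added example, not code from the original page or from AWS, that does that reading offline on documents already fetched with `aws iam get-policy-version` and `aws iam get-role-policy`. The role ARN, policy names and sample documents are constructed for illustration, and the list of escalation actions is an assumed, illustrative subset.

```python
"""Offline triage of the IAM policies attached to a Lambda execution role.

Added example, not part of the original page or of any AWS tooling. It inspects
policy documents already pulled with `aws iam get-policy-version` (managed) and
`aws iam get-role-policy` (inline), so it runs without AWS access. The ARNs and
sample documents below are constructed for illustration.
"""
from typing import Any, Dict, List

# Actions that do not spell "*" but still let the holder grant themselves anything.
# Assumption: an illustrative subset of well-known privilege-escalation actions,
# kept lower-case because IAM action names are compared case-insensitively.
ESCALATION_ACTIONS = {
    "iam:*", "iam:attachrolepolicy", "iam:putrolepolicy", "iam:createpolicyversion",
    "iam:setdefaultpolicyversion", "iam:passrole", "sts:assumerole",
}


def role_name_from_arn(role_arn: str) -> str:
    """arn:aws:iam::123456789012:role/path/name -> 'name' (what --role-name expects)."""
    if ":role/" not in role_arn:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return role_arn.rsplit("/", 1)[1]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a bare string, or a single statement object, where a list is allowed."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def classify_statement(stmt: Dict[str, Any]) -> str:
    """Return 'admin', 'escalation', 'review' or '' for one policy statement."""
    if stmt.get("Effect") != "Allow":
        return ""
    # Resource "*" (or any NotResource) means the grant is not scoped to named resources.
    if "*" not in _as_list(stmt.get("Resource")) and "NotResource" not in stmt:
        return ""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    # NotAction grants everything except what is listed, so it is admin-equivalent
    # even though no "*" appears for a grep to catch.
    if "NotAction" in stmt or "*" in actions or "*:*" in actions:
        kind = "admin"
    elif any(a in ESCALATION_ACTIONS for a in actions):
        kind = "escalation"
    else:
        return ""
    # A Condition (MFA, source VPC, ...) may neuter the grant; hand those to a human.
    return "review" if stmt.get("Condition") else kind


def classify_policy(document: Dict[str, Any]) -> str:
    """Worst finding across a policy document: admin > escalation > review > ''."""
    rank = {"": 0, "review": 1, "escalation": 2, "admin": 3}
    kinds = [classify_statement(s) for s in _as_list(document.get("Statement"))]
    return max(kinds, key=rank.__getitem__, default="")


def audit_role(role_arn: str, policies: Dict[str, Dict[str, Any]]) -> Dict[str, Any]:
    """policies maps a policy name to its document (managed and inline alike)."""
    report: Dict[str, Any] = {"role_name": role_name_from_arn(role_arn),
                              "admin": [], "escalation": [], "review": []}
    for name, document in policies.items():
        kind = classify_policy(document)
        if kind:
            report[kind].append(name)
    return report


# Constructed samples. The first is what the AdministratorAccess managed policy contains.
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "AdministratorAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Inline policy written as a single statement object, admin-equivalent via NotAction.
    "inline-everything-but-orgs": {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"}},
    "iam-self-service": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:PutRolePolicy"], "Resource": "*"}]},
    "admin-if-mfa": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]},
    # Least-privilege shape for a function that writes its logs and uses one table.
    "order-processor": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-processor:*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}]},
}

if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/service-role/order-processor-role"
    print(audit_role(role, SAMPLE_POLICIES))
```

Run it as a script to see the report for the constructed samples; in practice, feed audit_role the documents returned for your role. Anything under admin is the finding this page describes; escalation entries (iam:PutRolePolicy on Resource "*", for example) are not AdministratorAccess by name but let the function grant itself the same, and review entries carry a Condition a human should read before deciding.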
Terraform:

For existing infrastructure, import the role into your Terraform state (terraform import aws_iam_role.example YOUR_ROLE_NAME; the import ID is the role name) and adjust its attachments there. For new setups, or when adjusting the existing configuration:

resource "aws_lambda_function" "example" {
  # ... other Lambda configurations ...

  role = aws_iam_role.example.arn
}

resource "aws_iam_role" "example" {
  name = "example-lambda-role"

  # Trust policy: only the Lambda service may assume this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "lambda.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  # Replace with your restrictive policy ARN. The "::aws:" account field is reserved for
  # AWS-managed policies; a customer-managed policy carries your account ID, or can be
  # referenced from its own resource as aws_iam_policy.example.arn.
  policy_arn = "arn:aws:iam::aws:policy/YourRestrictivePolicy"
}

Define the restrictive policy (YourRestrictivePolicy) in AWS or in Terraform with only the permissions the function needs, plus the CloudWatch Logs permissions it uses to write its logs, and make sure no other attachment or inline aws_iam_role_policy on the role still grants AdministratorAccess or an equivalent.


Recommendation:

Adhere to the principle of least privilege when defining permissions. For Lambda:

  1. Start with the minimum: the CloudWatch Logs permissions the function needs to write its own logs, and nothing else.
  2. Add only the actions and resources the function's operation actually requires, on a dedicated execution role per function so one function's needs do not widen another's permissions.
  3. Audit IAM roles and their attached and inline policies regularly; a role that was least-privilege at deployment drifts as features are added.
  4. For critical or high-risk functions, add monitoring and alerting. CloudTrail records every API call made with the execution role's credentials, and a CloudWatch Logs metric filter or EventBridge rule on those events (for example any iam: or sts: call made under the function's role) can flag the function, or someone holding its credentials, stepping outside its intended behavior.
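
Item 4 in practice means watching what the execution role actually does. Every API call a function makes with its role credentials lands in CloudTrail, and the following added example, not from the original page or from AWS, replays constructed CloudTrail records and reports calls made under a function's role that fall outside the actions its least-privilege policy is meant to allow. The role names, account ID, IP addresses and user agents in the samples are constructed.

```python
"""Flag API calls made under a Lambda execution role that the function should never make.

Added example, not part of the original page or of any AWS tooling. It runs over
CloudTrail records already exported (for example from the CloudWatch Logs group a
trail delivers to), so it needs no AWS access; every record, ARN, IP address and
user agent below is constructed. Two real CloudTrail properties make it work:
calls made with role credentials have userIdentity.type "AssumedRole" with the role
in sessionContext.sessionIssuer.arn, and Lambda uses the function name as the role
session name, so userIdentity.arn ends in "assumed-role/<role-name>/<function-name>".
"""
from typing import Any, Dict, List, Optional, Set, Tuple


def caller(record: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """(role name, session name) for an assumed-role call, None for anything else."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    issuer_arn = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return issuer_arn.rsplit("/", 1)[-1], ident.get("arn", "").rsplit("/", 1)[-1]


def iam_action(record: Dict[str, Any]) -> str:
    """eventSource + eventName as an IAM-style action, e.g. dynamodb:GetItem.

    Caveat: a few services use an IAM prefix that differs from their eventSource
    (monitoring.amazonaws.com is cloudwatch:*), so list both spellings where needed.
    """
    return f"{record['eventSource'].split('.', 1)[0]}:{record['eventName']}"


def unexpected_calls(records: List[Dict[str, Any]], role_name: str,
                     allowed: Set[str]) -> List[Dict[str, Any]]:
    """Calls made under role_name whose action is not in the function's allow-list."""
    hits = []
    for rec in records:
        who = caller(rec)
        if who is None or who[0] != role_name:
            continue
        action = iam_action(rec)
        if action not in allowed:
            hits.append({"time": rec["eventTime"], "session": who[1], "action": action,
                         "sourceIP": rec.get("sourceIPAddress"),
                         "userAgent": rec.get("userAgent")})
    return hits


def _record(time: str, source: str, name: str, role: str, session: str,
            ip: str, agent: str) -> Dict[str, Any]:
    """Build a minimal constructed CloudTrail record in the shape the service emits."""
    acct = "123456789012"
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {
                "type": "AssumedRole",
                "arn": f"arn:aws:sts::{acct}:assumed-role/{role}/{session}",
                "sessionContext": {"sessionIssuer": {
                    "type": "Role", "arn": f"arn:aws:iam::{acct}:role/{role}"}}}}


ROLE = "order-processor-role"
# Mirrors the least-privilege policy the function is supposed to run with.
ALLOWED = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
           "dynamodb:GetItem", "dynamodb:PutItem"}
FN_UA = "Boto3/1.34.0 exec-env/AWS_Lambda_python3.12"  # constructed user agent
SAMPLE_RECORDS = [
    _record("2024-05-01T10:00:01Z", "dynamodb.amazonaws.com", "GetItem",
            ROLE, "order-processor", "203.0.113.10", FN_UA),
    _record("2024-05-01T10:00:02Z", "logs.amazonaws.com", "PutLogEvents",
            ROLE, "order-processor", "203.0.113.10", FN_UA),
    # The function's role grants itself AdministratorAccess: the case this page warns about.
    _record("2024-05-01T10:00:07Z", "iam.amazonaws.com", "AttachRolePolicy",
            ROLE, "order-processor", "203.0.113.10", FN_UA),
    # Same role session name, but from the AWS CLI on an outside address: the function's
    # environment credentials being reused somewhere they should never be.
    _record("2024-05-01T11:42:19Z", "sts.amazonaws.com", "GetCallerIdentity",
            ROLE, "order-processor", "198.51.100.23", "aws-cli/2.15.30"),
    # Another function's traffic is out of scope for this role.
    _record("2024-05-01T10:00:09Z", "s3.amazonaws.com", "GetObject",
            "report-builder-role", "report-builder", "203.0.113.10", FN_UA),
]

if __name__ == "__main__":
    for hit in unexpected_calls(SAMPLE_RECORDS, ROLE, ALLOWED):
        print(hit)
```

The allow-list is the same set of actions the function's least-privilege policy grants, so anything this reports is either the policy being wrong or the role being used for something it was never meant to do; the source IP and user agent in each hit are what distinguish the second sample finding (credentials reused from a workstation) from the first (the function itself misbehaving).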