AWS_Lambda_2
Identify any publicly accessible AWS Lambda functions and update their access policy (the function's resource policy) so that unauthorized users cannot send requests to invoke these functions.
Using AWS CLI:
1. First, run the remove-permission command (OSX/Linux/UNIX) to remove the permission statement that allows anonymous access from the resource policy associated with the selected Lambda function, providing the statement ID that was given when the permission was added.
Eg: aws lambda remove-permission --region us-east-1 --function-name TestFunction --statement-id lc-25aa93f6-3e17-4f0f-864c-b292e262d137
2. Run the add-permission command (OSX/Linux/UNIX) to add a new permission statement to the resource policy associated with the selected Lambda function that allows invocation access only to a specified (trusted) AWS account. The trusted AWS account is provided as the value of the --principal parameter. The --principal parameter can also hold the AWS S3 service principal (i.e. s3.amazonaws.com) if you want Amazon S3 to invoke the selected function, or any other valid AWS service principal such as sns.amazonaws.com.
Eg: aws lambda add-permission --region us-east-1 --function-name TestFunction --statement-id lc-70fe33f5-de44-4f0e-9a4c-c382e262d221 --principal 123456789012 --action lambda:InvokeFunction
3. The command output should return the new policy statement added to the selected AWS Lambda function:
{ "Statement": "{\"Sid\":\"lc-70fe33f5-de44-4f0e-9a4c-c382e262d221\"
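As an added triage helper (not part of the original rule text), the following Python parses a constructed sample of `aws lambda get-policy` output, in which the resource policy is a JSON string inside the Policy field, flags the statements that grant lambda:InvokeFunction to a wildcard principal with no restricting Condition, and emits the remove-permission command from step 1 for each. The account 111122223333, the bucket name and the non-lc statement IDs are constructed sample values.

```python
import json
# Constructed sample of `aws lambda get-policy` output; the Policy field is itself a JSON string.
SAMPLE_GET_POLICY = json.dumps({"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "lc-25aa93f6-3e17-4f0f-864c-b292e262d137", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction",  # anonymous invoke: this is the public statement
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:TestFunction"},
    {"Sid": "s3-trigger", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction",  # service principal pinned to one bucket: not public
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:TestFunction",
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}}},
    {"Sid": "scoped-wildcard", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction",  # wildcard but limited to one source account: not public
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:TestFunction",
     "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
]}), "RevisionId": "constructed-revision-id"})

def _is_wildcard_principal(principal) -> bool:
    """True for "*" or an AWS principal entry containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statement_ids(get_policy_output: str) -> list[str]:
    """Sids of Allow statements that let any caller invoke the function."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    public = []
    for st in statements:
        actions = [st.get("Action")] if isinstance(st.get("Action"), str) else st.get("Action", [])
        if (st.get("Effect") == "Allow"
                and _is_wildcard_principal(st.get("Principal"))
                and any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in actions)
                and not st.get("Condition")):  # any Condition narrows who may invoke
            public.append(st["Sid"])
    return public

def remediation_commands(get_policy_output: str, function_name: str, region: str) -> list[str]:
    """The remove-permission command from step 1 for each public statement found."""
    return [f"aws lambda remove-permission --region {region} --function-name {function_name}"
            f" --statement-id {sid}" for sid in public_statement_ids(get_policy_output)]

if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_GET_POLICY, "TestFunction", "us-east-1"):
        print(cmd)
```

Against live output, pipe `aws lambda get-policy --function-name <name>` into `public_statement_ids` and review each flagged Sid before removing it, since a wildcard principal with no Condition is the only pattern treated as public here.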