Ensure Lambda Function is not exposed to everyone


Identify any publicly accessible AWS Lambda functions and update their resource-based access policy so that unauthorized users cannot send requests that invoke these functions.


Using AWS CLI:

1. First, run the remove-permission command (OSX/Linux/UNIX) to remove the permission statement that allows anonymous access from the resource policy associated with the selected Lambda function, providing the statement ID that was given when the permission was added.

Eg: aws lambda remove-permission --region us-east-1 --function-name TestFunction --statement-id lc-25aa93f6-3e17-4f0f-864c-b292e262d137

2. Run the add-permission command (OSX/Linux/UNIX) to add a new permission statement to the resource policy associated with the selected Lambda function that allows invocation access only to a specified (trusted) AWS account. The trusted AWS account is provided as the value of the --principal parameter. The --principal parameter can also hold the AWS S3 service principal (i.e. if you want Amazon S3 to invoke the selected function) or any valid AWS service principal such as
Eg: aws lambda add-permission --region us-east-1 --function-name TestFunction --statement-id lc-70fe33f5-de44-4f0e-9a4c-c382e262d221 --principal 123456789012 --action lambda:InvokeFunction

3. The command output should return the new policy statement added to the selected AWS Lambda function:
{
    "Statement": "{\"Sid\":\"lc-70fe33f5-de44-4f0e-9a4c-c382e262d221\"
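Before running step 1 you need the statement ID of the anonymous grant. The following added example (not part of the original page) parses the JSON that `aws lambda get-policy` returns and lists the Sids of Allow statements whose Principal is everyone ("*" or {"AWS": "*"}) and that carry no Condition; those are the IDs to pass to remove-permission. The sample policy is constructed here and reuses the statement IDs and account number from the commands above.

```python
import json

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:TestFunction"

# Constructed stand-in for `aws lambda get-policy` output; the "Policy" field
# is a JSON document serialized as a string, which is how the CLI returns it.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "lc-25aa93f6-3e17-4f0f-864c-b292e262d137",  # anonymous invoke (step 1 removes it)
         "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "lc-70fe33f5-de44-4f0e-9a4c-c382e262d221",  # trusted account (step 2 adds it)
         "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
        {"Sid": "s3-trigger",  # service principal narrowed by a Condition: not anonymous
         "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
         "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    ]}),
    "RevisionId": "constructed-revision-id",
})


def is_wildcard_principal(principal):
    """True if the Principal grants to everyone: "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def find_anonymous_statements(get_policy_output):
    """Return Sids of Allow statements open to everyone with no Condition.
    Wildcard statements that do carry a Condition are skipped; review them manually."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [s.get("Sid") for s in statements
            if s.get("Effect") == "Allow"
            and is_wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]


if __name__ == "__main__":
    for sid in find_anonymous_statements(SAMPLE_GET_POLICY_OUTPUT):
        print(f"anonymous access granted by statement {sid}; remove it with remove-permission")
```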