Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access. Before this rule is run by the Trend Micro Cloud One™ – Conformity engine, the list of trusted AWS account identifiers must be configured in the rule settings, on your Conformity account console. Conformity tracks Amazon Lambda permission policies (also known as resource-based policies) and alerts if a function can be invoked from a foreign AWS cloud account (unless that account has been explicitly specified within the rule settings as a trusted account).
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Allowing unknown (unauthorized) AWS accounts to invoke your Amazon Lambda functions can lead to data exposure, data loss, and unexpected charges on your AWS monthly bill. To prevent any unauthorized invocation requests for your Lambda functions, restrict access only to trusted entities by implementing the appropriate permissions policies.
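As an added illustration (not part of the Conformity rule or its console), the check below parses the policy document that `aws lambda get-policy` returns in its "Policy" field and reports each Allow statement whose principal falls outside your own account and the trusted list. The policy, account ids and ARNs are constructed for the example; service principals (such as the SNS trigger mentioned in the references) are resolved through their aws:SourceArn / aws:SourceAccount condition and are reported as open to any account when that scoping is absent.

```python
import json
import re
# Constructed sample of the JSON returned in the "Policy" field of `aws lambda get-policy`; ids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "own-account", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "partner", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "arn:aws:iam::333333333333:user/bob"]}},
    {"Sid": "sns-trigger", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:us-east-1:444444444444:alerts"}}},
    {"Sid": "public", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Principal": "*"},
]})
# arn:partition:service:region:account-id:resource -> capture the 12-digit account id
ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_of(value):
    """Map a bare account id or an ARN to its account id; anything unresolvable counts as '*'."""
    if value.isdigit() and len(value) == 12:
        return value
    match = ACCOUNT_RE.match(value)
    return match.group(1) if match else "*"

def statement_accounts(stmt):
    """Account ids a single statement lets invoke the function ('*' means any account)."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict) or principal.get("AWS") == "*":
        return {"*"}  # "Principal": "*" or {"AWS": "*"} is anonymous access
    accounts = {_account_of(p) for p in _as_list(principal.get("AWS", []))}
    if "Service" in principal:
        # A service principal is tied to an account only via a source condition; without one,
        # any account's SNS topic (for example) could be subscribed to this function.
        sources = [v for ops in stmt.get("Condition", {}).values()
                   for key, val in ops.items() for v in _as_list(val)
                   if key.lower() in ("aws:sourcearn", "aws:sourceaccount")]
        accounts |= {_account_of(s) for s in sources} if sources else {"*"}
    return accounts

def untrusted_statements(policy_json, own_account, trusted_accounts):
    """Return (Sid, foreign accounts) for every Allow statement that reaches outside the trusted set."""
    allowed = set(trusted_accounts) | {own_account}
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        foreign = sorted(a for a in statement_accounts(stmt) if a not in allowed)
        if stmt.get("Effect") == "Allow" and foreign:
            findings.append((stmt.get("Sid", "<no Sid>"), foreign))
    return findings
```

Running it against a real function means passing the "Policy" string from `aws lambda get-policy --function-name <name>` together with your account id and the trusted list you configured in the rule settings.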
To determine if there are any Amazon Lambda functions that allow unknown cross-account access in your AWS account, perform the following actions:
Remediation / Resolution
To update the resource-based policies associated with your Amazon Lambda functions in order to allow function invocation from trusted AWS accounts only, perform the following actions:
- AWS Documentation
- Getting started with Lambda
- Using resource-based policies for AWS Lambda
- Using AWS Lambda with Amazon SNS
- AWS Command Line Interface (CLI) Documentation
- AWS Blog(s)
- Easy Authorization of AWS Lambda Functions
Rule: Unknown Cross-Account Access
Risk level: High