Securing AWS Lambda Functions: Preventing Public Access with Terragrunt and Manual Procedures


Introduction:-

Lambda function policies in #AWS IAM are used to control access to Lambda functions. Prohibiting public access to Lambda functions is an important security measure that helps prevent unauthorized access and potential data breaches.

Issues: This control checks whether the #AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access, the control fails.

General steps to follow: create a folder named iam, create a file named terragrunt.hcl inside it, and paste the code below into that file. You can refer to the Terraform module linked below.

Reference: Terraform Registry, registry.terraform.io

This is an example reference; add all the necessary values to the code before applying it.

# terragrunt.hcl

terraform {
  # Terragrunt needs the tfr:/// form to fetch a registry module; the iam-policy
  # submodule is the one that accepts the name and policy inputs used below.
  # Replace <module-version> with the module version you have tested.
  source = "tfr:///terraform-aws-modules/iam/aws//modules/iam-policy?version=<module-version>"
}
include {
  path = find_in_parent_folders()
}
inputs = {
  name   = "lambda-function-policy"
  # Replace every <placeholder> with your own region, account ID, function name and VPC ID.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyPublicAccess"
        Effect    = "Deny"
        Principal = "*"
        Action = [
          "lambda:GetFunction",
          "lambda:InvokeFunction"
        ]
        Resource = [
          "arn:aws:lambda:<region>:<account-id>:function:<function-name>",
          "arn:aws:lambda:<region>:<account-id>:function:<function-name>:*"
        ]
        # Deny applies to any request that does not originate from the listed VPC.
        Condition = {
          StringNotEquals = {
            "aws:sourceVpc" = "<vpc-id>"
          }
        }
      }
    ]
  })
}

After pasting this code into the file, save it and open a terminal. Enter the first command, terragrunt init, to initialize. After initialization, enter the second command, terragrunt plan. When the plan executes successfully, enter the third command, terragrunt apply. Once apply finishes, the configuration is in place and visible in your AWS Lambda console.

Follow these steps to set up the Lambda function manually:

To view the resource-based policy for a Lambda function:

  1. Open the #AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. In the navigation pane, choose Functions.

  3. Choose the function.

  4. Choose Permissions. The resource-based policy shows the permissions that are applied when another account or #AWS service attempts to access the function.

  5. Examine the resource-based policy. Identify the policy statement that has Principal field values that make the policy public. For example, allowing "*" or { "AWS": "*" }.

  6. You cannot edit the policy from the console. To remove permissions from the function, you use the remove-permission command from the AWS CLI.

Note the value of the statement ID (Sid) for the statement that you want to remove.
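As an added example (not part of the original post), steps 5 and 6 done programmatically: parse the output of `aws lambda get-policy`, flag statements whose Principal is "*" or { "AWS": "*" }, and build the matching remove-permission commands from their Sids. The policy, function name and ARNs are constructed sample data; treating a statement that carries a Condition as scoped rather than public is an assumption.

```python
import json

FN_ARN = "arn:aws:lambda:us-east-1:123456789012:function:demo"  # constructed
# Constructed sample of `aws lambda get-policy` output: "Policy" is a JSON string.
SAMPLE_GET_POLICY_OUTPUT = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            # public: any caller may invoke and no Condition narrows the grant
            {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
             "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
            # the same grant written in the {"AWS": "*"} form
            {"Sid": "PublicInvokeAwsForm", "Effect": "Allow",
             "Principal": {"AWS": "*"},
             "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
            # service principal scoped by SourceArn: treated as not public
            {"Sid": "S3Trigger", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"},
             "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
             "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::demo-bucket"}}},
        ],
    }),
    "RevisionId": "constructed-revision-id",
}

def is_public_principal(principal) -> bool:
    """True for the Principal forms step 5 calls public: "*" or {"AWS": "*"}."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def find_public_statements(get_policy_output: dict) -> list:
    """Sids of Allow statements with a public Principal and no Condition
    (assumption: a Condition such as AWS:SourceArn scopes the grant)."""
    policy = json.loads(get_policy_output["Policy"])
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    return [s["Sid"] for s in statements
            if s.get("Effect") == "Allow"
            and is_public_principal(s.get("Principal"))
            and not s.get("Condition")]

def remove_permission_commands(function_name: str, sids: list) -> list:
    """The `aws lambda remove-permission` calls step 6 tells you to run."""
    return [f"aws lambda remove-permission --function-name {function_name} "
            f"--statement-id {sid}" for sid in sids]
```

Run find_public_statements on the real get-policy output for your function, review the returned Sids, then execute the generated commands and re-check the policy as described in the verification steps.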

To verify that the permissions are updated:

  1. Open the AWS Lambda console at https://console.aws.amazon.com/lambda/.

  2. In the navigation pane, choose Functions.

  3. Choose the function that you updated.

  4. Choose Permissions.

  5. The resource-based policy should be updated. If there was only one statement in the policy, then the policy is empty.

Conclusion:-

Enforcing a policy that prohibits public access to #Lambda functions in AWS IAM is an effective way to improve the security of your #AWS infrastructure. This policy helps prevent unauthorized access to sensitive data and mitigates the risk of data breaches.