Lambda Invocation Lockdown to Prevent Misconfiguration
Overview
This AWS Service Control Policy (SCP) is designed to prevent two specific Lambda function misconfigurations within the Workloads Organizational Unit (OU). The first statement ensures that a Lambda function's resource-based policy cannot be changed to allow invocation by any AWS customer. The second statement ensures that Lambda Function URLs can only be created or updated with AWS_IAM authentication, preventing unauthenticated access.
JSON Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventPublicLambdaPolicy",
            "Effect": "Deny",
            "Action": ["lambda:AddPermission"],
            "Resource": ["*"],
            "Condition": {
                "StringEquals": {
                    "lambda:Principal": ["*"]
                }
            }
        },
        {
            "Sid": "EnforceIAMAuthenticationForFunctionUrls",
            "Effect": "Deny",
            "Action": [
                "lambda:CreateFunctionUrlConfig",
                "lambda:UpdateFunctionUrlConfig"
            ],
            "Resource": "arn:*:lambda:*:*:function:*",
            "Condition": {
                "StringNotEquals": {
                    "lambda:FunctionUrlAuthType": "AWS_IAM"
                }
            }
        }
    ]
}
Explanation
Statements
- PreventPublicLambdaPolicy
  - Sid: "PreventPublicLambdaPolicy" - A unique identifier for this statement within the policy.
  - Effect: "Deny" - This statement denies the specified actions.
  - Action: lambda:AddPermission - Prevents adding a resource-based policy statement that would allow invocation by any AWS customer.
  - Resource: ["*"] - Applies to all Lambda functions.
  - Condition: StringEquals - The statement applies if lambda:Principal is "*", which represents all AWS accounts. StringEquals compares literally, so the "*" here is the character itself, not a wildcard.
- EnforceIAMAuthenticationForFunctionUrls
  - Sid: "EnforceIAMAuthenticationForFunctionUrls" - A unique identifier for this statement within the policy.
  - Effect: "Deny" - This statement denies the specified actions.
  - Action: lambda:CreateFunctionUrlConfig, lambda:UpdateFunctionUrlConfig - Covers both creating a Function URL and changing its authentication type afterwards.
  - Resource: arn:*:lambda:*:*:function:* - Applies to all Lambda functions. Lambda function ARNs have the form arn:aws:lambda:<region>:<account>:function:<name>, with a colon before the function name, so the pattern ends in function:* (which also covers versions and aliases, function:<name>:<qualifier>).
  - Condition: StringNotEquals - The statement applies if lambda:FunctionUrlAuthType is not "AWS_IAM", thereby enforcing IAM authentication.
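To see how the two statements evaluate against concrete API calls, the following is an added example, not PrimeHarbor's code and not an AWS library. It models a small subset of IAM policy evaluation (Deny statements only, the StringEquals and StringNotEquals operators, `*` and `?` wildcards in Action and Resource) and runs the SCP against constructed requests; the account id and function name are made up, and the Resource is written with Lambda's `function:` ARN form so that it matches function ARNs.

```python
"""Offline model of how this SCP's two Deny statements evaluate against requests.

Added example: this is not PrimeHarbor's code and not an AWS library.  It
implements a small subset of IAM policy evaluation (Deny statements only, the
StringEquals and StringNotEquals operators, '*' and '?' wildcards in Action and
Resource) so the guardrail can be exercised without an AWS account.  Real SCP
evaluation also needs an Allow (e.g. FullAWSAccess) for a call to succeed; an
"ALLOW" below only means the SCP does not block the call.
"""
import fnmatch

# The SCP from this page, as a Python dict.  Lambda function ARNs have the form
# arn:aws:lambda:<region>:<account>:function:<name> (colon before the name), so
# the Resource pattern ends in "function:*" to match them, including versions
# and aliases (function:<name>:<qualifier>).
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PreventPublicLambdaPolicy",
            "Effect": "Deny",
            "Action": ["lambda:AddPermission"],
            "Resource": ["*"],
            "Condition": {"StringEquals": {"lambda:Principal": ["*"]}},
        },
        {
            "Sid": "EnforceIAMAuthenticationForFunctionUrls",
            "Effect": "Deny",
            "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
            "Resource": "arn:*:lambda:*:*:function:*",
            "Condition": {"StringNotEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """Action/Resource matching: '*' and '?' are wildcards, everything else is literal."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Condition block semantics: every operator and every key must match (AND);
    within one key, any listed value may match (OR)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = _as_list(expected)
            actual = context.get(key)
            if operator == "StringEquals":
                # Literal comparison: "*" is the character, not a wildcard.  A key
                # missing from the request context never matches.
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent, so a
                # request that omits the key is still caught by the Deny.
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, context):
    """Return ("DENY", sid) for the first matching Deny statement, else ("ALLOW", None).

    Action names are case-insensitive in IAM; resource ARNs are compared as given.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _glob_match(actions, action.lower()):
            continue
        if not _glob_match(stmt["Resource"], resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return "DENY", stmt["Sid"]
    return "ALLOW", None


# Constructed sample requests (account id and function name are made up).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:orders-api"
SAMPLE_REQUESTS = [
    ("lambda:AddPermission", {"lambda:Principal": "*"}),
    ("lambda:AddPermission", {"lambda:Principal": "111122223333"}),
    ("lambda:AddPermission", {"lambda:Principal": "apigateway.amazonaws.com"}),
    ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
    ("lambda:CreateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "AWS_IAM"}),
    ("lambda:UpdateFunctionUrlConfig", {"lambda:FunctionUrlAuthType": "NONE"}),
    ("lambda:DeleteFunctionUrlConfig", {}),
]

if __name__ == "__main__":
    for action, context in SAMPLE_REQUESTS:
        verdict, sid = evaluate(SCP, action, FUNCTION_ARN, context)
        print(f"{action:32} {context!s:48} -> {verdict} {sid or ''}")
```

Two points the run makes visible: granting invoke to a specific account or to a service principal such as API Gateway passes the first statement, because only the literal principal "*" is denied; and a Function URL request that omits the auth type is still denied by the second statement, because negated operators match when the key is absent.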
When to Use This Policy
- Security Enforcement: Use this policy to prevent the misconfiguration of Lambda functions that could expose them to unauthorized access.
- Organizational Compliance: Ensures that Lambda functions within the Workloads OU comply with security best practices by enforcing strict access controls.
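An SCP only blocks future API calls; functions that were already invocable by everyone, or whose Function URL already uses AuthType NONE, stay that way until they are found and fixed. The following is an added example, not PrimeHarbor's code, that audits exported configuration for exactly the two states this SCP prevents. It works on the JSON shapes returned by `aws lambda get-policy` (the Policy field, itself a JSON string) and `aws lambda list-function-url-configs`, so it runs offline; the sample policy and URL configs are constructed, with made-up account ids, function names and URLs.

```python
"""Audit existing Lambda configuration for the two states this SCP prevents.

Added example, not PrimeHarbor's code: an SCP only blocks future API calls, so
functions that were already public, or whose Function URL already uses
AuthType NONE, stay that way until they are found and fixed.  The two checks
below operate on the JSON shapes that `aws lambda get-policy` (the Policy
field, itself a JSON string) and `aws lambda list-function-url-configs`
return, so they can run on exported data without credentials.
"""
import json


def _as_list(value):
    """IAM accepts a single string wherever a list of strings is allowed."""
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """A resource-policy Principal of "*" or {"AWS": "*"} grants to all AWS accounts."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_public_grants(policy_json):
    """Return (Sid, actions, has_condition) for each Allow statement whose Principal is everyone.

    has_condition is reported because the statement Lambda writes for a public
    Function URL (Principal "*", Action lambda:InvokeFunctionUrl, Condition
    lambda:FunctionUrlAuthType = NONE) is still public; only review decides
    whether other conditions (e.g. aws:SourceArn) narrow a grant enough.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            findings.append((stmt.get("Sid"), sorted(_as_list(stmt.get("Action", []))), "Condition" in stmt))
    return findings


def find_unauthenticated_urls(url_configs):
    """Return the FunctionArn of every Function URL that does not use AWS_IAM authentication."""
    return [c["FunctionArn"] for c in url_configs if c.get("AuthType") != "AWS_IAM"]


# Constructed sample data (account ids, function names and URLs are made up).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
         "Action": "lambda:InvokeFunctionUrl",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
         "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}},
        {"Sid": "AllowApiGateway", "Effect": "Allow", "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-api"},
        {"Sid": "AllowAnyAccount", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:orders-api"},
    ],
})
SAMPLE_URL_CONFIGS = [
    {"FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:orders-api",
     "FunctionUrl": "https://example-id.lambda-url.us-east-1.on.aws/", "AuthType": "NONE"},
    {"FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:admin-api",
     "FunctionUrl": "https://example-id-2.lambda-url.us-east-1.on.aws/", "AuthType": "AWS_IAM"},
]

if __name__ == "__main__":
    for sid, actions, conditional in find_public_grants(SAMPLE_POLICY):
        print(f"public grant {sid}: {actions} (conditional={conditional})")
    for arn in find_unauthenticated_urls(SAMPLE_URL_CONFIGS):
        print(f"unauthenticated Function URL on {arn}")
```

The service-principal grant to API Gateway is deliberately not reported: it is the normal way an API front end invokes a function and is exactly what the SCP's first statement still permits.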
Benefits
- Enhanced Security: Prevents public access to Lambda functions, reducing the risk of unauthorized invocation.
- Controlled Access: Ensures that Lambda Function URLs use IAM authentication, thereby restricting access to authorized users only.
- Compliance: Helps maintain organizational compliance with security policies by enforcing consistent configuration standards.
Potential Drawbacks
- Restricted Flexibility: May limit the ability of developers to configure Lambda functions in certain ways, potentially requiring exceptions for specific use cases.
- Management Overhead: Requires ongoing management to ensure that the policy conditions and exceptions are appropriately maintained.
Summary
This SCP is essential for maintaining the security and integrity of Lambda functions within your Workloads OU. By preventing public access and enforcing IAM authentication for Lambda Function URLs, it ensures that your functions are protected against unauthorized access and potential security breaches. Regularly review and update the policy to ensure it aligns with your evolving organizational requirements and security practices.
Sources
- PrimeHarbor