Add policy for AWS Lambda publicly accessible #1469


spectruni
Contributor

Background

This enables identifying any publicly accessible Amazon Lambda functions in order to protect against unauthorized access that would allow anonymous invocation of these functions.

Changes

Added a new policy, AWS.Lambda.PublicAccess, to validate that the policy attached to the Lambda function prohibits public access

Testing

  • AWS Lambda Public Access (expected to Fail): tests a function publicly accessible (Principal is {"AWS":"*"}, effect is Allow and no Condition clause)
  • AWS Lambda Condition for Access (expected to Pass): tests a function not publicly accessible (Principal is {"AWS":"*"}, effect is Allow but Condition clause is specified)
  • AWS Lambda Effect Not Allow (expected to Pass): tests a function not publicly accessible (Principal is {"AWS":"*"}, but effect is Block)
  • AWS Lambda Principal Specified (expected to Pass): tests a function not publicly accessible (Principal is neither {"AWS":"*"} nor *, effect is Allow and Condition clause is specified)

@spectruni spectruni requested a review from a team as a code owner January 13, 2025 14:20
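
The decision logic implied by the four test cases in the description above, as an added example that is not the code from this pull request or from the project. The function names, the sample policies, the account ID and the function ARN are constructed for illustration, and handling a list-valued `AWS` principal goes slightly beyond the cases listed.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # Matches the two forms named in the PR: "*" and {"AWS": "*"} (also the list form).
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def is_public(policy_document):
    """True if a statement allows a wildcard principal with no Condition."""
    if isinstance(policy_document, str):  # resource policies often arrive as JSON text
        policy_document = json.loads(policy_document)
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard(stmt.get("Principal")):
            continue
        # As in the PR's test cases, any Condition counts as a restriction;
        # this check does not judge whether the Condition is actually narrow.
        if not stmt.get("Condition"):
            return True
    return False

def _stmt(principal, effect="Allow", condition=None):
    s = {"Effect": effect, "Principal": principal,
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example"}
    if condition:
        s["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [s]}

COND = {"StringEquals": {"aws:SourceAccount": "123456789012"}}
# Constructed sample policies, one per test case listed in the PR description.
SAMPLES = {
    "Public Access": _stmt({"AWS": "*"}),
    "Condition for Access": _stmt({"AWS": "*"}, condition=COND),
    "Effect Not Allow": _stmt({"AWS": "*"}, effect="Deny"),
    "Principal Specified": _stmt({"AWS": "arn:aws:iam::123456789012:root"}, condition=COND),
}

def evaluate_samples():
    # Policy result per sample: True = passes (not public), False = fails.
    return {name: not is_public(doc) for name, doc in SAMPLES.items()}

if __name__ == "__main__":
    for name, passed in evaluate_samples().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```
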
Contributor

@arielkr256 arielkr256 left a comment

Overall looks great! Left some suggestions around deep_get

@spectruni spectruni requested a review from arielkr256 January 20, 2025 09:52
@arielkr256 arielkr256 added the policies Real-time misconfiguration detections label Jan 24, 2025
Contributor

@arielkr256 arielkr256 left a comment

Looks great, thank you @spectruni !

@arielkr256 arielkr256 merged commit ffbe748 into panther-labs:develop Jan 24, 2025
6 checks passed
le4ker pushed a commit that referenced this pull request Jan 28, 2025
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>