-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
restore awslambda_function_not_publicly_accessible check
- Loading branch information
Showing
2 changed files
with
49 additions
and
32 deletions.
There are no files selected for viewing
36 changes: 19 additions & 17 deletions
36
...function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,30 +1,32 @@ | ||
{ | ||
"Provider": "aws", | ||
"CheckID": "awslambda_function_serverless_architecture", | ||
"CheckTitle": "Ensure AWS Lambda function uses a serverless architecture", | ||
"CheckType": ["Serverless Architecture"], | ||
"CheckID": "awslambda_function_not_publicly_accessible", | ||
"CheckTitle": "Check if Lambda functions have resource-based policy set as Public.", | ||
"CheckType": [], | ||
"ServiceName": "lambda", | ||
"SubServiceName": "", | ||
"ResourceIdTemplate": "arn:aws:lambda:{region}:{account-id}:function:{function-name}", | ||
"Severity": "medium", | ||
"ResourceType": "AWS::Lambda::Function", | ||
"Description": "Verify if an AWS Lambda function uses a serverless architecture by checking if it is part of an AWS SAM deployment.", | ||
"Risk": "AWS SAM deployments are often associated with serverless architectures. A Lambda function that is part of an AWS SAM deployment is considered to be using a serverless architecture.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html", | ||
"ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name", | ||
"Severity": "critical", | ||
"ResourceType": "AwsLambdaFunction", | ||
"Description": "Check if Lambda functions have resource-based policy set as Public.", | ||
"Risk": "Publicly accessible services could expose sensitive data to bad actors.", | ||
"RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", | ||
"Remediation": { | ||
"Code": { | ||
"CLI": "N/A", | ||
"NativeIaC": "N/A", | ||
"Other": "N/A", | ||
"Terraform": "N/A" | ||
"CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html", | ||
"NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html", | ||
"Other": "", | ||
"Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html" | ||
}, | ||
"Recommendation": { | ||
"Text": "Consider reviewing the AWS SAM documentation to understand the characteristics of serverless architectures. Ensure that your Lambda functions align with your architectural principles.", | ||
"Url": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html" | ||
"Text": "Grant usage permission on a per-resource basis and applying least privilege principle.", | ||
"Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html" | ||
} | ||
}, | ||
"Categories": ["serverless-architecture"], | ||
"Categories": [ | ||
"internet-exposed" | ||
], | ||
"DependsOn": [], | ||
"RelatedTo": [], | ||
"Notes": "This check determines if an AWS Lambda function is using a serverless architecture based on whether it is part of an AWS SAM deployment." | ||
"Notes": "" | ||
} |
45 changes: 30 additions & 15 deletions
45
.../awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,28 +1,43 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client | ||
|
||
class awslambda_function_serverless_architecture(Check): | ||
"""awslambda_function_serverless_architecture verifies if an AWS Lambda function uses a serverless architecture""" | ||
|
||
class awslambda_function_not_publicly_accessible(Check): | ||
def execute(self): | ||
findings = [] | ||
|
||
for lambda_function in awslambda_client.functions: | ||
for function in awslambda_client.functions.values(): | ||
report = Check_Report_AWS(self.metadata()) | ||
|
||
report.region = lambda_function.region | ||
report.resource_id = lambda_function.name | ||
report.resource_arn = lambda_function.arn | ||
report.resource_tags = lambda_function.tags | ||
report.region = function.region | ||
report.resource_id = function.name | ||
report.resource_arn = function.arn | ||
report.resource_tags = function.tags | ||
|
||
report.status = "PASS" | ||
report.status_extended = f"AWS Lambda function {lambda_function.name} is not using a serverless architecture." | ||
|
||
# Check if the Lambda function is part of an AWS SAM deployment | ||
if "AWS::Serverless" in lambda_function.resource_type: | ||
report.status_extended = f"Lambda function {function.name} has a policy resource-based policy not public." | ||
|
||
public_access = False | ||
if function.policy: | ||
for statement in function.policy["Statement"]: | ||
# Only check allow statements | ||
if statement["Effect"] == "Allow": | ||
if ( | ||
"*" in statement["Principal"] | ||
or ( | ||
"AWS" in statement["Principal"] | ||
and "*" in statement["Principal"]["AWS"] | ||
) | ||
or ( | ||
"CanonicalUser" in statement["Principal"] | ||
and "*" in statement["Principal"]["CanonicalUser"] | ||
) | ||
): | ||
public_access = True | ||
break | ||
|
||
if public_access: | ||
report.status = "FAIL" | ||
report.status_extended = f"AWS Lambda function {lambda_function.name} is using a serverless architecture." | ||
report.status_extended = f"Lambda function {function.name} has a policy resource-based policy with public access." | ||
|
||
findings.append(report) | ||
|
||
return findings | ||
return findings |