restore awslambda_function_not_publicly_accessible check

prowler-cloud · Dec 22, 2023 · bce1f02 · bce1f02
1 parent 9b87e29
commit bce1f02
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 32 deletions.
diff --git a/...function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json b/...function_not_publicly_accessible/awslambda_function_not_publicly_accessible.metadata.json
@@ -1,30 +1,32 @@
 {
  "Provider": "aws",
- "CheckID": "awslambda_function_serverless_architecture",
- "CheckTitle": "Ensure AWS Lambda function uses a serverless architecture",
- "CheckType": ["Serverless Architecture"],
+ "CheckID": "awslambda_function_not_publicly_accessible",
+ "CheckTitle": "Check if Lambda functions have resource-based policy set as Public.",
+ "CheckType": [],
  "ServiceName": "lambda",
  "SubServiceName": "",
- "ResourceIdTemplate": "arn:aws:lambda:{region}:{account-id}:function:{function-name}",
- "Severity": "medium",
- "ResourceType": "AWS::Lambda::Function",
- "Description": "Verify if an AWS Lambda function uses a serverless architecture by checking if it is part of an AWS SAM deployment.",
- "Risk": "AWS SAM deployments are often associated with serverless architectures. A Lambda function that is part of an AWS SAM deployment is considered to be using a serverless architecture.",
- "RelatedUrl": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html",
+ "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+ "Severity": "critical",
+ "ResourceType": "AwsLambdaFunction",
+ "Description": "Check if Lambda functions have resource-based policy set as Public.",
+ "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
+ "RelatedUrl": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html",
  "Remediation": {
  "Code": {
- "CLI": "N/A",
- "NativeIaC": "N/A",
- "Other": "N/A",
- "Terraform": "N/A"
+ "CLI": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
+ "NativeIaC": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html",
+ "Other": "",
+ "Terraform": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/Lambda/function-exposed.html"
  },
  "Recommendation": {
- "Text": "Consider reviewing the AWS SAM documentation to understand the characteristics of serverless architectures. Ensure that your Lambda functions align with your architectural principles.",
- "Url": "https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/what-is-sam.html"
+ "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
+ "Url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
  }
  },
- "Categories": ["serverless-architecture"],
+ "Categories": [
+ "internet-exposed"
+ ],
  "DependsOn": [],
  "RelatedTo": [],
- "Notes": "This check determines if an AWS Lambda function is using a serverless architecture based on whether it is part of an AWS SAM deployment."
+ "Notes": ""
 }
diff --git a/.../awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py b/.../awslambda_function_not_publicly_accessible/awslambda_function_not_publicly_accessible.py
@@ -1,28 +1,43 @@
 from prowler.lib.check.models import Check, Check_Report_AWS
 from prowler.providers.aws.services.awslambda.awslambda_client import awslambda_client
 
-class awslambda_function_serverless_architecture(Check):
- """awslambda_function_serverless_architecture verifies if an AWS Lambda function uses a serverless architecture"""
 
+class awslambda_function_not_publicly_accessible(Check):
  def execute(self):
  findings = []
-
- for lambda_function in awslambda_client.functions:
+ for function in awslambda_client.functions.values():
  report = Check_Report_AWS(self.metadata())
-
- report.region = lambda_function.region
- report.resource_id = lambda_function.name
- report.resource_arn = lambda_function.arn
- report.resource_tags = lambda_function.tags
+ report.region = function.region
+ report.resource_id = function.name
+ report.resource_arn = function.arn
+ report.resource_tags = function.tags
 
  report.status = "PASS"
- report.status_extended = f"AWS Lambda function {lambda_function.name} is not using a serverless architecture."
-
- # Check if the Lambda function is part of an AWS SAM deployment
- if "AWS::Serverless" in lambda_function.resource_type:
+ report.status_extended = f"Lambda function {function.name} has a policy resource-based policy not public."
+
+ public_access = False
+ if function.policy:
+ for statement in function.policy["Statement"]:
+ # Only check allow statements
+ if statement["Effect"] == "Allow":
+ if (
+ "*" in statement["Principal"]
+ or (
+ "AWS" in statement["Principal"]
+ and "*" in statement["Principal"]["AWS"]
+ )
+ or (
+ "CanonicalUser" in statement["Principal"]
+ and "*" in statement["Principal"]["CanonicalUser"]
+ )
+ ):
+ public_access = True
+ break
+
+ if public_access:
  report.status = "FAIL"
- report.status_extended = f"AWS Lambda function {lambda_function.name} is using a serverless architecture."
+ report.status_extended = f"Lambda function {function.name} has a policy resource-based policy with public access."
 
  findings.append(report)
 
- return findings
+ return findings