Ensure Lambda function does not have cross account access

Error: Lambda function has cross account access

Bridgecrew Policy ID: BC_AWS_SERVERLESS_2
Severity: HIGH

Lambda function has cross account access


AWS Lambda permissions are determined by the IAM execution role associated with the function. With an elevated execution role, an attacker can control the privileges that your Lambda function has. Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross account access (i.e. unknown function invocation requests).

We recommend you grant the IAM execution role the necessary permissions that your Lambda function needs, instead of providing administrative permissions.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon Lambda console.
  3. Navigate to the AWS Lambda section, select Functions.
  4. For the function that you want to examine and access its configuration page, click the function's name.
  5. Select the Triggers tab, then click View function policy. The panel with the policy used to manage the function invocation permissions will expand.
  6. Inside the Lambda function policy box, identify the AWS account ARN.
  7. Remove AWS account ARN that grants cross account access.