AWS Security Hub flags Zappa deployed lambda functions with an s3 event source as allowing public access.
PCI.Lambda.1 Lambda functions should prohibit public access
CRITICAL:
This AWS control checks whether the Lambda function policy attached to the Lambda resource prohibits public access.
Related requirements: PCI DSS 1.2.1, PCI DSS 1.3.1, PCI DSS 1.3.2, PCI DSS 1.3.4, PCI DSS 7.2.1
For directions on how to fix this issue, consult the AWS Security Hub PCI DSS documentation.
https://docs.aws.amazon.com/console/securityhub/PCI.Lambda.1/remediation
Expected Behavior
While I'm not sure this satisfies cases where there are multiple AWS accounts involved, it seems to me the default behavior should be to create private lambda functions by including the AWS:SourceAccount in the lambda resource policy conditions as shown in my steps to reproduce below.
Actual Behavior
Zappa creates lambdas that can be invoked by anyone in control of the s3 bucket leading to AWS Security Hub flagging a security finding.
Possible Fix
Steps to Reproduce
Since s3 buckets are involved and names are global, you'll need to edit references to the s3 bucket name in the below steps
Note that the policy conditions only check whether the principal is s3.amazonaws.com. This means anyone in control of the s3 bucket in the event source can trigger your lambda function. For example, if you were to delete the bucket, someone else may create a bucket with the same name, drop an object in it, and trigger your lambda.
If we add the AWS account ARN as a condition, the function is no longer publicly invokable, and AWS Security Hub is satisfied.
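The following is an added example, not Zappa's code or the original steps to reproduce: it builds a constructed Lambda resource policy of the shape described above (bucket-name SourceArn only) next to one that also carries the proposed AWS:SourceAccount condition, and runs a local approximation of the Lambda.1 "public access" logic over both. The account id, bucket and function names are placeholders, and the checker is an assumption about the control's rule, not Security Hub's implementation.

```python
import copy

# Constructed sample policy (placeholder ids/names, not values from the issue).
# Only the s3.amazonaws.com service principal and the bucket ARN are checked;
# a bucket ARN carries no account id, so whoever owns a bucket with that name
# can invoke the function.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "zappa-s3-event",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-bucket"}},
    }],
}

# Same policy with the AWS:SourceAccount condition the issue proposes.
FIXED_POLICY = copy.deepcopy(WEAK_POLICY)
FIXED_POLICY["Statement"][0]["Condition"]["StringEquals"] = {
    "AWS:SourceAccount": "111122223333"
}

def _has_source_account(stmt):
    # IAM condition keys are case-insensitive; accept the key under any operator.
    for keys in stmt.get("Condition", {}).values():
        if any(k.lower() == "aws:sourceaccount" for k in keys):
            return True
    return False

def _is_public(stmt):
    # Assumed rule: wildcard principal, or a service principal not pinned
    # to an account with AWS:SourceAccount, counts as public.
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if "*" in ([aws] if isinstance(aws, str) else aws):
            return True
        if "Service" in principal and not _has_source_account(stmt):
            return True
    return False

def public_statements(policy):
    """Return the Sids of Allow statements the check would flag as public."""
    return [s.get("Sid", "<no sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_public(s)]

if __name__ == "__main__":
    print("weak :", public_statements(WEAK_POLICY))   # ['zappa-s3-event']
    print("fixed:", public_statements(FIXED_POLICY))  # []
```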
Your Environment
pip freeze:
argcomplete==1.12.3 boto3==1.18.42 botocore==1.21.42 certifi==2021.5.30 cfn-flip==1.2.3 charset-normalizer==2.0.5 click==8.0.1 durationpy==0.5 future==0.18.2 hjson==3.0.2 idna==3.2 jmespath==0.10.0 kappa==0.6.0 pep517==0.11.0 pip-tools==6.2.0 placebo==0.9.0 python-dateutil==2.8.2 python-slugify==5.0.2 PyYAML==5.4.1 requests==2.26.0 s3transfer==0.5.0 six==1.16.0 text-unidecode==1.3 toml==0.10.2 tomli==1.2.1 tqdm==4.62.2 troposphere==3.0.3 urllib3==1.26.6 Werkzeug==0.16.1 wsgi-request-logger==0.4.6 zappa==0.53.0
zappa_settings.json:
See steps to reproduce