
Many false positives for check awslambda_function_not_publicly_accessible

Open pr3l14t0r opened this issue 6 months ago • 5 comments

Steps to Reproduce

Ahoy! I am running prowler periodically on AWS. Since the latest version (Prowler 4.3.5) I am getting a lot of false positives on check awslambda_function_not_publicly_accessible.

From my understanding, the code is missing a check whether a condition is set in the resource based policy.

Here's a redacted example policy that i have in place for a lambda-script:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "awslambda-myLambdaScript-LambdaInvokePermission",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:<REGION>:<ACCOUNT-ID>:function:myLambdaScript",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<ACCOUNT-ID>"
        }
      }
    }
  ]
}

Notice that there's a condition set to mitigate access from public. This condition allows SES to only invoke this function from within the account.

But still this policy would get flagged as failed check, stating:

Lambda function myLambdaFunction has a policy resource-based policy with public access.

Neither am I a python expert, nor a prowler-developer, but shouldn't a condition statement get taken into consideration to determine whether a function is publicly accessible or not?

Anyway, I have multiple such Resource-based policy documents and all of these get flagged as publicly accessible, when they are in fact not.

Could you double check and help me out verifying whether it's a false positive // the check's code is wrong?

Cheers. :)

Expected behavior

The check awslambda_function_not_publicly_accessible should not fail when the Resource-based policy document contains a Condition which restricts access, like:

      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<ACCOUNT-ID>"
        }
      }

Actual Result with Screenshots or Logs

When using a Condition, the check would still fail and state:

Lambda function myLambdaFunction has a policy resource-based policy with public access.

How did you install Prowler?

From pip package (pip install prowler)

Environment Resource

  1. Fargate Task

OS used

Container source image: docker.io/library/python:3.12-slim

cat /etc/os-release

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"

Prowler version

4.3.5

Pip version

24.2

Context

No response

pr3l14t0r Aug 27 '24 08:08
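The evaluation the report argues for, as an added example that is not Prowler's own code: a statement only counts as public when it is an Allow whose Principal is open (`*`, `{"AWS": "*"}`, or an AWS service principal, which any account can make the service act on unless the source is pinned) and no Condition restricts the caller to an account, ARN or organization. The list of restricting condition keys and operators is an assumption for this example, the sample policies are constructed copies of the issue's redacted policy with the placeholder account id 123456789012, and the function names are hypothetical.

```python
"""Classify a Lambda resource-based policy as public or not.

Added example, not Prowler's implementation. IAM condition keys are
matched case-insensitively, so "AWS:SourceAccount" in the issue's policy
is the same key as "aws:SourceAccount".
"""
import json
from typing import Any, Dict, List

# Condition keys that pin the caller to a specific source (assumed list).
RESTRICTING_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalorgid", "aws:principalaccount",
}
# Operators that narrow the match; Not* / IfExists variants are ignored here.
RESTRICTING_OPERATORS = {"stringequals", "arnequals", "arnlike", "stringlike"}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_open(principal: Any) -> bool:
    """True for '*', {'AWS': '*'} or any service principal (confused deputy)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for ptype, values in principal.items():
            for value in _as_list(values):
                if value == "*" or ptype == "Service":
                    return True
    return False


def has_restricting_condition(statement: Dict[str, Any]) -> bool:
    """True if some Condition pins the source account/ARN/org to a non-wildcard value."""
    condition = statement.get("Condition") or {}
    for operator, keys in condition.items():
        if operator.lower() not in RESTRICTING_OPERATORS:
            continue
        for key, values in keys.items():
            if key.lower() not in RESTRICTING_KEYS:
                continue
            values = _as_list(values)
            if values and all(v != "*" for v in values):
                return True
    return False


def statement_is_public(statement: Dict[str, Any]) -> bool:
    if statement.get("Effect") != "Allow":
        return False
    if not principal_is_open(statement.get("Principal")):
        return False
    return not has_restricting_condition(statement)


def public_statement_sids(policy: Dict[str, Any]) -> List[str]:
    """Sids of the statements that grant public invocation (for a finding message)."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy.get("Statement"))
            if statement_is_public(s)]


def policy_is_public(policy: Dict[str, Any]) -> bool:
    return bool(public_statement_sids(policy))


# Constructed sample: the issue's redacted policy with a placeholder account id.
ISSUE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [{
    "Sid": "awslambda-myLambdaScript-LambdaInvokePermission",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:myLambdaScript",
    "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}
  }]
}""")

# Constructed variant: same grant to SES but without the pinning condition.
NO_CONDITION_POLICY = json.loads(json.dumps(ISSUE_POLICY))
del NO_CONDITION_POLICY["Statement"][0]["Condition"]

# Constructed variant: anonymous invocation.
ANONYMOUS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "anyone", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-east-1:123456789012:function:myLambdaScript"}]}

if __name__ == "__main__":
    for name, pol in [("issue", ISSUE_POLICY), ("no-condition", NO_CONDITION_POLICY),
                      ("anonymous", ANONYMOUS_POLICY)]:
        print(name, "public" if policy_is_public(pol) else "not public",
              public_statement_sids(pol))
```

Run as a script it labels the issue's policy "not public" and the two variants "public", naming the offending Sid so a finding can point at the statement rather than the whole policy.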