AWS securityhub high security documentation change
Summary
Added 'Impact traits for Lambda functions' section detailing privilege escalation patterns and security risks, while removing some specific IAM policy guidance sections
Security assessment
The change introduces detailed documentation about 15 specific privilege escalation vectors (e.g., 'Trust policy hijack', 'Disable audit trail', 'Credential minting') that could be exploited if Lambda functions have excessive permissions. These additions directly address security vulnerabilities by explaining concrete attack scenarios and recommending least privilege principles. The removed sections about administrative policies are replaced with more specific security-focused impact analysis.
Diff
diff --git a/securityhub/latest/userguide/exposure-lambda-function.md b/securityhub/latest/userguide/exposure-lambda-function.md index a07569590..b469a1e92 100644 --- a//securityhub/latest/userguide/exposure-lambda-function.md +++ b//securityhub/latest/userguide/exposure-lambda-function.md @@ -7 +7 @@ -Misconfiguration traits for Lambda functionsReachability traits for Lambda functionsVulnerability traits for Lambda functions +Misconfiguration traits for Lambda functionsReachability traits for Lambda functionsVulnerability traits for Lambda functionsImpact traits for Lambda functions @@ -29,4 +28,0 @@ The remediation guidance provided in this topic might require additional consult - * [The IAM Role associated with the Lambda function has an Administrative access policy](./exposure-lambda-function.html#administrative-access-policy) - - * [The IAM Role associated with the Lambda function has a policy with administrative access to an AWS Service](./exposure-lambda-function.html#service-admin-policy) - @@ -48,0 +45 @@ The remediation guidance provided in this topic might require additional consult + * [Impact traits for Lambda functions](./exposure-lambda-function.html#lambda-impact) @@ -49,0 +47 @@ The remediation guidance provided in this topic might require additional consult + * [Full control privileged executor](./exposure-lambda-function.html#full-control-privileged-executor) @@ -50,0 +49 @@ The remediation guidance provided in this topic might require additional consult + * [Direct policy escalation](./exposure-lambda-function.html#direct-policy-escalation) @@ -52,23 +51 @@ The remediation guidance provided in this topic might require additional consult -## Misconfiguration traits for Lambda functions - -Here are misconfiguration traits for Lambda functions and suggested remediation steps. - -### Lambda function is deployed outside of an Amazon VPC - -Lambda functions by default are deployed with access to the public internet. This default configuration gives Lambda functions the ability to reach AWS service endpoints and external APIs, but it also exposes them to potential security risks. Functions with internet access could be used to exfiltrate data, communicate with unauthorized servers, or become entry points for external actors if compromised. Amazon VPC provides network isolation by restricting your Lambda functions to communicate only with resources within your defined private network. Following standard security principles, we recommend deploying Lambda functions within a VPC to improve security through network isolation. - -###### Attach function to VPC - -In the exposure finding, open the resource with the hyperlink. This will open the Lambda function window. To secure your Lambda function by restricting its network access, attach it to a VPC that has the appropriate network controls in place. Before attaching your function to a VPC, plan for any AWS service access it may need, as functions in private subnets without NAT gateways or VPC endpoints won't be able to reach AWS service APIs. For information about how to attach a Lambda function to an Amazon VPC in your account, see [Attaching Lambda functions to an Amazon VPC in your AWS account](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-attaching). Consider using VPC endpoints for service connectivity without internet access if your function requires to access AWS services from within a private subnet. Configure a NAT Gateway if you require outbound internet connectivity from private subnets. - -### The IAM Role associated with the Lambda function has an Administrative access policy - -Administrative access policies provide Lambda functions with broad permissions to AWS services and resources. These policies typically include permissions that are not required for functionality. Providing an IAM identity with an administrative access policy on a Lambda function, instead of the minimum set of permissions that the execution role needs, can increase the scope of an attack if the function is compromised. Following standard security principles, AWS recommends that you grant least privileges, which means that you grant only the permissions required to perform a task. - - 1. **Review and identify administrative policies** - -In the exposure finding, identify the role name. Go to the IAM dashboard and find the role with the role name identified previously. Review the permissions policy attached to the IAM role. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect": "Allow", "Action": "*"` and `"Resource": "*"` together. - - 2. **Implement least privilege access** - -Replace administrative policies with those that grant only the specific permissions required for the function to operate. For more information on security best practices for IAM roles, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. Alternatively, you can create a new IAM role to avoid impacting other Lambda functions using the existing role. In this scenario, create a new IAM role. Then associate the new role with the instance. For information about replacing an IAM role for a function, see [Update a function’s execution role](https://docs.aws.amazon.com/lambda/latest/dg/permissions-executionrole-update.html#update-execution-role) in the _AWS Lambda Developer Guide_. + * [Trust policy hijack](./exposure-lambda-function.html#trust-policy-hijack) @@ -76 +53 @@ Replace administrative policies with those that grant only the specific permissi - 3. **Secure configuration considerations** + * [Data ransomware](./exposure-lambda-function.html#data-ransomware) @@ -78 +55 @@ Replace administrative policies with those that grant only the specific permissi -If administrative access permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: + * [Remove restriction](./exposure-lambda-function.html#remove-restriction) @@ -80 +57 @@ If administrative access permissions are necessary for the instance, consider im - * **Multi-factor authentication (MFA)** – MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. For more information, see [Require multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users) in the _AWS Identity and Access Management User Guide_. + * [Pass role create executor](./exposure-lambda-function.html#pass-role-create-executor) @@ -82 +59 @@ If administrative access permissions are necessary for the instance, consider im - * **IAM conditions** – Setting up condition elements allows you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. For more information, see [Use conditions in IAM policies to further restrict access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the _IAM User Guide_. + * [Swap role existing executor](./exposure-lambda-function.html#swap-role-existing-executor) @@ -84 +61 @@ If administrative access permissions are necessary for the instance, consider im - * **Permission boundaries** – Permission boundaries establish the maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _AWS Identity and Access Management User Guide_. + * [Role chain escalation](./exposure-lambda-function.html#role-chain-escalation) @@ -85,0 +63 @@ If administrative access permissions are necessary for the instance, consider im + * [Inject code privileged executor](./exposure-lambda-function.html#inject-code-privileged-executor) @@ -86,0 +65 @@ If administrative access permissions are necessary for the instance, consider im + * [Disable audit trail](./exposure-lambda-function.html#disable-audit-trail) @@ -87,0 +67 @@ If administrative access permissions are necessary for the instance, consider im + * [Access existing executor](./exposure-lambda-function.html#access-existing-executor) @@ -89 +69 @@ If administrative access permissions are necessary for the instance, consider im -### The IAM Role associated with the Lambda function has a policy with administrative access to an AWS Service + * [Credential minting](./exposure-lambda-function.html#credential-minting) @@ -91 +71 @@ If administrative access permissions are necessary for the instance, consider im -Service admin policies allow Lambda functions to perform all actions within a specific AWS service. These policies typically grant more permissions than necessary for a function's operation. If a Lambda function with a service admin policy is compromised, an attacker could use those permissions to potentially access or modify sensitive data or services within your AWS environment. Following standard security principles, we recommend that you grant least privileges, which means that you grant only the permissions required to perform a task. + * [Pass role data access](./exposure-lambda-function.html#pass-role-data-access) @@ -93 +73 @@ Service admin policies allow Lambda functions to perform all actions within a sp - 1. **Review and identify administrative policies** + * [Pass role task hijack](./exposure-lambda-function.html#pass-role-task-hijack) @@ -95 +75 @@ Service admin policies allow Lambda functions to perform all actions within a sp -In the exposure finding, identify the role name in the ARN. Go to the IAM dashboard, and find the role name. Review the permissions policy attached to the role. If the policy is an AWS managed policy, look for `AdministratorAccess` or `IAMFullAccess`. Otherwise, in the policy document, look for statements that have the statements `"Effect": "Allow", "Action": "*"` and `"Resource": "*"` . + * [Single hop data access](./exposure-lambda-function.html#single-hop-data-access) @@ -97 +77 @@ In the exposure finding, identify the role name in the ARN. Go to the IAM dashbo - 2. **Implement least privilege access** + * [Capability advancing](./exposure-lambda-function.html#capability-advancing) @@ -99 +78,0 @@ In the exposure finding, identify the role name in the ARN. Go to the IAM dashbo -Replace administrative policies with those that grant only the specific permissions required for the function to operate. For more information, see [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _AWS Identity and Access Management User Guide_. To identify unnecessary permissions, you can use the IAM Access Analyzer to understand how to modify your policy based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) in the _AWS Identity and Access Management User Guide_. Alternatively, you can create a new IAM role to avoid impacting other Lambda functions that are using the existing role. In this scenario, create a new IAM role, then associate the new IAM role with the instance. For instructions on replacing an IAM role for a function, see [Update a function’s execution role](https://docs.aws.amazon.com/lambda/latest/dg/permissions-executionrole-update.html#update-execution-role) in the _AWS Lambda Developer Guide_. @@ -101 +79,0 @@ Replace administrative policies with those that grant only the specific permissi - 3. **Secure configuration considerations** @@ -103 +80,0 @@ Replace administrative policies with those that grant only the specific permissi -If service-level administrative permissions are necessary for the instance, consider implementing these additional security controls to mitigate risk: @@ -105 +82 @@ If service-level administrative permissions are necessary for the instance, cons - * **Multi-factor authentication (MFA)** – MFA adds an additional security layer by requiring an additional form of authentication. This helps prevent unauthorized access even if credentials are compromised. For more information, see [Require multi-factor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users) in the _AWS Identity and Access Management User Guide_. +## Misconfiguration traits for Lambda functions @@ -107 +84 @@ If service-level administrative permissions are necessary for the instance, cons - * **IAM conditions** – Setting up condition elements allows you to restrict when and how administrative permissions can be used based on factors like source IP or MFA age. For more information, see [Use conditions in IAM policies to further restrict access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-policy-conditions) in the _AWS Identity and Access Management User Guide_. +Here are misconfiguration traits for Lambda functions and suggested remediation steps. @@ -109 +86 @@ If service-level administrative permissions are necessary for the instance, cons - * **Permissions boundaries** – Permission boundaries establish the maximum permissions a role can have, providing guardrails for roles with administrative access. For more information, see [Use permissions boundaries to delegate permissions management](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-permissions-boundaries) in the _AWS Identity and Access Management User Guide_. +### Lambda function is deployed outside of an Amazon VPC @@ -110,0 +88 @@ If service-level administrative permissions are necessary for the instance, cons +Lambda functions by default are deployed with access to the public internet. This default configuration gives Lambda functions the ability to reach AWS service endpoints and external APIs, but it also exposes them to potential security risks. Functions with internet access could be used to exfiltrate data, communicate with unauthorized servers, or become entry points for external actors if compromised. Amazon VPC provides network isolation by restricting your Lambda functions to communicate only with resources within your defined private network. Following standard security principles, we recommend deploying Lambda functions within a VPC to improve security through network isolation. @@ -111,0 +90 @@ If service-level administrative permissions are necessary for the instance, cons +###### Attach function to VPC @@ -112,0 +92 @@ If service-level administrative permissions are necessary for the instance, cons +In the exposure finding, open the resource with the hyperlink. This will open the Lambda function window. To secure your Lambda function by restricting its network access, attach it to a VPC that has the appropriate network controls in place. Before attaching your function to a VPC, plan for any AWS service access it may need, as functions in private subnets without NAT gateways or VPC endpoints won't be able to reach AWS service APIs. For information about how to attach a Lambda function to an Amazon VPC in your account, see [Attaching Lambda functions to an Amazon VPC in your AWS account](https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html#configuration-vpc-attaching). Consider using VPC endpoints for service connectivity without internet access if your function requires to access AWS services from within a private subnet. Configure a NAT Gateway if you require outbound internet connectivity from private subnets. @@ -169,0 +150,70 @@ Review the **References** section in the **Vulnerability** tab of the trait. Ama +## Impact traits for Lambda functions + +Impact traits describe the potential blast radius of an exposure. Security Hub analyzes the effective permissions of the AWS Identity and Access Management principal associated with the Lambda function to determine the downstream resources an attacker could reach if the function is compromised. Each impact trait identifies a specific privilege escalation pattern. To reduce your blast radius, review the permission paths described in each trait and remove any unnecessary privileges. + +Following standard security principles, AWS recommends that you grant least privilege — only the permissions required to perform a task. Replace broad policies with scoped-down policies that grant only the specific actions and resources needed. To identify unused permissions to remove, use IAM Access Analyzer to generate recommendations based on access history. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html) and [Apply least-privilege permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege) in the _IAM User Guide_. + +### Full control privileged executor + +The associated principal can pass a role to and inject code into a compute resource that already has elevated permissions. This allows the principal to gain full control over the executor and perform any action that the executor's role permits. + +### Direct policy escalation + +The associated principal can directly modify IAM policies to grant itself additional permissions, escalating its own privileges without intermediate resources. + +### Trust policy hijack + +The associated principal can modify the trust policy of an IAM role to allow itself to assume that role, gaining the role's permissions. + +### Data ransomware + +The associated principal can encrypt or delete data in a way that could be used for ransomware, such as encrypting Amazon S3 objects with a customer-managed AWS KMS key and then modifying the key policy. + +### Remove restriction + +The associated principal can remove security restrictions such as permission boundaries, service control policies, or resource-based policy deny statements, expanding what other principals or the resource itself can do. + +### Pass role create executor + +The associated principal can create a new compute resource (such as a Lambda function or Amazon EC2 instance) and pass it a privileged role, effectively laundering its own permissions through the new resource. + +### Swap role existing executor + +The associated principal can change the IAM role attached to an existing compute resource, replacing it with a more privileged role to escalate access. + +### Role chain escalation + +The associated principal can assume a sequence of roles, where each role in the chain has progressively broader permissions, ultimately reaching a highly privileged role. + +### Inject code privileged executor + +The associated principal can inject code into a running compute resource that has elevated permissions, executing arbitrary operations under that resource's privileged role. + +### Disable audit trail + +The associated principal can disable logging or monitoring services such as CloudTrail, effectively covering its tracks during or after an escalation. + +### Access existing executor + +The associated principal can invoke or connect to an existing compute resource and use its attached role to perform privileged actions. + +### Credential minting + +The associated principal can create new long-term credentials (such as access keys or login profiles) for other principals, establishing persistent access paths that survive password rotations or session expirations. + +### Pass role data access + +The associated principal can create a service resource and pass it a role that has access to sensitive data, gaining indirect access to that data through the new resource. + +### Pass role task hijack + +The associated principal can pass a role to a scheduled or event-driven task (such as a Lambda function triggered by an event), allowing it to execute arbitrary code with that role's permissions. + +### Single hop data access + +The associated principal can directly access sensitive data resources (such as Amazon S3 buckets or DynamoDB tables) through its existing permissions, without needing intermediate escalation steps. + +### Capability advancing + +The associated principal has a privilege escalation path that advances its overall capabilities beyond what its directly assigned permissions would suggest. This is a general classification for paths that do not match a more specific pattern. +