Lateral movement

Lambda Function with Admin Privileges

Risk Level

Hazardous (3)



The IAM role associated with {AwsLambdaFunction} grants the function admin privileges (i.e. an Allow statement with 'Action': '*' on 'Resource': '*'). An attacker who gains code execution in the function (for example through a vulnerable dependency or an injection flaw in its handler) inherits the role's credentials and can use those privileges for any purpose in the account.
  • Recommended Mitigation

    Define only the specific permissions the function needs in the IAM role policy. This can be done by detaching the privileged policy from the {AwsLambdaFunction.FunctionRole} role and attaching a more explicit one that lists the required actions and the resource ARNs they apply to. Review the role's inline policies as well as every attached managed policy, since the wildcard grant may come from either.
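The following is an added example, not part of the original finding or of any vendor tooling. It shows the check a practitioner would run over a role's policy documents to spot the admin grant described above, and it builds the scoped-down replacement policy. The policy documents, the account ID, region, bucket and log-group names are constructed placeholders; the function and role names are hypothetical. Only the Python standard library is used, so it runs offline on policy JSON obtained with `aws iam get-policy-version` or `aws iam get-role-policy`.

```python
"""Detect admin-equivalent IAM policy statements and build a scoped replacement."""
import json

# Constructed sample: the policy shape this finding describes.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_statements(policy):
    """Return (index, reason) for each statement that amounts to admin access.

    A statement is flagged when Effect is Allow, it has no Condition, it
    applies to all resources (Resource "*" or any NotResource), and it allows
    all actions (Action "*" or any NotAction; Allow + NotAction permits
    everything not listed, which is near-admin). Deny statements elsewhere
    are not subtracted, so this is a conservative flag, not a full evaluation.
    """
    found = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        all_actions = "*" in _as_list(stmt.get("Action")) or "NotAction" in stmt
        all_resources = "*" in _as_list(stmt.get("Resource")) or "NotResource" in stmt
        if all_actions and all_resources:
            reason = "NotAction" if "NotAction" in stmt else "Action '*'"
            found.append((idx, f"Allow {reason} on all resources"))
    return found


def is_admin_policy(policy):
    return bool(admin_statements(policy))


def build_scoped_policy(grants):
    """Build an explicit policy from (actions, resources) pairs.

    Bare wildcards are rejected so the replacement cannot reintroduce the
    finding; service-scoped wildcards such as "s3:Get*" are still allowed.
    """
    statements = []
    for actions, resources in grants:
        if "*" in actions or "*" in resources:
            raise ValueError("scoped policy must not contain bare '*' grants")
        statements.append(
            {"Effect": "Allow", "Action": sorted(actions), "Resource": sorted(resources)}
        )
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: least privilege for a hypothetical function "example-fn"
# that reads one S3 prefix and writes to its own CloudWatch log group.
SCOPED_POLICY = build_scoped_policy(
    [
        (
            ["logs:CreateLogStream", "logs:PutLogEvents"],
            ["arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*"],
        ),
        (["s3:GetObject"], ["arn:aws:s3:::example-bucket/input/*"]),
    ]
)


if __name__ == "__main__":
    print("admin policy flagged:", admin_statements(ADMIN_POLICY))
    print("scoped policy flagged:", admin_statements(SCOPED_POLICY))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Run the check over every document returned by `aws iam list-attached-role-policies` / `aws iam get-policy-version` and `aws iam list-role-policies` / `aws iam get-role-policy` for the function's role. Once the scoped document is written, detach the wildcard policy (`aws iam detach-role-policy --role-name <role> --policy-arn <arn>`, or `delete-role-policy` for an inline one) and add the replacement with `aws iam put-role-policy --role-name <role> --policy-name <name> --policy-document file://scoped.json`; then invoke the function and confirm from its CloudWatch logs that no AccessDenied errors appear for actions it legitimately needs.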