Lateral movement

Lambda Function with Admin Privileges

Risk Level

Hazardous (3)

Compliance Frameworks


The IAM role associated with {AwsLambdaFunction} grants the function admin privileges (i.e. 'Action': '*' on 'Resource': '*'). An attacker who gains control of the function, or who can invoke it with attacker-controlled input, could exploit those privileges to act as an administrator across the account.
Recommended Mitigation

Define the specific permissions the function needs in the IAM role policy. This is done by detaching the {AwsLambdaFunction.FunctionRole} role from the privileged policy and attaching it to a more explicit, least-privilege one.

## Remediation

---

1. Sign in to the AWS Management Console and open the **IAM console**.
2. In the navigation pane, choose **Roles**, and then select the desired role.
3. To attach the role to a more explicit policy:
   a. Under **Permissions policies** in the **Permissions** tab, choose **Add permissions**.
   b. Choose **Attach policies**.
   c. Select the desired policy.
   d. Choose **Attach policies**.
4. To detach the role from the permissive policy:
   a. Under **Permissions policies** in the **Permissions** tab, select the permissive policy.
   b. Choose **Remove**.
   c. In the confirmation dialog box, choose **Delete**.
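The following is an added example, not part of the original finding page and not the vendor's own rule logic. It implements the check this finding describes as a small Python evaluator: given the policy documents attached to a Lambda execution role, it reports any statement that allows all actions on all resources, and it shows a constructed least-privilege policy beside the constructed admin one. The sample policies, the account ID, bucket and log-group names are all constructed for illustration; in practice the documents would come from the IAM API (for example `iam.get_policy_version()` for managed policies and `iam.get_role_policy()` for inline ones).

```python
"""Flag IAM policy documents that grant a Lambda execution role admin rights.

A statement of the shape {"Effect": "Allow", "Action": "*", "Resource": "*"}
(the shape of the AWS managed AdministratorAccess policy) is the finding's
definition of admin privileges. Action and Resource may each be a string or a
list of strings, and Statement may be a single object or a list, so both
forms are normalised before checking.
"""
from typing import Iterable, List


def _as_list(value) -> List[str]:
    """IAM accepts either a string or a list of strings for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_full_wildcard(value: str) -> bool:
    """'*' matches everything; '*:*' is an equivalent full action wildcard."""
    return value.strip() in ("*", "*:*")


def admin_statements(policy_document: dict) -> list:
    """Return the statements that allow every action on every resource.

    Deny statements are ignored, and NotAction/NotResource-based grants are
    out of scope here because they are not the shape this finding matches.
    """
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_is_full_wildcard(a) for a in actions) and any(
            _is_full_wildcard(r) for r in resources
        ):
            hits.append(stmt)
    return hits


def role_is_admin(policy_documents: Iterable[dict]) -> bool:
    """True if any managed or inline policy attached to the role is admin."""
    return any(admin_statements(doc) for doc in policy_documents)


# Constructed sample: the permissive policy this finding flags.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed sample: an explicit policy scoped to what a typical function
# actually needs (its own log group and one bucket prefix). Account ID,
# region, bucket and function names are placeholders.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
            ],
            "Resource": "arn:aws:logs:us-east-1:123456789012:"
            "log-group:/aws/lambda/example-function:*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/input/*",
        },
    ],
}


def main() -> None:
    # Simulate a role that still carries the admin policy next to a
    # scoped one: the finding fires until the admin policy is detached.
    before = [LEAST_PRIVILEGE_POLICY, ADMIN_POLICY]
    after = [LEAST_PRIVILEGE_POLICY]
    print("before detaching admin policy:", role_is_admin(before))
    print("after detaching admin policy: ", role_is_admin(after))


if __name__ == "__main__":
    main()
```

The evaluator treats a list form such as `"Action": ["s3:*", "*"]` the same as the bare string, and it does not flag a `Deny` statement that happens to use wildcards, so it matches only the grant this finding is about rather than every broad policy.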