AWS Lambda layer modified to allow public access
Description
AlphaSOC detected that an AWS Lambda layer version was made publicly accessible. Lambda layers contain code and data that can be shared across multiple Lambda functions. When a layer is made public, anyone with an AWS account can reference and use it in their Lambda functions. This configuration change could expose sensitive code or data, or reveal implementation details that could be leveraged by threat actors.
Impact
A publicly accessible Lambda layer poses security risks as it could allow unauthorized parties to access proprietary code, sensitive configurations, or embedded credentials. Additionally, threat actors could analyze the exposed code to identify vulnerabilities or business logic that could be exploited in targeted attacks. Any secrets, API keys, or sensitive data included in the layer would be accessible to anyone who references it.
Severity
| Severity | Condition |
|---|---|
| Medium | AWS Lambda layer modified to allow public access |
Investigation and Remediation
Examine AWS CloudTrail audit logs to identify who made the layer public and verify whether this action was authorized. If unauthorized, revoke public access immediately by updating the layer's resource policy. Audit all Lambda functions that reference this layer and review the layer's code for any sensitive data exposure. Consider rotating any credentials or secrets that may have been exposed and implementing preventive controls to restrict layer sharing permissions.
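The triage described above, as an added example that is not part of the AlphaSOC page: it scans CloudTrail records for AddLayerVersionPermission calls whose principal is "*" (the API call that makes a layer version public), keeps the actor and source IP for the authorization check, distinguishes grants that are scoped to an AWS Organization from fully public ones, and builds the matching remove-layer-version-permission call. The CloudTrail records are constructed sample data; the layer name, account IDs and ARNs are placeholders.

```python
import json

# Constructed sample CloudTrail records (not real log data). CloudTrail records
# Lambda API calls with a dated suffix on eventName, e.g. AddLayerVersionPermission20181031.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddLayerVersionPermission20181031",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"layerName": "shared-utils", "versionNumber": 7,
                           "statementId": "public-read",
                           "action": "lambda:GetLayerVersion", "principal": "*"}},
    {"eventTime": "2024-05-01T10:20:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "AddLayerVersionPermission20181031",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "sourceIPAddress": "10.0.4.12",
     "requestParameters": {"layerName": "shared-utils", "versionNumber": 7,
                           "statementId": "partner-account",
                           "action": "lambda:GetLayerVersion", "principal": "444455556666"}},
    {"eventTime": "2024-05-01T10:25:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "GetLayerVersion20181031",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"layerName": "shared-utils", "versionNumber": 7}},
]

def find_public_layer_grants(events):
    """One finding per AddLayerVersionPermission call with principal "*", carrying the
    actor plus the fields needed to revoke the statement. A "*" grant that also carries
    organizationId is limited to accounts in that organization, so it is flagged separately."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "lambda.amazonaws.com":
            continue
        if not ev.get("eventName", "").startswith("AddLayerVersionPermission"):
            continue
        params = ev.get("requestParameters") or {}
        if params.get("principal") != "*":
            continue  # grant scoped to one account: not a public-access event
        findings.append({
            "time": ev.get("eventTime"),
            "actor": ev.get("userIdentity", {}).get("arn"),
            "source_ip": ev.get("sourceIPAddress"),
            "layer": params.get("layerName"),
            "version": params.get("versionNumber"),
            "statement_id": params.get("statementId"),
            "org_scoped": "organizationId" in params,
        })
    return findings

def remediation_command(finding):
    """AWS CLI call that removes the offending statement from the layer version policy."""
    return ("aws lambda remove-layer-version-permission "
            f"--layer-name {finding['layer']} --version-number {finding['version']} "
            f"--statement-id {finding['statement_id']}")

if __name__ == "__main__":
    for f in find_public_layer_grants(SAMPLE_EVENTS):
        print(json.dumps(f))
        print("  revoke with:", remediation_command(f))
```

After revoking, list the functions whose configuration references the layer version ARN and review the layer contents for secrets, as the remediation steps above describe.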