lambda-function-public-access-prohibited - AWS Config


Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access. If the Lambda function policy allows public access it is NON_COMPLIANT.

Context: A lambda function policy is considered to allow public access if the principal element is empty or contains a wildcard. For example, if the principal element is “” or {“AWS”: “”}. Granting public access is not recommended for security reasons. Restricting public access can help you prevent unauthorized invocations of your Lambda functions, which could compromise your data or incur unwanted costs.

To restrict access to your Lambda functions, specify the AWS account IDs or the Amazon Resource Names (ARNs) of the IAM users, roles, or services that can invoke the functions. For more information, see Granting function access to other accounts in the AWS Lambda Developer Guide.


Resource Types: AWS::Lambda::Function

Trigger type: Configuration changes

AWS Region: All supported AWS regions



AWS CloudFormation template

To create AWS Config managed rules with AWS CloudFormation templates, see Creating AWS Config Managed Rules With AWS CloudFormation Templates.