Lambda Permission Principal Is Wildcard

Query id: e08ed7eb-f3ef-494d-9d22-2e3db756a347
Query name: Lambda Permission Principal Is Wildcard
Platform: Terraform
Severity: Medium
Category: Access Control
URL: Github

Description¶

Lambda Permission Principal should not contain a wildcard.
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

resource "aws_lambda_permission" "positive1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "*"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_lambda_permission" "negative1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "events.amazonaws.com"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}