Lambda Permission Principal Is Wildcard

• Query id: 1d972c56-8ec2-48c1-a578-887adb09c57a
• Query name: Lambda Permission Principal Is Wildcard
• Platform: Ansible
• Severity: Medium
• Category: Access Control
• URL: Github

Description

Lambda Permission Principal should not contain a wildcard.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

- name: Lambda S3 event notification
  community.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:AddPermission
    principal: "*"
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: Lambda S3 event notification negative
  community.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:AddPermission
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012