Lambda Permission Misconfigured

  • Query id: 9b83114b-b2a1-4534-990d-06da015e47aa
  • Query name: Lambda Permission Misconfigured
  • Platform: CloudFormation
  • Severity: Low
  • Category: Best Practices
  • URL: Github

Description

A Lambda permission may be misconfigured if its Action property is not set to 'lambda:InvokeFunction', the action that actually allows the named principal (here, S3) to invoke the function; granting a different action such as 'lambda:GetFunction' to a service principal does not achieve the intended invocation grant.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:GetFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
Positive test num. 2 - json file
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "SourceArn": "bucket.Arn",
        "FunctionName": "function.Arn",
        "Action": "lambda:GetFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": "AWS::AccountId"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
Negative test num. 2 - json file
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": "function.Arn",
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": "AWS::AccountId",
        "SourceArn": "bucket.Arn"
      }
    }
  }
}
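The check described above, implemented as an added example in Python; this is not KICS's own Rego query and does not reproduce its internals. It walks the Resources map of a JSON CloudFormation template, selects every AWS::Lambda::Permission resource, and reports those whose Action is anything other than lambda:InvokeFunction (a missing Action is reported as well). The embedded templates are constructed here to mirror the page's JSON positive and negative samples, plus one extra case with no Action at all. The YAML samples on the page use intrinsic tags (!GetAtt, !Ref) that a plain YAML safe loader rejects, so scanning them would require a loader with CloudFormation tag constructors, which this example assumes is out of scope and does not include.

```python
"""Flag AWS::Lambda::Permission resources whose Action is not lambda:InvokeFunction."""
import json
from typing import Any, Dict, List

# The only action that lets the principal invoke the function.
EXPECTED_ACTION = "lambda:InvokeFunction"


def find_misconfigured_lambda_permissions(template: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return one finding per AWS::Lambda::Permission whose Action != lambda:InvokeFunction."""
    findings: List[Dict[str, str]] = []
    resources = template.get("Resources", {})
    if not isinstance(resources, dict):
        return findings
    for name, resource in resources.items():
        if not isinstance(resource, dict):
            continue
        if resource.get("Type") != "AWS::Lambda::Permission":
            continue
        props = resource.get("Properties") or {}
        action = props.get("Action") if isinstance(props, dict) else None
        if action == EXPECTED_ACTION:
            continue  # correctly configured
        findings.append({
            "resource": name,
            "action": "<missing>" if action is None else str(action),
            "severity": "Low",  # severity as stated on this page for the query
            "message": f"Resources.{name}.Properties.Action should be '{EXPECTED_ACTION}'",
        })
    return findings


def scan_json_template(text: str) -> List[Dict[str, str]]:
    """Parse a JSON CloudFormation template and run the check over it."""
    return find_misconfigured_lambda_permissions(json.loads(text))


# Constructed sample templates (mirroring the page's JSON test cases).
POSITIVE_TEMPLATE = json.dumps({
    "Resources": {
        "s3Permission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "SourceArn": "bucket.Arn",
                "FunctionName": "function.Arn",
                "Action": "lambda:GetFunction",  # wrong action -> finding
                "Principal": "s3.amazonaws.com",
                "SourceAccount": "AWS::AccountId",
            },
        }
    }
})

NEGATIVE_TEMPLATE = json.dumps({
    "Resources": {
        "s3Permission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": "function.Arn",
                "Action": "lambda:InvokeFunction",  # expected action -> no finding
                "Principal": "s3.amazonaws.com",
                "SourceAccount": "AWS::AccountId",
                "SourceArn": "bucket.Arn",
            },
        }
    }
})

# Extra constructed case: Action omitted entirely (also reported).
MISSING_ACTION_TEMPLATE = json.dumps({
    "Resources": {
        "s3Permission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": "function.Arn",
                "Principal": "s3.amazonaws.com",
            },
        },
        "bucket": {"Type": "AWS::S3::Bucket"},  # unrelated resource, ignored
    }
})


if __name__ == "__main__":
    for label, template in (("positive", POSITIVE_TEMPLATE),
                            ("negative", NEGATIVE_TEMPLATE),
                            ("missing-action", MISSING_ACTION_TEMPLATE)):
        for finding in scan_json_template(template) or [{"message": "no findings"}]:
            print(f"[{label}] {finding['message']}")
```

Running the script reports the positive and missing-action templates and stays silent on the negative one; the scan works only on the resource type and Action value, so any other properties present on the permission are left untouched by the check.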