Lambda Permission Principal Is Wildcard
- Query id: 1d6e16f1-5d8a-4379-bfb3-2dadd38ed5a7
- Query name: Lambda Permission Principal Is Wildcard
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- URL: Github
Description
A Lambda permission whose Principal is the wildcard '*' lets any AWS account or service invoke the function; the Principal should instead name the specific service (for example s3.amazonaws.com) or account that needs invoke access.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: '*'
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
```
Positive test num. 2 - json file
```json
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "SourceAccount": "AWS::AccountId",
        "SourceArn": "bucket.Arn",
        "FunctionName": "function.Arn",
        "Action": "lambda:InvokeFunction",
        "Principal": "*"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates RDS Cluster"
}
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
```
Negative test num. 2 - json file
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates RDS Cluster",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": "function.Arn",
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": "AWS::AccountId",
        "SourceArn": "bucket.Arn"
      }
    }
  }
}
```
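The check this query performs, re-implemented as a stand-alone Python script (an added example, not KICS's own Rego or code): it walks a CloudFormation template's Resources, picks out AWS::Lambda::Permission entries, and reports those whose Principal is or contains '*'. JSON templates are parsed with the standard library; YAML templates with short-form intrinsic tags such as !GetAtt and !Ref are handled only if PyYAML is installed (assumption: the tag-tolerant loader below is my own construction). The embedded samples are constructed to mirror the positive and negative JSON test cases above.

```python
import json

LAMBDA_PERMISSION = "AWS::Lambda::Permission"

def load_template(text):
    """Parse a CloudFormation template from JSON; fall back to YAML (needs PyYAML)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        import yaml  # optional dependency, only YAML templates need it

    class CfnLoader(yaml.SafeLoader):
        """SafeLoader that tolerates short-form intrinsic tags (!Ref, !GetAtt, !Sub, ...)."""

    def intrinsic(loader, suffix, node):
        # Keep the tag as a key so the value stays inspectable: {"!GetAtt": "bucket.Arn"}
        if isinstance(node, yaml.SequenceNode):
            return {"!" + suffix: loader.construct_sequence(node)}
        return {"!" + suffix: loader.construct_scalar(node)}
    CfnLoader.add_multi_constructor("!", intrinsic)
    return yaml.load(text, Loader=CfnLoader)

def is_wildcard_principal(principal):
    """True when Principal is, or contains, '*', i.e. no specific service or account is named."""
    if isinstance(principal, str):
        return "*" in principal
    if isinstance(principal, list):  # tolerate a list of principals
        return any(is_wildcard_principal(p) for p in principal)
    return False  # intrinsic-function dicts and missing values are not flagged here

def find_wildcard_lambda_permissions(template):
    """Logical IDs of AWS::Lambda::Permission resources whose Principal is a wildcard."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != LAMBDA_PERMISSION:
            continue
        if is_wildcard_principal(resource.get("Properties", {}).get("Principal")):
            findings.append(logical_id)
    return findings

# Constructed samples mirroring the page's positive and negative JSON test cases.
VULNERABLE = json.dumps({"Resources": {"s3Permission": {"Type": LAMBDA_PERMISSION, "Properties": {
    "FunctionName": "function.Arn", "Action": "lambda:InvokeFunction", "Principal": "*",
    "SourceAccount": "AWS::AccountId", "SourceArn": "bucket.Arn"}}}})
FIXED = VULNERABLE.replace('"Principal": "*"', '"Principal": "s3.amazonaws.com"')

if __name__ == "__main__":
    for name, text in (("positive", VULNERABLE), ("negative", FIXED)):
        print(name, find_wildcard_lambda_permissions(load_template(text)))  # ['s3Permission'] then []
```

Note that SourceArn and SourceAccount conditions do not change the verdict: the query flags the wildcard Principal regardless, as the positive samples above show.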