Lambda With Vulnerable Policy
- Query id: ad9dabc7-7839-4bae-a957-aa9120013f39
- Query name: Lambda With Vulnerable Policy
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- URL: Github
Description¶
The attribute 'action' should not have wildcard
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
provider "aws" {
region = "us-east-1"
}
resource "aws_lambda_function" "my-lambda" {
filename = "~/Downloads/lambda.json.zip"
function_name = "my-lambda"
role = aws_iam_role.lambda-role.arn
handler = "lambda_function.lambda_handler"
runtime = "python3.8"
}
resource "aws_iam_role" "lambda-role" {
name = "lambda-role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
resource "aws_lambda_permission" "all" {
statement_id = "AllowAllResources"
action = "lambda:*"
function_name = aws_lambda_function.my-lambda.function_name
principal = "s3.amazonaws.com"
source_arn = "arn:aws:s3:::delete-me-us-east-1-permissions-tests"
source_account = "111111111111"
qualifier = aws_lambda_alias.my-lambda-alias.name
}
resource "aws_lambda_alias" "my-lambda-alias" {
name = "v1"
description = "a sample description"
function_name = aws_lambda_function.my-lambda.function_name
function_version = "$LATEST"
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_lambda_permission" "allow_cloudwatch" {
statement_id = "AllowExecutionFromCloudWatch"
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.test_lambda.function_name
principal = "events.amazonaws.com"
source_arn = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
qualifier = aws_lambda_alias.test_alias.name
}
resource "aws_lambda_alias" "test_alias" {
name = "testalias"
description = "a sample description"
function_name = aws_lambda_function.test_lambda.function_name
function_version = "$LATEST"
}
resource "aws_lambda_function" "test_lambda" {
filename = "lambdatest.zip"
function_name = "lambda_function_name"
role = aws_iam_role.iam_for_lambda.arn
handler = "exports.handler"
runtime = "nodejs12.x"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Action = "sts:AssumeRole"
Effect = "Allow"
Sid = ""
Principal = {
Service = "lambda.amazonaws.com"
}
},
]
})
}