Lambda Permission Principal Is Wildcard

  • Query id: e08ed7eb-f3ef-494d-9d22-2e3db756a347
  • Query name: Lambda Permission Principal Is Wildcard
  • Platform: Terraform
  • Severity: Medium
  • Category: Access Control
  • URL: Github

Description

The principal of an aws_lambda_permission should not be a wildcard ("*"). A wildcard principal grants permission to invoke the function to any AWS account or service, rather than only to the single service (for example events.amazonaws.com) or account that actually needs it; a source_arn condition narrows the grant but is not a substitute for an explicit principal.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_lambda_permission" "positive1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "*" # wildcard: any account or service may invoke the function
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_lambda_permission" "negative1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "events.amazonaws.com" # restricted to the CloudWatch Events service
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}
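The following is an added example, not the KICS query itself (KICS queries are written in Rego) and not part of this page. It implements the same check in Python over the two samples above: it extracts every aws_lambda_permission resource from a Terraform file with a deliberately simple line-based parser (assumed here: one attribute per line, no nested blocks) and reports any whose principal contains a wildcard. The sample text is constructed from the page's positive and negative tests.

```python
import re

# Constructed sample mirroring the page's positive (wildcard) and negative tests.
SAMPLE_TF = '''
resource "aws_lambda_permission" "positive1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "*"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}

resource "aws_lambda_permission" "negative1" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.test_lambda.function_name
  principal     = "events.amazonaws.com"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
  qualifier     = aws_lambda_alias.test_alias.name
}
'''

# Matches one aws_lambda_permission resource block and captures its name and body.
# Simplification: the body is assumed to end at the first line holding only "}".
BLOCK_RE = re.compile(
    r'resource\s+"aws_lambda_permission"\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}',
    re.DOTALL,
)
# Matches a single "key = value" attribute line inside a block body.
ATTR_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.+?)\s*$', re.MULTILINE)


def parse_lambda_permissions(tf_text):
    """Return {resource_name: {attribute: raw_value}} for each aws_lambda_permission."""
    resources = {}
    for block in BLOCK_RE.finditer(tf_text):
        attrs = {}
        for attr in ATTR_RE.finditer(block.group("body")):
            attrs[attr.group("key")] = attr.group("value")
        resources[block.group("name")] = attrs
    return resources


def unquote(value):
    """Strip surrounding double quotes from a literal; references are returned as-is."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def wildcard_principals(tf_text):
    """List (resource_name, principal) for permissions whose principal contains '*'.

    Per the query description, any wildcard in the principal is reported, so a
    partially wildcarded value such as "arn:aws:iam::*:root" is flagged as well.
    Blocks without a literal principal (e.g. a variable reference) are skipped.
    """
    findings = []
    for name, attrs in parse_lambda_permissions(tf_text).items():
        raw = attrs.get("principal")
        if raw is None:
            continue
        principal = unquote(raw)
        if "*" in principal:
            findings.append((name, principal))
    return findings


if __name__ == "__main__":
    for name, principal in wildcard_principals(SAMPLE_TF):
        print(f"aws_lambda_permission.{name}: principal {principal!r} contains a wildcard")
```

Run against the sample, only positive1 is reported; negative1 names the CloudWatch Events service principal and passes. The parser is intentionally minimal; for real repositories use a proper HCL parser or run KICS itself, since this regex does not handle nested blocks, heredocs, or multi-line expressions.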