Lambda IAM InvokeFunction Misconfigured

  • Query id: 0ca1017d-3b80-423e-bb9c-6cd5898d34bd
  • Query name: Lambda IAM InvokeFunction Misconfigured
  • Platform: Terraform
  • Severity: Low
  • Category: Best Practices
  • CWE: Ongoing
  • URL: Github

Description

Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_iam_policy" "positive1policy" {
  name        = "positive1policy"
  path        = "/"
  description = "Positive1 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:positive1"
        ]
      },
    ]
  })
}
Positive test num. 2 - tf file
resource "aws_iam_policy" "positive2policy" {
  name        = "positive2policy"
  path        = "/"
  description = "Positive2 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:positive2*:*"
        ]
      },
    ]
  })
}
Positive test num. 3 - tf file
resource "aws_iam_policy" "positive3policy" {
  name        = "positive3policy"
  path        = "/"
  description = "positive3 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:*:*"
        ]
      },
    ]
  })
}

Positive test num. 4 - tf file
resource "aws_iam_policy" "positive4policy" {
  name        = "positive4policy"
  path        = "/"
  description = "positive4 Policy"
  policy      = data.aws_iam_policy_document.datapositive4policy.json
}
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
data "aws_iam_policy_document" "datapositive4policy" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction"
    ]

    resources = [
      "arn:aws:lambda:*:*:function:*:*"
    ]
  }
}
Positive test num. 5 - tf file
resource "aws_iam_policy" "positive5policy" {
  name        = "positive5policy"
  path        = "/"
  description = "positive5 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "*",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:*:*"
        ]
      },
    ]
  })
}
Positive test num. 6 - tf file
resource "aws_iam_policy" "positive6policy" {
  name        = "positive6policy"
  path        = "/"
  description = "positive6 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "lambda:*",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:*:*"
        ]
      },
    ]
  })
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_iam_policy" "negative1policy" {
  name        = "negative1policy"
  path        = "/"
  description = "negative1 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect   = "Allow"
        Resource = [
            "arn:aws:lambda:*:*:function:negative1",
            "arn:aws:lambda:*:*:function:negative1:*"
        ]
      },
    ]
  })
}
Negative test num. 2 - tf file
resource "aws_iam_policy" "negative2policy" {
  name        = "negative2policy"
  path        = "/"
  description = "negative2 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:*",
        ]
        Effect   = "Allow"
        Resource = ["*"]
      },
    ]
  })
}
Negative test num. 3 - tf file
resource "aws_lambda_function" "negative3" {
  function_name = "negative3"
  role          = "negative3_role"
}

resource "aws_iam_policy" "negative3policy" {
  name        = "negative3policy"
  path        = "/"
  description = "negative3 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:*",
        ]
        Effect   = "Allow"
        Resource = [
            aws_lambda_function.negative3.arn,
            "${aws_lambda_function.negative3.arn}:*"
        ]
      },
    ]
  })
}