Public Lambda via API Gateway
- Query id: 3ef8696c-e4ae-4872-92c7-520bb44dfe77
- Query name: Public Lambda via API Gateway
- Platform: Terraform
- Severity: Medium
- Category: Access Control
- CWE: Ongoing
- URL: Github
Description
Allows a Lambda function to be invoked through a public API Gateway: the permission's `source_arn` uses the `/*/*` wildcard, so any stage, method and resource of the REST API can invoke the function.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
```tf
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"

  # The "/*/*" portion grants access from any method on any resource
  # within the API Gateway REST API.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
}

resource "aws_lambda_function" "example" {
  function_name = "ServerlessPerson"
  handler       = "MyHandler::handleRequest"
  runtime       = "java11"
  role          = aws_iam_role.lambda_exec.arn
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file
```tf
resource "aws_lambda_permission" "apigw" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"

  # A specific stage/method/resource path instead of the "/*/*" wildcard
  # limits which API Gateway invocations may call the function.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/test/test"
}

resource "aws_lambda_function" "example" {
  function_name = "ServerlessPerson"
  handler       = "MyHandler::handleRequest"
  runtime       = "java11"
  role          = aws_iam_role.lambda_exec.arn
}
```
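As an added example (not part of the KICS documentation; KICS queries themselves are written in Rego), the following Python check parses `aws_lambda_permission` blocks out of Terraform text and flags the wildcard `source_arn` pattern shown above. The sample input is constructed from the two snippets on this page; as an assumption that goes beyond the page, a permission with no `source_arn` at all is also treated as unrestricted.

```python
import re

# Constructed sample input, modelled on the positive and negative snippets on this page.
SAMPLE_TF = '''
resource "aws_lambda_permission" "apigw_open" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"
  # "/*/*" lets any stage and any method/resource of the API invoke the function
  source_arn    = "${aws_api_gateway_rest_api.example.execution_arn}/*/*"
}

resource "aws_lambda_permission" "apigw_scoped" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.example.execution_arn}/test/test"
}
'''

BLOCK_RE = re.compile(r'resource\s+"aws_lambda_permission"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$', re.M)


def parse_permissions(hcl):
    """Return {block_name: {attribute: value}} for every aws_lambda_permission block."""
    permissions = {}
    for name, body in BLOCK_RE.findall(hcl):
        lines = [l for l in body.splitlines() if not l.lstrip().startswith("#")]
        permissions[name] = {k: v.strip('"') for k, v in ATTR_RE.findall("\n".join(lines))}
    return permissions


def api_path_suffix(source_arn):
    """Return the '/stage/method/resource' part of an execute-api ARN or interpolation."""
    if "${" in source_arn:
        return source_arn.split("}", 1)[1]  # text after the execution_arn reference
    tail = source_arn.rsplit(":", 1)[-1]      # "api-id/stage/method/resource"
    return tail[len(tail.split("/", 1)[0]):]


def is_public_invoke(attrs):
    """True when API Gateway may invoke the function without a specific source restriction."""
    if attrs.get("principal") != "apigateway.amazonaws.com":
        return False
    if attrs.get("action", "") not in ("lambda:InvokeFunction", "lambda:*"):
        return False
    source_arn = attrs.get("source_arn")
    if source_arn is None:  # assumption: no source_arn means any API Gateway may invoke
        return True
    return "*" in api_path_suffix(source_arn)  # wildcard stage/method/resource


def find_public_lambda_permissions(hcl):
    """Names of aws_lambda_permission blocks this check would flag."""
    return [n for n, a in parse_permissions(hcl).items() if is_public_invoke(a)]
```

Running `find_public_lambda_permissions(SAMPLE_TF)` reports only `apigw_open`; the scoped permission with `/test/test` passes.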