Public Lambda via API Gateway
- Query id: 57b12981-3816-4c31-b190-a1e614361dd2
- Query name: Public Lambda via API Gateway
- Platform: CloudFormation
- Severity: Medium
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
Allowing to run lambda function using public API Gateway
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
s3Permission3:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt function.Arn
Action: lambda:InvokeFunction
Principal: apigateway.amazonaws.com
SourceAccount: !Ref 'AWS::AccountId'
SourceArn: arn:aws:s3:eu-central-1:123456789012/*/*
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"s3Permission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {
"Fn::GetAtt": [
"function",
"Arn"
]
},
"Action": "lambda:InvokeFunction",
"Principal": "apigateway.amazonaws.com",
"SourceAccount": {
"Ref": "AWS::AccountId"
},
"SourceArn": "arn:aws:s3:eu-central-1:123456789012/*/*"
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
s3Permission3:
Type: AWS::Lambda::Permission
Properties:
FunctionName: !GetAtt function.Arn
Action: lambda:InvokeFunction
Principal: s3.amazonaws.com
SourceAccount: !Ref 'AWS::AccountId'
SourceArn: arn:aws:s3:eu-central-1:123456789012:bucketname
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"s3Permission": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"FunctionName": {
"Fn::GetAtt": [
"function",
"Arn"
]
},
"Action": "lambda:InvokeFunction",
"Principal": "s3.amazonaws.com",
"SourceAccount": {
"Ref": "AWS::AccountId"
},
"SourceArn": "arn:aws:s3:eu-central-1:123456789012:bucketname"
}
}
}
}