Lambda Permission Misconfigured

Query id: 75ec6890-83af-4bf1-9f16-e83726df0bd0
Query name: Lambda Permission Misconfigured
Platform: Terraform
Severity: Low
Category: Best Practices
CWE: 710
URL: Github

Description¶

Lambda permission may be misconfigured if the action field is not filled in by 'lambda:InvokeFunction'
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - tf file

resource "aws_lambda_permission" "positive1" {
  action        = "lambda:DeleteFunction"
  function_name = aws_lambda_function.logging.function_name
  principal     = "logs.eu-west-1.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.default.arn}:*"
}

Code samples without security vulnerabilities¶

Negative test num. 1 - tf file

resource "aws_lambda_permission" "negative1" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.logging.function_name
  principal     = "logs.eu-west-1.amazonaws.com"
  source_arn    = "${aws_cloudwatch_log_group.default.arn}:*"
}