
Metadata

Id: 3ddf3417-424d-420d-8275-0724dc426520

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Best Practices

Description

A lambda_policy task adds a statement to the function's resource-based policy, which is what lets another account or an AWS service call the function. That statement must set the action to lambda:InvokeFunction so the caller is limited to invoking the function and does not receive any broader or unintended Lambda privilege.

The rule checks Ansible tasks that use the amazon.aws.lambda_policy module (or its short name, lambda_policy). The action property must be defined and set to the exact string lambda:InvokeFunction. Tasks that omit action, or that set it to any other value (for example lambda:*, a different Lambda action such as lambda:CreateFunction, or an empty string), are flagged because they can over-privilege the caller or produce a misconfigured permission.

Secure example with the action explicitly set. The module requires a statement_id for the permission statement, and when the principal is a service such as s3.amazonaws.com the source_arn or source_account should also be set so that only the intended bucket (not any bucket in any account) can invoke the function, as the compliant example further down does:

- name: Allow S3 to invoke my Lambda
  amazon.aws.lambda_policy:
    state: present
    statement_id: allow-s3-invoke
    principal: s3.amazonaws.com
    action: lambda:InvokeFunction
    function_name: my-function
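The check described above, written out as a small static analyser. This is an added example, not Datadog's rule implementation: it walks the task list that yaml.safe_load() returns for a playbook (including tasks nested in block/rescue/always), and reports every lambda_policy task whose action is missing or differs from lambda:InvokeFunction. The sample tasks at the bottom are constructed for this example; community.aws.lambda_policy is included as an assumed older module name.

```python
"""Flag Ansible lambda_policy tasks whose action is not lambda:InvokeFunction.

Input is the list of task dicts that yaml.safe_load() returns for a playbook's
tasks section. The SAMPLE_TASKS below are constructed for this example.
"""
from typing import Any, Dict, Iterator, List, Optional, Tuple

REQUIRED_ACTION = "lambda:InvokeFunction"

# Module names under which a lambda_policy task may appear. The FQCN and the
# short name come from the rule text; community.aws.lambda_policy is the older
# collection name and is included as an assumption.
LAMBDA_POLICY_MODULES = ("amazon.aws.lambda_policy", "community.aws.lambda_policy", "lambda_policy")
BLOCK_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks:
        if any(isinstance(task.get(key), list) for key in BLOCK_KEYS):
            for key in BLOCK_KEYS:
                yield from iter_tasks(task.get(key) or [])
        else:
            yield task


def lambda_policy_args(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module arguments if the task calls lambda_policy, else None."""
    for module in LAMBDA_POLICY_MODULES:
        if module in task:
            args = task[module]
            # Free-form (string) arguments carry no structured action at all.
            return args if isinstance(args, dict) else {}
    return None


def check_tasks(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Return (task name, reason) for every lambda_policy task that violates the rule."""
    findings: List[Tuple[str, str]] = []
    for task in iter_tasks(tasks):
        args = lambda_policy_args(task)
        if args is None:
            continue
        name = str(task.get("name", "<unnamed>"))
        action = args.get("action")
        if action is None:
            findings.append((name, "action is not defined"))
        elif action != REQUIRED_ACTION:
            # The rule demands the exact string, so no case folding or prefix matching.
            findings.append((name, f"action is {action!r}, expected {REQUIRED_ACTION!r}"))
    return findings


# Constructed sample: the structures yaml.safe_load() yields for a tasks list.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "S3 may invoke (compliant)",
     "amazon.aws.lambda_policy": {"state": "present", "function_name": "functionName",
                                  "statement_id": "s3-invoke", "action": "lambda:InvokeFunction",
                                  "principal": "s3.amazonaws.com",
                                  "source_arn": "arn:aws:s3:::bucketName"}},
    {"name": "Wrong action",
     "amazon.aws.lambda_policy": {"state": "present", "function_name": "functionName",
                                  "statement_id": "s3-create", "action": "lambda:CreateFunction",
                                  "principal": "s3.amazonaws.com"}},
    {"name": "Missing action (short module name)",
     "lambda_policy": {"state": "present", "function_name": "functionName",
                       "statement_id": "no-action", "principal": "sns.amazonaws.com"}},
    {"name": "Grouped",
     "block": [
         {"name": "Wildcard inside a block",
          "amazon.aws.lambda_policy": {"state": "present", "function_name": "functionName",
                                       "statement_id": "wild", "action": "lambda:*",
                                       "principal": "events.amazonaws.com"}},
     ]},
    {"name": "Empty action",
     "amazon.aws.lambda_policy": {"state": "present", "function_name": "functionName",
                                  "statement_id": "empty", "action": "",
                                  "principal": "s3.amazonaws.com"}},
    {"name": "Unrelated lambda task",
     "amazon.aws.lambda": {"name": "functionName", "state": "present"}},
]

if __name__ == "__main__":
    for task_name, reason in check_tasks(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```

Run against the sample, the checker reports four findings (the wrong action, the missing action, the wildcard inside the block and the empty string) and leaves the compliant task and the unrelated amazon.aws.lambda task alone. Feeding it a real playbook is a matter of `check_tasks(yaml.safe_load(open(path))[0]["tasks"])`.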

Compliant Code Examples

- name: Lambda S3 notification negative
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:InvokeFunction
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012

Non-Compliant Code Examples

- name: Lambda S3 notification positive
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:CreateFunction
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012