Lambda permission misconfigured
Id: 9b83114b-b2a1-4534-990d-06da015e47aa
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Best Practices
Description
Lambda permissions must explicitly allow only the invocation action to enforce least privilege and prevent unintended access to other function operations or configuration. In AWS CloudFormation, the Action property in AWS::Lambda::Permission resources must be set exactly to lambda:InvokeFunction. Resources missing Action or with any other value will be flagged as a security risk.
Secure CloudFormation example:
  MyFunctionPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt MyFunction.Arn
      Action: lambda:InvokeFunction
      Principal: sns.amazonaws.com
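The following is an added example, not Datadog's rule implementation and not AWS code: a standard-library-only Python checker that applies the rule above to a CloudFormation template in JSON form. It reports every AWS::Lambda::Permission resource whose Action is missing or is anything other than lambda:InvokeFunction (a wildcard such as lambda:* or an intrinsic function in place of the string is also reported, since neither can be confirmed as the single invoke action). The template, logical resource names and file name below are constructed for this example; YAML templates would additionally need a loader that understands CloudFormation's short-form tags such as !GetAtt and !Ref.

```python
# Added example (not Datadog's or AWS's own code): a stdlib-only checker that
# flags AWS::Lambda::Permission resources whose Action is missing or differs
# from lambda:InvokeFunction. Template contents and names are constructed.
import json
import sys

REQUIRED_ACTION = "lambda:InvokeFunction"
PERMISSION_TYPE = "AWS::Lambda::Permission"


def find_misconfigured_lambda_permissions(template: dict) -> list[dict]:
    """Return one finding per AWS::Lambda::Permission whose Action is not
    exactly lambda:InvokeFunction. Other resource types are ignored."""
    findings = []
    resources = template.get("Resources") or {}
    for logical_id, resource in resources.items():
        if not isinstance(resource, dict) or resource.get("Type") != PERMISSION_TYPE:
            continue
        props = resource.get("Properties") or {}
        action = props.get("Action")
        if action is None:
            reason = "Action is missing"
        elif action != REQUIRED_ACTION:
            # Catches lambda:GetFunction, wildcards such as lambda:*, and
            # intrinsic functions (dicts), which cannot be verified statically.
            reason = f"Action is {action!r}, expected {REQUIRED_ACTION!r}"
        else:
            continue
        findings.append({"resource": logical_id, "action": action, "reason": reason})
    return findings


def check_template_text(text: str) -> list[dict]:
    """Parse a JSON-form CloudFormation template and run the check."""
    return find_misconfigured_lambda_permissions(json.loads(text))


# Constructed sample: one compliant permission, three that should be flagged,
# and one unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "function": {"Type": "AWS::Lambda::Function", "Properties": {}},
        "s3InvokeOk": {
            "Type": PERMISSION_TYPE,
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["function", "Arn"]},
                "Action": "lambda:InvokeFunction",
                "Principal": "s3.amazonaws.com",
                "SourceAccount": {"Ref": "AWS::AccountId"},
            },
        },
        "s3GetFunction": {
            "Type": PERMISSION_TYPE,
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["function", "Arn"]},
                "Action": "lambda:GetFunction",
                "Principal": "s3.amazonaws.com",
            },
        },
        "s3Wildcard": {
            "Type": PERMISSION_TYPE,
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["function", "Arn"]},
                "Action": "lambda:*",
                "Principal": "s3.amazonaws.com",
            },
        },
        "s3NoAction": {
            "Type": PERMISSION_TYPE,
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["function", "Arn"]},
                "Principal": "s3.amazonaws.com",
            },
        },
    }
})


if __name__ == "__main__":
    # Usage: python check_lambda_permission.py [template.json]
    # With no argument the constructed sample above is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for finding in check_template_text(text):
        print(f"{finding['resource']}: {finding['reason']}")
```

Run against the constructed sample, the checker reports s3GetFunction, s3Wildcard and s3NoAction and stays silent on s3InvokeOk; resources of other types are skipped entirely, so a template with no AWS::Lambda::Permission resources yields no findings.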
Compliant Code Examples
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": { "Fn::GetAtt": ["function", "Arn"] },
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": { "Ref": "AWS::AccountId" },
        "SourceArn": { "Fn::GetAtt": ["bucket", "Arn"] }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "SourceArn": { "Fn::GetAtt": ["bucket", "Arn"] },
        "FunctionName": { "Fn::GetAtt": ["function", "Arn"] },
        "Action": "lambda:GetFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": { "Ref": "AWS::AccountId" }
      }
    }
  }
}
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:GetFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn