Group with privilege escalation by actions 'lambda:UpdateFunctionCode'
Id: 571254d8-aa6a-432e-9725-535d3ef04d69
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Access Control
Description
Granting the lambda:UpdateFunctionCode permission with the Resource attribute set to "*" in an IAM group policy enables users in that group to update the code of any Lambda function within the AWS account. This broad permission could allow a user to inject malicious code into critical Lambda functions or leverage those functions for privilege escalation, compromising the overall security of the environment. To mitigate this risk, permissions should be limited to only trusted users and to specific, necessary Lambda functions using fine-grained resource ARNs rather than wildcard resources.
Compliant Code Examples
resource "aws_iam_user" "cosmic2" {
  name = "cosmic2"
}

resource "aws_iam_user_policy" "inline_policy_run_instances2" {
  name = "inline_policy_run_instances"
  user = aws_iam_user.cosmic2.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "ec2:Describe*",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
Non-Compliant Code Examples
resource "aws_iam_group" "cosmic" {
  name = "cosmic"
}

resource "aws_iam_group_policy" "test_inline_policy" {
  name  = "test_inline_policy"
  group = aws_iam_group.cosmic.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "lambda:UpdateFunctionCode",
        ]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
  })
}
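
The condition in the description can be checked against the rendered policy JSON, which is what `jsonencode` produces. The following is an added example, not Datadog's rule implementation. It goes beyond the literal rule by also matching wildcard actions such as `lambda:*`, `NotAction` grants, and a wildcard function-name ARN; it ignores `Condition` and `NotResource`. The account ID and function name in the sample are constructed placeholders.

```python
import json
import re

RISKY_ACTION = "lambda:UpdateFunctionCode"

def _as_list(value):
    """IAM accepts one value or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _glob_match(pattern, text):
    """IAM-style match: '*' and '?' wildcards, case-insensitive."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text, re.IGNORECASE) is not None

def _grants_risky_action(stmt):
    if "NotAction" in stmt:  # Allow + NotAction grants every action not listed
        return not any(_glob_match(p, RISKY_ACTION) for p in _as_list(stmt["NotAction"]))
    return any(_glob_match(p, RISKY_ACTION) for p in _as_list(stmt.get("Action")))

def _unscoped(resource):
    # "*" is the case the rule describes; a wildcard function name is
    # treated as equally broad here (assumption of this example).
    return resource == "*" or resource.lower().endswith(":function:*")

def find_unscoped_update_function_code(policy_json):
    """Return indexes of Allow statements granting the action on any function."""
    policy = json.loads(policy_json)
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if _grants_risky_action(stmt) and any(_unscoped(r) for r in resources):
            hits.append(i)
    return hits

# Constructed sample: the page's non-compliant statement, a wildcard-action
# variant, a statement scoped to one function, and the compliant ec2 statement.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:UpdateFunctionCode"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lambda:Update*", "Resource": ["*"]},
    {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
]})

if __name__ == "__main__":
    print(find_unscoped_update_function_code(SAMPLE))
```

Only the first two statements of the sample are reported; the statement scoped to a single function ARN and the `ec2:Describe*` statement pass.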