Lambda permission misconfigured

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Lambda permission misconfigured

Metadata

Id: 3ddf3417-424d-420d-8275-0724dc426520

Cloud Provider: AWS

Platform: Ansible

Severity: Low

Category: Best Practices

Learn More

Provider Reference

Description

Lambda permission statements must set the action to lambda:InvokeFunction so callers are limited to invoking the function and cannot receive broader or unintended Lambda privileges.

Check Ansible tasks that use the amazon.aws.lambda_policy or lambda_policy modules. The action property must be defined and set to the exact string lambda:InvokeFunction. Tasks missing the action property or using any other value (for example lambda:*, a different Lambda action, or an empty value) are flagged because they can over-privilege callers or result in misconfigured access.

Secure example with the action explicitly set:

- name: Allow S3 to invoke my Lambda
  amazon.aws.lambda_policy:
    name: my_lambda_policy
    state: present
    principal: s3.amazonaws.com
    action: lambda:InvokeFunction
    function_name: my-function

Compliant Code Examples

- name: Lambda S3 notification negative
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:InvokeFunction
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012

Non-Compliant Code Examples

- name: Lambda S3 notification positive
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:CreateFunction
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012