---
title: Lambda permission principal is wildcard
description: Datadog, the leading service for cloud-scale monitoring.
---

# Lambda permission principal is wildcard

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `1d972c56-8ec2-48c1-a578-887adb09c57a`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/lambda_policy_module.html)

### Description{% #description %}

Lambda function permissions must not use wildcard principals (`*`). This effectively allows any AWS account or anonymous principal to invoke the function, increasing the risk of unauthorized invocations and data exposure.

In Ansible, check tasks using the `amazon.aws.lambda_policy` or `lambda_policy` modules and ensure the `principal` property does not contain `*` or other wildcard values. The `principal` must specify explicit principals such as an AWS account ARN, role ARN, or service principal (for example, `arn:aws:iam::123456789012:role/MyRole` or `events.amazonaws.com`). Tasks where `principal` includes `*` are flagged.

Secure example using an explicit service principal:

```yaml
- name: Allow EventBridge to invoke Lambda
  amazon.aws.lambda_policy:
    state: present
    function_name: my-function
    principal: events.amazonaws.com
    action: lambda:InvokeFunction
    source_arn: arn:aws:events:us-east-1:123456789012:rule/MyRule
```
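The check described above, as an added example that is not Datadog's rule implementation: a small Python script that walks an Ansible task list, looks at every `amazon.aws.lambda_policy` or `lambda_policy` task, and reports any whose `principal` contains `*`. It goes slightly beyond the description by also descending into `block`, `rescue` and `always` sections, since tasks nested there are still tasks. The playbook tasks are constructed inline as the dict structure `yaml.safe_load()` would produce, so the script runs without PyYAML; the task names, ARNs and the account id are constructed sample values.

```python
"""Flag Ansible lambda_policy tasks whose principal is a wildcard.

Added example, not Datadog's rule code. SAMPLE_TASKS below is constructed
inline as the structure yaml.safe_load() returns for a playbook's task
list, so no YAML library is required.
"""
from typing import Any, Dict, Iterator, List, Tuple

# Both the fully qualified collection name and the short module name are in
# scope, as the rule description states. A tuple keeps iteration deterministic.
LAMBDA_POLICY_MODULES = ("amazon.aws.lambda_policy", "lambda_policy")

# Task keys that nest further tasks (Ansible block syntax).
NESTING_KEYS = ("block", "rescue", "always")


def iter_tasks(tasks: List[Any], path: str = "") -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, task) pairs, descending into block/rescue/always lists."""
    for index, task in enumerate(tasks):
        if not isinstance(task, dict):
            continue  # malformed entry; not a task mapping
        here = f"{path}[{index}]"
        yield here, task
        for key in NESTING_KEYS:
            nested = task.get(key)
            if isinstance(nested, list):
                yield from iter_tasks(nested, f"{here}.{key}")


def is_wildcard_principal(principal: Any) -> bool:
    """True when the principal is, or contains, '*' (e.g. "*" or an
    account-wildcard ARN). Non-string values such as unresolved Jinja
    expressions are left alone because their value is not known statically."""
    return isinstance(principal, str) and "*" in principal


def find_wildcard_principals(tasks: List[Any]) -> List[Dict[str, Any]]:
    """Return one finding per lambda_policy task with a wildcard principal."""
    findings = []
    for path, task in iter_tasks(tasks):
        for module in LAMBDA_POLICY_MODULES:
            args = task.get(module)
            if isinstance(args, dict) and is_wildcard_principal(args.get("principal")):
                findings.append({
                    "path": path,
                    "name": task.get("name", "<unnamed>"),
                    "module": module,
                    "principal": args["principal"],
                })
    return findings


# Constructed sample task list (what yaml.safe_load() would give for a playbook).
SAMPLE_TASKS = [
    {   # compliant: explicit service principal
        "name": "Allow S3 to invoke the function",
        "amazon.aws.lambda_policy": {
            "state": "present", "function_name": "functionName",
            "statement_id": "s3-invoke", "action": "lambda:InvokeFunction",
            "principal": "s3.amazonaws.com",
            "source_arn": "arn:aws:s3:::bucketName",
        },
    },
    {   # non-compliant: bare wildcard
        "name": "Allow anyone to invoke the function",
        "amazon.aws.lambda_policy": {
            "state": "present", "function_name": "functionName",
            "statement_id": "open-invoke", "action": "lambda:InvokeFunction",
            "principal": "*",
        },
    },
    {   # non-compliant, nested in a block: account-wildcard ARN
        "name": "Grant invoke rights",
        "block": [{
            "name": "Allow any account root to invoke",
            "amazon.aws.lambda_policy": {
                "state": "present", "function_name": "functionName",
                "statement_id": "any-account", "action": "lambda:InvokeFunction",
                "principal": "arn:aws:iam::*:root",
            },
        }],
    },
    {   # non-compliant via the short module name
        "name": "Legacy short-name task",
        "lambda_policy": {
            "state": "present", "function_name": "functionName",
            "statement_id": "legacy", "action": "lambda:InvokeFunction",
            "principal": "*",
        },
    },
    {"name": "Unrelated task", "ansible.builtin.debug": {"msg": "done"}},
]

if __name__ == "__main__":
    for finding in find_wildcard_principals(SAMPLE_TASKS):
        print(f"{finding['path']}: {finding['name']!r} uses principal "
              f"{finding['principal']!r} in {finding['module']}")
```

To run it against a real playbook, replace `SAMPLE_TASKS` with the `tasks` list of each play from `yaml.safe_load()`. A match on the bare `*` is what the rule flags; the substring test additionally catches wildcard ARNs, which the rule text also treats as wildcard values.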

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Lambda S3 event notification negative
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:AddPermission
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Lambda S3 event notification
  amazon.aws.lambda_policy:
    state: present
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:AddPermission
    principal: "*"
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
    source_account: 123456789012
```
