---
title: Public Lambda via API Gateway
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Public Lambda via API Gateway
---

# Public Lambda via API Gateway

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `5e92d816-2177-4083-85b4-f61b4f7176d9`

**Cloud Provider:** AWS

**Platform:** Ansible

**Severity:** Medium

**Category:** Access Control

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/amazon/aws/lambda_policy_module.html)

### Description{% #description %}

Allowing API Gateway to invoke a Lambda using a wildcard source ARN like `/*/*` grants any API, stage, or method the ability to invoke the function. This can result in unintended public or cross-account invocation and increase the risk of unauthorized execution.

In Ansible tasks using the `amazon.aws.lambda_policy` or `lambda_policy` modules, the `source_arn` property must not be set to `/*/*`. Instead, specify the full execute-api ARN (for example `arn:aws:execute-api:<region>:<account-id>:<api-id>/<stage>/<HTTP-VERB>/<resource>`).

This rule flags policies where `action` is `lambda:InvokeFunction` or `lambda:*` and `principal` is `apigateway.amazonaws.com` or `*` while `source_arn` matches `/*/*`. Avoid using a wildcard principal and prefer the explicit `apigateway.amazonaws.com` principal with a narrowed `source_arn`.

Secure configuration example:

```yaml
- name: Allow specific API Gateway to invoke Lambda
  amazon.aws.lambda_policy:
    function_name: my-function
    action: lambda:InvokeFunction
    principal: apigateway.amazonaws.com
    source_arn: arn:aws:execute-api:us-east-1:123456789012:abcd1234/prod/POST/myresource
```

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Lambda S3 event notification
  lambda_policy:
    state: "{{ state | default('present') }}"
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:InvokeFunction
    principal: s3.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012:bucketname
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: Lambda S3 event notification
  lambda_policy:
    state: "{{ state | default('present') }}"
    function_name: functionName
    alias: Dev
    statement_id: lambda-s3-myBucket-create-data-log
    action: lambda:InvokeFunction
    principal: apigateway.amazonaws.com
    source_arn: arn:aws:s3:eu-central-1:123456789012/*/*
```