For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-lambda-function-without-tags.md.
A documentation index is available at /llms.txt.
Lambda functions must be tagged so resources can be reliably identified, assigned ownership, and included in incident response, access reviews, and automated security workflows. The Tags property on AWS::Lambda::Function resources must be defined and contain tag objects (Key and Value pairs). Resources missing the Tags property will be flagged. Tags should be provided as an array of objects with Key and Value fields.
AWSTemplateFormatVersion:'2010-09-09'Parameters:ExistingSecurityGroups:Type:List<AWS::EC2::SecurityGroup::Id>ExistingVPC:Type:AWS::EC2::VPC::IdDescription:The VPC ID that includes the security groups in the ExistingSecurityGroupsparameter.InstanceType:Type:StringDefault:t2.microAllowedValues:- t2.micro- m1.smallMappings:AWSInstanceType2Arch:t2.micro:Arch:HVM64m1.small:Arch:HVM64AWSRegionArch2AMI:us-east-1:HVM64:ami-0ff8a91507f77f867HVMG2:ami-0a584ac55a7631c0cResources:SecurityGroup:Type:AWS::EC2::SecurityGroupProperties:GroupDescription:Allow HTTP traffic to the hostVpcId:Ref:ExistingVPCSecurityGroupIngress:- IpProtocol:tcpFromPort:'80'ToPort:'80'CidrIp:0.0.0.0/0SecurityGroupEgress:- IpProtocol:tcpFromPort:'80'ToPort:'80'CidrIp:0.0.0.0/0AllSecurityGroups:Type:Custom::SplitProperties:ServiceToken:!GetAtt AppendItemToListFunction.ArnList:Ref:ExistingSecurityGroupsAppendedItem:Ref:SecurityGroupAppendItemToListFunction:Type:AWS::Lambda::FunctionProperties:Handler:index.handlerRole:!GetAtt LambdaExecutionRole.ArnCode:ZipFile:!Sub |var response = require('cfn-response');exports.handler = function(event, context) {var responseData = {Value: event.ResourceProperties.List};responseData.Value.push(event.ResourceProperties.AppendedItem);response.send(event, context, response.SUCCESS, responseData);};Runtime:nodejs8.10MyEC2Instance:Type:AWS::EC2::InstanceProperties:ImageId:Fn::FindInMap:- AWSRegionArch2AMI- Ref:AWS::Region- Fn::FindInMap:- AWSInstanceType2Arch- Ref:InstanceType- ArchSecurityGroupIds:!GetAtt AllSecurityGroups.ValueInstanceType:Ref:InstanceTypeLambdaExecutionRole:Type:AWS::IAM::RoleProperties:AssumeRolePolicyDocument:Version:'2012-10-17'Statement:- Effect:AllowPrincipal:Service:- lambda.amazonaws.comAction:- sts:AssumeRolePath:"/"Policies:- PolicyName:rootPolicyDocument:Version:'2012-10-17'Statement:- Effect:AllowAction:- logs:*Resource:arn:aws:logs:*:*:*Outputs:AllSecurityGroups:Description:Security Groups that are associated with the EC2 instanceValue:Fn::Join:- ", "- Fn::GetAtt:- AllSecurityGroups- Value
{"AWSTemplateFormatVersion":"2010-09-09","Parameters":{"ExistingVPC":{"Type":"AWS::EC2::VPC::Id","Description":"The VPC ID that includes the security groups in the ExistingSecurityGroups parameter."},"InstanceType":{"Type":"String","Default":"t2.micro","AllowedValues":["t2.micro","m1.small"]},"ExistingSecurityGroups":{"Type":"List\u003cAWS::EC2::SecurityGroup::Id\u003e"}},"Mappings":{"AWSInstanceType2Arch":{"t2.micro":{"Arch":"HVM64"},"m1.small":{"Arch":"HVM64"}},"AWSRegionArch2AMI":{"us-east-1":{"HVM64":"ami-0ff8a91507f77f867","HVMG2":"ami-0a584ac55a7631c0c"}}},"Resources":{"SecurityGroup":{"Type":"AWS::EC2::SecurityGroup","Properties":{"GroupDescription":"Allow HTTP traffic to the host","VpcId":{"Ref":"ExistingVPC"},"SecurityGroupIngress":[{"FromPort":"80","ToPort":"80","CidrIp":"0.0.0.0/0","IpProtocol":"tcp"}],"SecurityGroupEgress":[{"IpProtocol":"tcp","FromPort":"80","ToPort":"80","CidrIp":"0.0.0.0/0"}]}},"AllSecurityGroups":{"Type":"Custom::Split","Properties":{"ServiceToken":"AppendItemToListFunction.Arn","List":{"Ref":"ExistingSecurityGroups"},"AppendedItem":{"Ref":"SecurityGroup"}}},"AppendItemToListFunction":{"Properties":{"Handler":"index.handler","Role":"LambdaExecutionRole.Arn","Code":{"ZipFile":"var response = require('cfn-response');\nexports.handler = function(event, context) {\n var responseData = {Value: event.ResourceProperties.List};\n responseData.Value.push(event.ResourceProperties.AppendedItem);\n response.send(event, context, response.SUCCESS, responseData);\n};\n"},"Runtime":"nodejs8.10"},"Type":"AWS::Lambda::Function"},"MyEC2Instance":{"Type":"AWS::EC2::Instance","Properties":{"ImageId":{"Fn::FindInMap":["AWSRegionArch2AMI",{"Ref":"AWS::Region"},{"Fn::FindInMap":["AWSInstanceType2Arch",{"Ref":"InstanceType"},"Arch"]}]},"SecurityGroupIds":"AllSecurityGroups.Value","InstanceType":{"Ref":"InstanceType"}}},"LambdaExecutionRole":{"Type":"AWS::IAM::Role","Properties":{"Policies":[{"PolicyName":"root","PolicyDocument":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["logs:*"],"Resource":"arn:aws:logs:*:*:*"}]}}],"AssumeRolePolicyDocument":{"Statement":[{"Action":["sts:AssumeRole"],"Effect":"Allow","Principal":{"Service":["lambda.amazonaws.com"]}}],"Version":"2012-10-17"},"Path":"/"}}},"Outputs":{"AllSecurityGroups":{"Description":"Security Groups that are associated with the EC2 instance","Value":{"Fn::Join":[", ",{"Fn::GetAtt":["AllSecurityGroups","Value"]}]}}}}
1
2
rulesets:- CloudFormation / AWS # Rules to enforce / AWS.
Request a personalized demo
Get Started with Datadog
Ask AI
AI-generated responses may be inaccurate. Verify important info.
