For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-lambda-permission-principal-is-wildcard.md. A documentation index is available at /llms.txt.

Lambda permission principal is a wildcard

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-lambda-permission-principal-is-wildcard

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Description

Granting a wildcard principal (*) in a Lambda permission makes the function publicly invokable, allowing any AWS account or unauthenticated caller to invoke it and potentially leading to unauthorized invocation, data exposure, or abuse. The AWS::Lambda::Permission resource’s Principal property must specify an explicit principal, such as a service principal (for example, sns.amazonaws.com), an AWS account ARN, or a specific IAM principal. It must not be * or contain wildcard values. This rule flags AWS::Lambda::Permission resources where Properties.Principal contains *. To fix, set Principal to the intended principal and, when applicable, add SourceArn or other conditions to restrict which resources can invoke the function.

Secure configuration example:

MyLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !GetAtt MyFunction.Arn
    Action: lambda:InvokeFunction
    Principal: sns.amazonaws.com
    SourceArn: arn:aws:sns:us-east-1:123456789012:MyTopic

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates RDS Cluster",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": "function.Arn",
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": "AWS::AccountId",
        "SourceArn": "bucket.Arn"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: Creates RDS Cluster
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: '*'
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn

{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "SourceAccount": "AWS::AccountId",
        "SourceArn": "bucket.Arn",
        "FunctionName": "function.Arn",
        "Action": "lambda:InvokeFunction",
        "Principal": "*"
      }
    }
  },
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Creates RDS Cluster"
}