For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-public-lambda-via-api-gateway.md. A documentation index is available at /llms.txt.

Public Lambda function via API Gateway

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-public-lambda-via-api-gateway

Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Description

Lambda permissions that grant API Gateway or the public principal access with a SourceArn ending in /*/* allow any API stage and method to invoke the function. This enables broad or unintended public invocation and can result in unauthorized executions, data exposure, and increased resource consumption.

In AWS CloudFormation, check AWS::Lambda::Permission resources where Action is lambda:InvokeFunction or lambda:* and Principal is apigateway.amazonaws.com or *. The SourceArn must not equal /*/* or end with /*/*. Resources missing SourceArn or containing a trailing /*/* will be flagged. Set SourceArn to a specific execute-api ARN that includes the API ID, stage, and method to limit invocation scope.

Secure configuration example:

MyLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Ref MyFunction
    Action: "lambda:InvokeFunction"
    Principal: "apigateway.amazonaws.com"
    SourceArn: "arn:aws:execute-api:us-east-1:123456789012:api-id/prod/GET/myresource"

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  s3Permission3:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: arn:aws:s3:eu-central-1:123456789012:bucketname

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": [
            "function",
            "Arn"
          ]
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": {
          "Ref": "AWS::AccountId"
        },
        "SourceArn": "arn:aws:s3:eu-central-1:123456789012:bucketname"
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  s3Permission3:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: arn:aws:s3:eu-central-1:123456789012/*/*

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": [
            "function",
            "Arn"
          ]
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "SourceAccount": {
          "Ref": "AWS::AccountId"
        },
        "SourceArn": "arn:aws:s3:eu-central-1:123456789012/*/*"
      }
    }
  }
}

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  permission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !GetAtt function.Arn
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/*/*