Lambda permission misconfigured
Id: 9b83114b-b2a1-4534-990d-06da015e47aa
Cloud Provider: AWS
Platform: CloudFormation
Severity: Low
Category: Best Practices
Description
Lambda permissions must explicitly allow only the invocation action to enforce least privilege and prevent unintended access to other function operations or configuration. In AWS CloudFormation, the Action property in AWS::Lambda::Permission resources must be set exactly to lambda:InvokeFunction. Resources missing Action or with any other value will be flagged as a security risk.
Secure CloudFormation example:

MyFunctionPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !GetAtt MyFunction.Arn
    Action: lambda:InvokeFunction
    Principal: sns.amazonaws.com
Compliant Code Examples
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": { "Fn::GetAtt": ["function", "Arn"] },
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": { "Ref": "AWS::AccountId" },
        "SourceArn": { "Fn::GetAtt": ["bucket", "Arn"] }
      }
    }
  }
}
Non-Compliant Code Examples
{
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "SourceArn": { "Fn::GetAtt": ["bucket", "Arn"] },
        "FunctionName": { "Fn::GetAtt": ["function", "Arn"] },
        "Action": "lambda:GetFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": { "Ref": "AWS::AccountId" }
      }
    }
  }
}
Resources:
  s3Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:GetFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: !GetAtt bucket.Arn