Public Lambda function via API Gateway

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Public Lambda function via API Gateway

Metadata

Id: 57b12981-3816-4c31-b190-a1e614361dd2

Cloud Provider: AWS

Platform: CloudFormation

Severity: Medium

Category: Access Control

Learn More

Provider Reference

Description

Lambda permissions that grant API Gateway or the public principal access with a SourceArn ending in /*/* allow any API stage and method to invoke the function. This enables broad or unintended public invocation and can result in unauthorized executions, data exposure, and increased resource consumption.

In AWS CloudFormation, check AWS::Lambda::Permission resources where Action is lambda:InvokeFunction or lambda:* and Principal is apigateway.amazonaws.com or *. The SourceArn must not equal /*/* or end with /*/*. Resources missing SourceArn or containing a trailing /*/* will be flagged. Set SourceArn to a specific execute-api ARN that includes the API ID, stage, and method to limit invocation scope.

Secure configuration example:

MyLambdaPermission:
  Type: AWS::Lambda::Permission
  Properties:
    FunctionName: !Ref MyFunction
    Action: "lambda:InvokeFunction"
    Principal: "apigateway.amazonaws.com"
    SourceArn: "arn:aws:execute-api:us-east-1:123456789012:api-id/prod/GET/myresource"

Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  s3Permission3:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: arn:aws:s3:eu-central-1:123456789012:bucketname

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": [
            "function",
            "Arn"
          ]
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "s3.amazonaws.com",
        "SourceAccount": {
          "Ref": "AWS::AccountId"
        },
        "SourceArn": "arn:aws:s3:eu-central-1:123456789012:bucketname"
      }
    }
  }
}

Non-Compliant Code Examples

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "s3Permission": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Fn::GetAtt": [
            "function",
            "Arn"
          ]
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "SourceAccount": {
          "Ref": "AWS::AccountId"
        },
        "SourceArn": "arn:aws:s3:eu-central-1:123456789012/*/*"
      }
    }
  }
}

AWSTemplateFormatVersion: "2010-09-09"
Description: "BatchJobDefinition"
Resources:
  s3Permission3:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt function.Arn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceAccount: !Ref 'AWS::AccountId'
      SourceArn: arn:aws:s3:eu-central-1:123456789012/*/*