AWS Lambda permissions must be carefully defined so that the Action field in the IAM policy explicitly specifies allowed actions, such as "lambda:InvokeFunction". If the Action field is omitted or set too broadly, it could inadvertently grant unnecessary permissions, allowing unintended users or services to perform privileged operations on the Lambda function. This misconfiguration increases the risk of unauthorized invocation or modification of Lambda functions, potentially leading to security breaches or the execution of malicious code.
A secure Terraform configuration ensures the Action is correctly specified:
```hcl
resource "aws_iam_policy" "negative1policy" {
  name        = "negative1policy"
  path        = "/"
  description = "negative1 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:lambda:*:*:function:negative1",
          "arn:aws:lambda:*:*:function:negative1:*"
        ]
      },
    ]
  })
}
```
```hcl
resource "aws_iam_policy" "negative2policy" {
  name        = "negative2policy"
  path        = "/"
  description = "negative2 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:*",
        ]
        Effect   = "Allow"
        Resource = ["*"]
      },
    ]
  })
}
```
```hcl
resource "aws_lambda_function" "negative3" {
  function_name = "negative3"
  role          = "negative3_role"
}

resource "aws_iam_policy" "negative3policy" {
  name        = "negative3policy"
  path        = "/"
  description = "negative3 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "s3:*",
        ]
        Effect = "Allow"
        Resource = [
          aws_lambda_function.negative3.arn,
          "${aws_lambda_function.negative3.arn}:*"
        ]
      },
    ]
  })
}
```
## Non-Compliant Code Examples
```hcl
resource "aws_iam_policy" "positive1policy" {
  name        = "positive1policy"
  path        = "/"
  description = "Positive1 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:lambda:*:*:function:positive1"
        ]
      },
    ]
  })
}
```
```hcl
resource "aws_iam_policy" "positive2policy" {
  name        = "positive2policy"
  path        = "/"
  description = "Positive2 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:lambda:*:*:function:positive2*:*"
        ]
      },
    ]
  })
}
```
```hcl
resource "aws_iam_policy" "positive3policy" {
  name        = "positive3policy"
  path        = "/"
  description = "positive3 Policy"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  policy = jsonencode({
    Version = "2022-20-27"
    Statement = [
      {
        Action = [
          "lambda:InvokeFunction",
        ]
        Effect = "Allow"
        Resource = [
          "arn:aws:lambda:*:*:function:*:*"
        ]
      },
    ]
  })
}
```
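The examples above draw the line between compliant and non-compliant on two things: the Action is explicit rather than missing or a wildcard, and the Resource names one specific function together with its `<arn>:*` form (covering versions and aliases) instead of a wildcard function name. The following Python checker, added here as an illustration and not Datadog's rule implementation, applies that reading of the rule to the JSON that `jsonencode` would produce. The rule logic it encodes is an assumption inferred from the page's examples, and the sample policy documents are constructed to mirror them.

```python
import json
import re

# Matches a Lambda function ARN; group 1 is the function name, group 2 an
# optional qualifier (version number, alias or "*") after the name.
FUNCTION_ARN = re.compile(
    r"^arn:aws:lambda:[^:]*:[^:]*:function:([^:]+)(?::([^:]+))?$"
)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_lambda_invoke_policy(policy_json: str) -> list:
    """Return findings for an IAM policy document; an empty list means it passes.

    Assumed rule logic (inferred from the page's examples, not Datadog's own
    implementation): an Allow statement is in scope when its Action is missing,
    is a wildcard that would cover lambda:InvokeFunction ("*" or "lambda:*"),
    or names lambda:InvokeFunction. In-scope statements must list specific
    function ARNs with no wildcard in the function name, and each unqualified
    function ARN must be paired with the "<arn>:*" form for versions/aliases.
    Statements for other services (e.g. "s3:*") are out of scope, as on the page.
    """
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not actions:
            findings.append(f"statement {idx}: Action is missing")
            continue
        broad = [a for a in actions if a in ("*", "lambda:*")]
        if broad:
            findings.append(
                f"statement {idx}: Action {broad[0]!r} is broader than lambda:InvokeFunction"
            )
        if "lambda:invokefunction" not in actions and not broad:
            continue
        unqualified, all_versions = set(), set()
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append(f"statement {idx}: Resource '*' allows invoking any function")
                continue
            match = FUNCTION_ARN.match(res)
            if not match:
                findings.append(f"statement {idx}: {res!r} is not a Lambda function ARN")
                continue
            name, qualifier = match.group(1), match.group(2)
            if "*" in name:
                findings.append(f"statement {idx}: wildcard in function name {name!r}")
                continue
            if qualifier is None:
                unqualified.add(name)
            elif qualifier == "*":
                all_versions.add(name)
        for name in sorted(unqualified - all_versions):
            findings.append(
                f"statement {idx}: {name!r} lacks the ':*' ARN covering its versions and aliases"
            )
    return findings


def _policy(action, resource):
    """Build a constructed policy document in the shape jsonencode() emits."""
    stmt = {"Effect": "Allow", "Resource": resource}
    if action is not None:
        stmt["Action"] = action
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


# Constructed samples mirroring the page's compliant and non-compliant examples.
SAMPLES = {
    "compliant": _policy(["lambda:InvokeFunction"], [
        "arn:aws:lambda:*:*:function:negative1",
        "arn:aws:lambda:*:*:function:negative1:*",
    ]),
    "other_service": _policy(["s3:*"], ["*"]),  # out of scope, passes
    "no_versions": _policy(["lambda:InvokeFunction"],
                           ["arn:aws:lambda:*:*:function:positive1"]),
    "wildcard_name": _policy(["lambda:InvokeFunction"],
                             ["arn:aws:lambda:*:*:function:positive2*:*"]),
    "any_function": _policy(["lambda:InvokeFunction"],
                            ["arn:aws:lambda:*:*:function:*:*"]),
    "no_action": _policy(None, ["arn:aws:lambda:*:*:function:negative1"]),
    "broad_action": _policy("lambda:*", ["arn:aws:lambda:*:*:function:negative1"]),
}


if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, check_lambda_invoke_policy(doc) or "OK")
```

Run it directly to see one line per sample; in a pipeline you would feed it the rendered policy JSON (for example from `terraform show -json`) and fail the build on any non-empty findings list.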
This rule belongs to the Terraform / AWS ruleset (rules to enforce for AWS).