---
title: Lambda function policies should not allow wildcard principals
---

# Lambda function policies should not allow wildcard principals
## Description{% #description %}

Lambda function resource policies should not grant access to wildcard principals (`Principal: "*"`) without scoping conditions. An unconditional wildcard principal allows any AWS account or unauthenticated user to access the resource, creating a significant security risk. Wildcard principals scoped by policy conditions (such as `aws:SourceAccount`, `aws:SourceArn`, or `aws:PrincipalOrgID`) are not flagged, because the condition restricts effective access.
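As an added illustration of the check this rule describes (example code written here, not Datadog's rule implementation), the function below reports `Allow` statements that grant access to a wildcard principal without one of the scoping conditions named above. The policy document, function ARN and account ID are constructed sample values.

```python
# Added example (not Datadog's rule implementation): flag Lambda resource-policy
# statements that grant access to a wildcard principal with no scoping condition.
SCOPING_CONDITION_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}

def principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def has_scoping_condition(statement):
    """True when any condition key restricts the caller (keys are case-insensitive)."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in operator_block):
            return True
    return False

def find_unscoped_wildcard_statements(policy):
    """Return the Sid (or index) of each Allow statement that would be flagged."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    findings = []
    for index, statement in enumerate(statements):
        if (statement.get("Effect") == "Allow"
                and principal_is_wildcard(statement.get("Principal"))
                and not has_scoping_condition(statement)):
            findings.append(statement.get("Sid", f"statement[{index}]"))
    return findings

# Constructed sample policy: only "PublicInvoke" should be reported.
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:example-fn"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "OrgInvoke", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "S3Trigger", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}}},
]}

if __name__ == "__main__":
    print(find_unscoped_wildcard_statements(SAMPLE_POLICY))  # ['PublicInvoke']
```

The same function can be pointed at the output of `aws lambda get-policy` (its `Policy` field is a JSON string) to audit existing functions.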

## Remediation{% #remediation %}

Remove or restrict resource-based policy statements that grant access to wildcard principals. Alternatively, add scoping conditions that restrict access. For guidance, refer to [Using resource-based policies for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html).
