Lambda permission principal contains a wildcard

ID

aws_lambda_principal_wildcard

Severity

low

Vendor

AWS

Resource

IAM

Tags

reachable

Description

The principal of a Lambda permission contains a wildcard (`*`). A wildcard principal allows any AWS account, user, role or service to invoke the function, so unexpected principals could gain access to it. Adding source_arn and source_account narrows the statement to one event source, but the permission still does not name who is allowed to call the function, which is why the check flags it.

To fix it, set the principal to the specific caller that needs to invoke the function (an AWS account ID, an IAM ARN, or a service principal such as s3.amazonaws.com) and do not use a wildcard.

Learn more about this topic in the AWS documentation on Lambda permissions.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Lambda S3 event notification
      amazon.aws.lambda_policy:
        state: present
        function_name: functionName
        alias: Dev
        statement_id: lambda-s3-myBucket-create-data-log
        action: lambda:InvokeFunction
        principal: "*"
        source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
        source_account: 123456789012
      register: lambda_policy_action

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: Lambda S3 event notification
      amazon.aws.lambda_policy:
        state: present
        function_name: functionName
        alias: Dev
        statement_id: lambda-s3-myBucket-create-data-log
        action: lambda:InvokeFunction
        principal: s3.amazonaws.com
        source_arn: arn:aws:s3:eu-central-1:123456789012:bucketName
        source_account: 123456789012
      register: lambda_policy_action
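The following is an added example, not the page's own check or the amazon.aws collection's code: a small Python scanner that walks an already-loaded Ansible playbook and reports every amazon.aws.lambda_policy task whose principal contains a wildcard, distinguishing a wildcard that is at least narrowed by source_arn/source_account from one that is not. The helper lambda_policy_task and the SAMPLE_PLAYBOOK constant are constructed here to mirror the two playbooks above (plus one unrestricted wildcard); in practice the playbook would come from yaml.safe_load.

```python
"""Added example: flag amazon.aws.lambda_policy tasks whose principal contains '*'.

Hypothetical checker written for this page; it is not the rule's own
implementation. Input is a playbook as yaml.safe_load would return it.
"""
from typing import Any, Dict, Iterator, List

# Both the fully qualified and the short module name are accepted.
LAMBDA_POLICY_MODULES = ("amazon.aws.lambda_policy", "lambda_policy")


def iter_tasks(tasks: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks:
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_tasks(task[section])
        yield task


def find_wildcard_principals(playbook: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per lambda_policy task whose principal contains '*'.

    Each finding records whether the statement is at least narrowed by
    source_arn/source_account conditions. The rule fires either way; an
    unrestricted wildcard is the worse of the two.
    """
    findings = []
    for play in playbook:
        for section in ("pre_tasks", "tasks", "post_tasks", "handlers"):
            for task in iter_tasks(play.get(section) or []):
                for module in LAMBDA_POLICY_MODULES:
                    args = task.get(module)
                    if not isinstance(args, dict):
                        continue
                    principal = str(args.get("principal", ""))
                    if "*" not in principal:
                        continue
                    findings.append({
                        "task": task.get("name", "<unnamed>"),
                        "statement_id": args.get("statement_id"),
                        "principal": principal,
                        "restricted_by_source": bool(
                            args.get("source_arn") or args.get("source_account")
                        ),
                    })
    return findings


def lambda_policy_task(name: str, principal: str, **extra: Any) -> Dict[str, Any]:
    """Build a task dict shaped like the page's examples (constructed input)."""
    args = {
        "state": "present",
        "function_name": "functionName",
        "alias": "Dev",
        "statement_id": extra.pop("statement_id", "lambda-s3-myBucket-create-data-log"),
        "action": "lambda:InvokeFunction",
        "principal": principal,
    }
    args.update(extra)
    return {"name": name, "amazon.aws.lambda_policy": args}


# Constructed playbook: the page's flagged task, its fix, and a wildcard
# with no source restriction at all. source_account is an int, as YAML
# would parse the unquoted value in the examples above.
SAMPLE_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [
        lambda_policy_task("Lambda S3 event notification (wildcard)", "*",
                           source_arn="arn:aws:s3:eu-central-1:123456789012:bucketName",
                           source_account=123456789012),
        lambda_policy_task("Lambda S3 event notification (fixed)", "s3.amazonaws.com",
                           source_arn="arn:aws:s3:eu-central-1:123456789012:bucketName",
                           source_account=123456789012),
        lambda_policy_task("Public invoke (no source condition)", "*",
                           statement_id="public-invoke"),
    ],
}]


if __name__ == "__main__":
    for finding in find_wildcard_principals(SAMPLE_PLAYBOOK):
        level = "restricted wildcard" if finding["restricted_by_source"] else "UNRESTRICTED wildcard"
        print(f"{level}: task '{finding['task']}' statement_id={finding['statement_id']}")
```

Running it reports the first and third tasks and stays silent on the fixed one; the restricted_by_source flag is what a triage step would use to prioritise the unrestricted case over the S3-scoped one.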