terraform.aws.security.aws-lambda-permission-unrestricted-source-arn.aws-lambda-permission-unrestricted-source-arn
semgrep
Author: unknown
The AWS Lambda permission has an AWS service principal but does not specify a source ARN. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function. Set the source_arn value to the ARN of the AWS resource that invokes the function, e.g. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.
Definition
rules:
  - id: aws-lambda-permission-unrestricted-source-arn
    patterns:
      - pattern: |
          resource "aws_lambda_permission" $ANYTHING {
            ...
            principal = "$PRINCIPAL"
            ...
          }
      - pattern-not: |
          resource "aws_lambda_permission" $ANYTHING {
            ...
            source_arn = ...
            ...
          }
      - metavariable-regex:
          metavariable: $PRINCIPAL
          regex: .*[.]amazonaws[.]com$
    message: >-
      The AWS Lambda permission has an AWS service principal but does not
      specify a source ARN. If you grant permission to a service principal
      without specifying the source, other accounts could potentially configure
      resources in their account to invoke your Lambda function. Set the
      source_arn value to the ARN of the AWS resource that invokes the function,
      eg. an S3 bucket, CloudWatch Events Rule, API Gateway, or SNS topic.
    languages:
      - hcl
    severity: ERROR
    metadata:
      category: security
      technology:
        - terraform
        - aws
      owasp:
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-732: Incorrect Permission Assignment for Critical Resource"
      references:
        - https://cwe.mitre.org/data/definitions/732.html
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission
        - https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
Examples
aws-lambda-permission-unrestricted-source-arn.tf
# ruleid: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "fail_1" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.func.function_name
  principal     = "sns.amazonaws.com"
}

# ruleid: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "fail_2" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.func.function_name
  principal     = "events.amazonaws.com"
}

# ruleid: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "fail_3" {
  statement_id  = "AllowMyDemoAPIInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "MyDemoFunction"
  principal     = "apigateway.amazonaws.com"
}

# ok: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "pass_1" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.func.function_name
  principal     = "sns.amazonaws.com"
  source_arn    = aws_sns_topic.default.arn
}

# ok: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "pass_2" {
  statement_id  = "AllowExecutionFromCloudWatch"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.func.function_name
  principal     = "events.amazonaws.com"
  source_arn    = "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"
}

# ok: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "pass_3" {
  statement_id  = "AllowMyDemoAPIInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "MyDemoFunction"
  principal     = "apigateway.amazonaws.com"
  # The /* part allows invocation from any stage, method and resource path
  # within API Gateway.
  source_arn = "${aws_api_gateway_rest_api.MyDemoAPI.execution_arn}/*"
}

# ok: aws-lambda-permission-unrestricted-source-arn
resource "aws_lambda_permission" "pass_4" {
  statement_id           = "AllowCrossAccountExecution"
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.func.function_name
  principal              = "arn:aws:iam::444455556666:role/example"
  source_account         = "444455556666"
  function_url_auth_type = "AWS_IAM"
}
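The same gap can be checked on functions that are already deployed, where a permission created without source_arn or source_account becomes a resource-policy statement whose service principal has no aws:SourceArn or aws:SourceAccount condition. The Python below is an added example, not part of the Semgrep rule or the Terraform provider; SAMPLE_POLICY is a constructed document shaped like the Policy string that lambda:GetPolicy returns (placeholder account ids, Resource elements left out), mirroring fail_1, pass_2 and pass_4 above.

```python
import json
import re

SERVICE_PRINCIPAL = re.compile(r".*[.]amazonaws[.]com$")
# Condition keys that tie a service-principal grant to one resource or account.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}


def _service_principals(principal):
    """Service principals named in a statement's Principal element (str or list)."""
    if not isinstance(principal, dict):
        return []  # "*" or an account/role ARN string: not a service principal
    services = principal.get("Service", [])
    if isinstance(services, str):
        services = [services]
    return [s for s in services if SERVICE_PRINCIPAL.match(s)]


def _is_scoped(condition):
    """True if any condition operator carries aws:SourceArn or aws:SourceAccount.
    IAM condition keys are case-insensitive, so compare lower-cased."""
    return any(k.lower() in SCOPING_KEYS
               for keys in (condition or {}).values() for k in keys)


def find_unrestricted_service_grants(policy_json):
    """Sids of Allow statements that grant a service principal unscoped access."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear unwrapped
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow"
            and _service_principals(s.get("Principal"))
            and not _is_scoped(s.get("Condition"))]


# Constructed sample shaped like the "Policy" string returned by lambda:GetPolicy
# (placeholder account ids; Resource omitted). Only the SNS grant is unscoped.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowExecutionFromSNS", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "sns.amazonaws.com"}},
    {"Sid": "AllowExecutionFromCloudWatch", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "events.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:events:eu-west-1:111122223333:rule/RunDaily"}}},
    {"Sid": "AllowCrossAccountExecution", "Effect": "Allow", "Action": "lambda:InvokeFunctionUrl",
     "Principal": {"AWS": "arn:aws:iam::444455556666:role/example"},
     "Condition": {"StringEquals": {"AWS:SourceAccount": "444455556666"}}},
]})
```

Running find_unrestricted_service_grants(SAMPLE_POLICY) returns ['AllowExecutionFromSNS']; feed it the Policy field of each function's get_policy response to audit an account.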
Short Link: https://sg.run/kOP7