CRITICAL
Source
Trivy
ID
AVD-AWS-0067

Ensure that lambda function permission has a source arn specified

When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.

Without this, any resource from principal will be granted permission – even if that resource is from another account.

For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API

Impact

Not providing the source ARN allows any resource from principal, even from other accounts

Follow the appropriate remediation steps below to resolve the issue.

Always provide a source arn for Lambda permissions

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Type: AWS::Lambda::Function
    Properties:
      Handler: index.handler
      Role: arn:aws:iam::123456789012:role/lambda-role
      Code:
        S3Bucket: my-bucket
        S3Key: function.zip
      Runtime: nodejs12.x
      Timeout: 5
      TracingConfig:
        Mode: Active
      VpcConfig:
        SecurityGroupIds:
          - sg-085912345678492fb
        SubnetIds:
          - subnet-071f712345678e7c8
          - subnet-07fd123456788a036
  GoodPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref BadExample
      Action: lambda:InvokeFunction
      Principal: s3.amazonaws.com
      SourceArn: "lambda.amazonaws.com"

Always provide a source arn for Lambda permissions

1
2
3
4
5
6
7
resource "aws_lambda_permission" "good_example" {
  statement_id = "AllowExecutionFromSNS"
  action = "lambda:InvokeFunction"
  function_name = aws_lambda_function.func.function_name
  principal = "sns.amazonaws.com"
  source_arn = aws_sns_topic.default.arn
}