Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount

Description

This policy ensures that AWS Lambda function permissions delegated to AWS services are restricted by `SourceArn` or `SourceAccount`. This helps prevent unauthorized access and limits the scope of permissions granted to Lambda functions.

Code Example

resource "aws_lambda_permission" "with_sns" {
  statement_id  = "AllowExecutionFromSNS"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "sns.amazonaws.com"
+  source_arn    = aws_sns_topic.example.arn
}

Remediation

Terraform

Resource: aws_lambda_permission
Arguments: principal

To fix this issue, you need to ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount. This adds an additional layer of security by explicitly stating where the permissions are coming from.

Rule Details

Field	Value
ID	IAC-0411
Severity	HIGH
IaC Type	Cloudformation
Frameworks	Terraform,
Checkov ID	CKV_AWS_364

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

Permissions delegated to AWS services for AWS Lambda functions are not limited by SourceArn or SourceAccount

Description

Code Example

Remediation

Rule Details

References