Ensure AWS Lambda function permissions have a source ARN specified

MEDIUM

Description

An AWS Lambda resource-based policy (created with the AddPermission API, or with aws_lambda_permission in Terraform) grants an AWS service or another account permission to invoke a function. When the principal is a service principal such as s3.amazonaws.com or sns.amazonaws.com and no source ARN is set, the grant is not scoped to a particular bucket, topic or other resource: any resource of that service, including one in an account you do not control, can invoke the function (the confused-deputy problem). Specifying the source ARN, and the source account where the ARN does not carry an account ID, restricts the permission to the intended caller.

Remediation

In AWS Console -

  1. Sign in to AWS Console and go to the Functions page on the Lambda console.
  2. Choose a function to update.
  3. Select Configuration and then select Permissions.
  4. Under Resource-based policy statements, select the statement that grants the service access, choose Edit and set the Source ARN.
  5. Select Save.

In Terraform -

  1. In the aws_lambda_permission resource, set source_arn field accordingly.
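
The following is an added example of the Terraform remediation; it is not taken from the original page. The resource names aws_lambda_function.processor and aws_s3_bucket.uploads are assumptions standing for resources defined elsewhere in the same configuration. The unscoped and remediated permissions are shown side by side for comparison; in a real configuration only the remediated one would be kept, since both use the same statement_id on the same function.

```hcl
# Added example, not from the original page. aws_lambda_function.processor
# and aws_s3_bucket.uploads are assumed to be defined elsewhere.

# Flagged by this rule: no source_arn, so any S3 bucket in any AWS account
# may invoke the function.
resource "aws_lambda_permission" "allow_s3_unscoped" {
  statement_id  = "AllowS3Invoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.processor.function_name
  principal     = "s3.amazonaws.com"
}

# Remediated: only the named bucket, owned by this account, may invoke it.
resource "aws_lambda_permission" "allow_s3_scoped" {
  statement_id  = "AllowS3Invoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.processor.function_name
  principal     = "s3.amazonaws.com"
  source_arn    = aws_s3_bucket.uploads.arn

  # S3 bucket ARNs carry no account ID, so pin the owning account as well;
  # otherwise a same-named bucket in another account could still match.
  source_account = data.aws_caller_identity.current.account_id
}

data "aws_caller_identity" "current" {}
```

After applying, `aws lambda get-policy --function-name <name>` should show the statement carrying a Condition block with an ArnLike match on AWS:SourceArn (and, when source_account is set, a StringEquals match on AWS:SourceAccount); a statement for a service principal with no such Condition is what this rule flags.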

References:
https://docs.aws.amazon.com/lambda/latest/dg/security-iam.html
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission

Policy Details

Rule Reference ID: AC_AWS_0619
CSP: AWS
Remediation Available: Yes
Resource Category: Serverless
Resource Type: Lambda

Frameworks