Lambda permissions with a service principal should apply to only one resource and AWS account
Description
Lambda permissions with a service principal should contain a source ARN condition to restrict access to a single resource. Lambda permissions for S3 and SES should also contain a source account condition, because S3 and SES ARNs do not contain an AWS account ID.
Terraform
Ensure that lambda permissions with a service principal have a source_arn property. If the lambda permission is for S3 or SES, also ensure that it has a source_account property.
Example Configuration
resource "aws_lambda_permission" "sns_topic_permission" {
  function_name = aws_lambda_function.my_function.function_name
  action        = "lambda:InvokeFunction"
  principal     = "sns.amazonaws.com"
  source_arn    = aws_sns_topic.my_topic.arn
}

resource "aws_lambda_permission" "s3_bucket_permission" {
  function_name  = aws_lambda_function.my_function.function_name
  action         = "lambda:InvokeFunction"
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.my_bucket.arn
  source_account = data.aws_caller_identity.current.account_id
}
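Each aws_lambda_permission resource becomes one statement in the function's resource-based policy (the document `aws lambda get-policy` returns), with source_arn and source_account rendered as aws:SourceArn and aws:SourceAccount conditions. The following Python function, added here as an illustration and not part of this page or the check's own implementation, applies the same rule directly to such a policy document; the sample policy and its ARNs are constructed.

```python
import json

# S3 and SES ARNs carry no account ID, so aws:SourceArn alone cannot pin the
# caller to one account; these principals also need aws:SourceAccount.
ACCOUNTLESS_SERVICES = {"s3.amazonaws.com", "ses.amazonaws.com"}

def _condition_keys(statement):
    # Condition keys are case-insensitive in IAM; normalise across all operators.
    keys = set()
    for operator_values in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_values)
    return keys

def find_unscoped_service_grants(policy_document):
    """Return (Sid, problem) pairs for Allow statements whose service principal is not pinned to one source (and, for S3/SES, one account)."""
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and non-service principals are out of scope here
        services = principal.get("Service", [])
        services = [services] if isinstance(services, str) else services
        keys = _condition_keys(stmt)
        sid = stmt.get("Sid", "<no Sid>")
        for service in services:
            if "aws:sourcearn" not in keys:
                findings.append((sid, f"{service} grant lacks aws:SourceArn"))
            if service in ACCOUNTLESS_SERVICES and "aws:sourceaccount" not in keys:
                findings.append((sid, f"{service} grant lacks aws:SourceAccount"))
    return findings

# Constructed sample policy (the shape `aws lambda get-policy` returns):
# SNS scoped correctly, S3 scoped by ARN only, SES not scoped at all.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "sns-topic", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:sns:us-east-1:111122223333:my_topic"}}},
    {"Sid": "s3-bucket", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"},
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my_bucket"}}},
    {"Sid": "ses-receipt", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "ses.amazonaws.com"}},
]})

if __name__ == "__main__":
    for sid, problem in find_unscoped_service_grants(SAMPLE_POLICY):
        print(f"{sid}: {problem}")
```

The same check can be pointed at a real function by feeding it the Policy string from `aws lambda get-policy --function-name <name>`.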