Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFE] Warn when AWS::Lambda::Permission.SouceAccount is missing for S3 SourceArns #2155

Closed
trav-c opened this issue Oct 25, 2021 · 1 comment · Fixed by #3523
Closed

[RFE] Warn when AWS::Lambda::Permission.SouceAccount is missing for S3 SourceArns #2155

trav-c opened this issue Oct 25, 2021 · 1 comment · Fixed by #3523
Labels
enhancement New feature or request new rule New rule

Comments

@trav-c
Copy link
Contributor

trav-c commented Oct 25, 2021

cfn-lint version: (cfn-lint --version)

$ cfn-lint --version
cfn-lint 0.54.3

Feature Request - Warn when AWS::Lambda::Permission.SouceAccount is missing
When setting a Lamba permission using the AWS::Lambda::Permission resource, if (and I believe only if) the SourceArn is an S3 Arn, it is almost always appropriate to specify a SourceAccount in addition to the SourceArn, since S3 Arns do not specify an account id.

I'm not sure how feasible it is, given that you would presumably need to be able to at least partially resolve whatever value / intrinsic are specified for SourceArn, but it would be useful if a warning could be raised when the SourceArn will resolve to an S3 Arn, but SourceAccount is missing.

If a SourceAccount is missing there are potential security issues with the deployed resources, especially if wildcards have been used in the SourceArn, and Security Hub will flag the permission as a Critical security issue.

The CloudFormation Docs say the following about SourceAccount:

For Amazon S3, the ID of the account that owns the resource. Use this together with SourceArn to ensure that the resource is owned by the specified account. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.
@kddejong kddejong added enhancement New feature or request new rule New rule labels Oct 27, 2021
@kddejong
Copy link
Contributor

At least according to the GUI the only option asking for an Account is when using S3.

From a template this is valid and the account is applied to the policy:

Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt Function.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt Rule.Arn
      SourceAccount: !Ref AWS::AccountId

This is also valid but should have the account specified since it isn't in the s3 arn.

Permission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !GetAtt Function.Arn
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt Bucket.Arn

Warning is the right level. My thoughts are that any ARN that doesn't have the account in it should have the source account added.

So maybe If SourceArn exists and has an ARN that doesn't include an account ID then warn to add the SourceAccount

@kddejong kddejong mentioned this issue Jul 19, 2024
Merged
@impliedfeline impliedfeline mentioned this issue Jul 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request new rule New rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Create rule W3663 to validate lmbd permission account kddejong/cfn-python-lint
2 participants
@trav-c @kddejong