Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Security implications of SourceArn (as in AWS::Lambda::Permission)

0

These two doc pages:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html

have a note:
bq. If you grant permission to a service principal without specifying [SourceArn], other accounts could potentially configure resources in their account to invoke your Lambda function.
I'm unclear on what, exactly, that means.

Let's say I specify a Principal of "s3.amazonaws.com", and I leave SourceArn blank. Does that mean my lambda could be invoked by any random person's S3 bucket, if they managed to find my Lambda's ARN and configure their bucket accordingly?

Edited by: SyntaxColoring on May 27, 2020 9:32 PM

Themen
ServerlosKalkulation
Tags
AWS Lambda
Sprache
English
Maxpm
gefragt vor 4 Jahren555 Aufrufe
1 Antwort
0
Akzeptierte Antwort

Answering my own question.

Yes, if you leave SourceArn blank, other accounts really will be able to execute your Lambda function.

I tested this as described here: https://github.com/terraform-providers/terraform-provider-aws/pull/12794#discussion_r431612010

Maxpm
beantwortet vor 4 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt