These two doc pages:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html

have a note:
bq. If you grant permission to a service principal without specifying [SourceArn], other accounts could potentially configure resources in their account to invoke your Lambda function.
I'm unclear on what, exactly, that means.

Let's say I specify a Principal of "s3.amazonaws.com", and I leave SourceArn blank. Does that mean my lambda could be invoked by any random person's S3 bucket, if they managed to find my Lambda's ARN and configure their bucket accordingly?

Edited by: SyntaxColoring on May 27, 2020 9:32 PM