Why isn't ARNLike condition enough to suppress "Lambda function policies should prohibit public access" warning?
I have a lambda function with policies with the following format:

      {
        "Effect": "Allow",
        "Principal": {
          "Service": "s3.amazonaws.com"
        },
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:<lambda-arn>",
        "Condition": {
          "ArnLike": {
            "AWS:SourceArn": "arn:aws:s3:::<s3-arn>"
          }
        }
      }

In Security Hub I have the following critical warning for the same Lambda function:

Lambda.1 Lambda function policies should prohibit public access

From my understanding, this finding wants me to add an "AWS:SourceAccount" condition as well. However, my opinion is that, considering I own the S3 bucket, only my bucket can invoke this Lambda function. This is as secure as adding the source account condition, if I always keep owning this bucket.

My question is: from a security standpoint, am I safe to suppress this warning and move on, or is there something I am missing?

Thank you.

1 Answer
Accepted Answer

Yes, I think that unintended access is unlikely to occur if you always have the S3 bucket that you specify in "AWS:SourceArn", as you recognize.
However, if that S3 bucket is deleted by mistake, an unrelated third party will be able to create a bucket with the same name as the one specified in "AWS:SourceArn".
I think it is useful to set up "AWS:SourceAccount" in case such a situation arises.

answered a year ago
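The point the answer makes can be turned into a small policy check. The following is an added example, not code from the question, the answer, or AWS, and it is not Security Hub's actual evaluation logic: it is a simplified checker that flags an Allow statement with a wildcard principal and no scoping condition, and flags a service-principal statement that is scoped only by `aws:SourceArn` without `aws:SourceAccount`. The account id `111122223333`, the bucket and the function name are constructed placeholders. The hardened sample adds the `aws:SourceAccount` condition with the `StringEquals` operator, which is the form AWS documents for that key; condition key names are case-insensitive, so the asker's `AWS:SourceArn` and `aws:SourceArn` are the same key.

```python
import json
from typing import Any

# Condition keys that, on an Allow statement, scope who may invoke the function.
# Key names are case-insensitive, so they are compared lower-cased.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:principalorgid"}

# Constructed sample 1: the asker's statement, scoped only by aws:SourceArn.
# Account id, bucket and function name are placeholders, not real resources.
ARN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Invoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
            "Condition": {
                "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::example-upload-bucket"}
            },
        }
    ],
}

# Constructed sample 2: the same statement plus the aws:SourceAccount condition
# the answer recommends, so a bucket recreated under the same name in another
# account no longer satisfies the statement.
HARDENED_POLICY = json.loads(json.dumps(ARN_ONLY_POLICY))  # deep copy
HARDENED_POLICY["Statement"][0]["Condition"]["StringEquals"] = {
    "aws:SourceAccount": "111122223333"
}

# Constructed sample 3: an anonymous-principal grant with no condition at all.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyone",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn",
        }
    ],
}


def _as_list(value: Any) -> list:
    """IAM allows scalars where lists are accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement: dict) -> set[str]:
    """Every condition key used in the statement, lower-cased, operator ignored."""
    keys: set[str] = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def _is_wildcard_principal(principal: Any) -> bool:
    """True for Principal "*" or Principal {"AWS": "*"} (scalar or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_findings(statement: dict) -> list[str]:
    """Findings for one statement; an empty list means nothing was flagged."""
    findings: list[str] = []
    if statement.get("Effect") != "Allow":
        return findings  # Deny statements cannot grant access
    principal = statement.get("Principal")
    keys = _condition_keys(statement)
    sid = statement.get("Sid", "<no Sid>")
    if _is_wildcard_principal(principal) and not keys & SCOPING_KEYS:
        findings.append(f"{sid}: wildcard principal with no scoping condition")
    if isinstance(principal, dict) and "Service" in principal:
        if "aws:sourceaccount" not in keys:
            findings.append(
                f"{sid}: service principal without aws:SourceAccount "
                "(a deleted bucket name could be re-registered by another account)"
            )
    return findings


def policy_findings(policy: dict) -> list[str]:
    """Run the checks over every statement of a Lambda resource-based policy."""
    return [
        finding
        for stmt in _as_list(policy.get("Statement", []))
        for finding in statement_findings(stmt)
    ]


if __name__ == "__main__":
    samples = [("arn-only", ARN_ONLY_POLICY), ("hardened", HARDENED_POLICY), ("public", PUBLIC_POLICY)]
    for name, policy in samples:
        print(name, policy_findings(policy) or "OK")
```

Run against a real function, the input would be the JSON string returned by `aws lambda get-policy`, parsed with `json.loads`; the checker only reads the standard `Effect`, `Principal` and `Condition` fields, so it works on that output unchanged.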
