50 lines
1.2 KiB
Plaintext
50 lines
1.2 KiB
Plaintext
|
include::../description.adoc[]
|
||
|
|
|
||
|
|
== Noncompliant Code Example
|
||
|
|
|
||
|
|
The following policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.
|
||
|
|
|
||
|
|
[source,javascript]
|
||
|
|
----
|
||
|
|
import {aws_iam as iam} from 'aws-cdk-lib'
|
||
|
|
|
||
|
|
new iam.PolicyDocument({
|
||
|
|
statements: [new iam.PolicyStatement({
|
||
|
|
effect: iam.Effect.ALLOW,
|
||
|
|
actions: ["lambda:UpdateFunctionCode"],
|
||
|
|
resources: ["*"], // Noncompliant
|
||
|
|
})],
|
||
|
|
})
|
||
|
|
----
|
||
|
|
|
||
|
|
== Compliant Solution
|
||
|
|
|
||
|
|
Narrow the policy such that only updates to the code of certain Lambda functions are allowed.
|
||
|
|
|
||
|
|
[source,javascript]
|
||
|
|
----
|
||
|
|
import {aws_iam as iam} from 'aws-cdk-lib'
|
||
|
|
|
||
|
|
new iam.PolicyDocument({
|
||
|
|
statements: [new iam.PolicyStatement({
|
||
|
|
effect: iam.Effect.ALLOW,
|
||
|
|
actions: ["lambda:UpdateFunctionCode"],
|
||
|
|
resources: ["arn:aws:lambda:us-east-2:123456789012:function:my-function:1"], // Noncompliant
|
||
|
|
})],
|
||
|
|
})
|
||
|
|
----
|
||
|
|
|
||
|
|
include::../see.adoc[]
|
||
|
|
|
||
|
|
ifdef::env-github,rspecator-view[]
|
||
|
|
|
||
|
|
'''
|
||
|
|
== Implementation Specification
|
||
|
|
(visible only on this page)
|
||
|
|
|
||
|
|
include::../message.adoc[]
|
||
|
|
|
||
|
|
include::../highlighting.adoc[]
|
||
|
|
|
||
|
|
endif::env-github,rspecator-view[]
|