rspec/rules/S6317/javascript/how-to-fix-it/aws-cdk.adoc

== How to fix it in AWS CDK

=== Code examples

In this example, the IAM policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["lambda:UpdateFunctionCode"],
        resources: ["*"], // Noncompliant
    })],
});
----

==== Compliant solution

The policy is narrowed such that only updates to the code of certain Lambda functions (without high privileges) are allowed.

[source,javascript,diff-id=1,diff-type=compliant]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["lambda:UpdateFunctionCode"],
        resources: ["arn:aws:lambda:us-east-2:123456789012:function:my-function:1"],
    })],
});
----

=== How does this work?

include::../../common/fix/least-privilege.adoc[]
Modify rule S6317: Update to LayC format (APPSEC-968) (#2949) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-30 11:56:31 +02:00			`== How to fix it in AWS CDK`

			`=== Code examples`

			`In this example, the IAM policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.`

			`==== Noncompliant code example`

			`[source,javascript,diff-id=1,diff-type=noncompliant]`
			`----`
			`import { aws_iam as iam } from 'aws-cdk-lib'`

			`new iam.PolicyDocument({`
			`statements: [new iam.PolicyStatement({`
			`effect: iam.Effect.ALLOW,`
			`actions: ["lambda:UpdateFunctionCode"],`
			`resources: ["*"], // Noncompliant`
			`})],`
			`});`
			`----`

			`==== Compliant solution`

			`The policy is narrowed such that only updates to the code of certain Lambda functions (without high privileges) are allowed.`

			`[source,javascript,diff-id=1,diff-type=compliant]`
			`----`
			`import { aws_iam as iam } from 'aws-cdk-lib'`

			`new iam.PolicyDocument({`
			`statements: [new iam.PolicyStatement({`
			`effect: iam.Effect.ALLOW,`
			`actions: ["lambda:UpdateFunctionCode"],`
			`resources: ["arn:aws:lambda:us-east-2:123456789012:function:my-function:1"],`
			`})],`
			`});`
			`----`

			`=== How does this work?`

			`include::../../common/fix/least-privilege.adoc[]`