rspec/rules/S6317/python/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

The following policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.

[source,python]
----
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement

PolicyDocument(
    statements=[
        PolicyStatement(
            effect=Effect.ALLOW,
            actions=["lambda:UpdateFunctionCode"],
            resources=["*"]  # Noncompliant
        )
    ]
)
----

=== Compliant solution

Narrow the policy such that only updates to the code of certain Lambda functions are allowed.

[source,python]
----
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement

PolicyDocument(
    statements=[
        PolicyStatement(
            effect=Effect.ALLOW,
            actions=["lambda:UpdateFunctionCode"],
            resources=[
                "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
            ]
        )
    ]
)
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Create rule S6317: AWS IAM policies should not allow privilege escalation (#1284) 2022-10-04 09:27:58 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#1284) 2022-10-04 09:27:58 +02:00
			`The following policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.`

			`[source,python]`
			`----`
			`from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement`

			`PolicyDocument(`
			`statements=[`
			`PolicyStatement(`
			`effect=Effect.ALLOW,`
			`actions=["lambda:UpdateFunctionCode"],`
			`resources=["*"] # Noncompliant`
			`)`
			`]`
			`)`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Create rule S6317: AWS IAM policies should not allow privilege escalation (#1284) 2022-10-04 09:27:58 +02:00
			`Narrow the policy such that only updates to the code of certain Lambda functions are allowed.`

			`[source,python]`
			`----`
			`from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement`

			`PolicyDocument(`
			`statements=[`
			`PolicyStatement(`
			`effect=Effect.ALLOW,`
			`actions=["lambda:UpdateFunctionCode"],`
			`resources=[`
			`"arn:aws:lambda:us-east-2:123456789012:function:my-function:1"`
			`]`
			`)`
			`]`
			`)`
			`----`

			`include::../see.adoc[]`

			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`