== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "*"
        }
    ]
}
EOF
}
----

=== Compliant solution

Narrow the policy to only allow to update the code of certain lambda functions.

[source,terraform]
----
resource "aws_iam_policy" "lambdaUpdatePolicy" {
  name = "lambdaUpdatePolicy"
  policy =<<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
        }
    ]
}
EOF
}
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]