
## Review

A dedicated reviewer checked the rule description successfully for:

- [ ] logical errors and incorrect information
- [ ] information gaps and missing content
- [ ] text style and tone
- [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
41 lines
1.2 KiB
Plaintext
== How to fix it in AWS CDK

=== Code examples

In this example, the IAM policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["lambda:UpdateFunctionCode"],
        resources: ["*"], // Noncompliant
    })],
});
----

==== Compliant solution

The policy is narrowed such that only updates to the code of certain Lambda functions (without high privileges) are allowed.

[source,javascript,diff-id=1,diff-type=compliant]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        actions: ["lambda:UpdateFunctionCode"],
        resources: ["arn:aws:lambda:us-east-2:123456789012:function:my-function:1"],
    })],
});
----

=== How does this work?

include::../../common/fix/least-privilege.adoc[]
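A check of the kind this rule performs, as an added example that is not part of the rule description or of SonarSource's analyzer: it scans a synthesized IAM policy document (the JSON the two `PolicyDocument` objects above render to, constructed here inline) and reports `Allow` statements that grant `lambda:UpdateFunctionCode`, directly or through an action wildcard, on every resource. The sensitive-action set, the `findOverbroadStatements` name and the sample documents are assumptions.

```javascript
// Added example, not the rule's or the analyzer's code: flag Allow statements that
// grant a privilege-escalation-capable Lambda action on "*" resources.

// Constructed samples: the JSON the noncompliant and compliant PolicyDocuments render to.
const noncompliantPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["lambda:UpdateFunctionCode"], Resource: ["*"] },
  ],
};
const compliantPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["lambda:UpdateFunctionCode"],
      Resource: ["arn:aws:lambda:us-east-2:123456789012:function:my-function:1"],
    },
  ],
};

// Assumed list of sensitive actions; only the one named in the rule text is included.
const SENSITIVE_ACTIONS = ["lambda:UpdateFunctionCode"];

// IAM accepts either a single string or an array for Statement, Action and Resource.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Turn an IAM action pattern such as "lambda:*" or "lambda:Update*" into a RegExp
// (IAM action names are matched case-insensitively).
function actionMatcher(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i");
}

// Return one finding per Allow statement whose actions cover a sensitive action
// and whose resources include the "*" wildcard.
function findOverbroadStatements(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, index) => {
    if (stmt.Effect !== "Allow") return;
    const matchers = asList(stmt.Action).map(actionMatcher);
    const actions = SENSITIVE_ACTIONS.filter((a) => matchers.some((re) => re.test(a)));
    const wildcardResource = asList(stmt.Resource).some((r) => r === "*");
    if (actions.length > 0 && wildcardResource) findings.push({ index, actions });
  });
  return findings;
}

console.log(findOverbroadStatements(noncompliantPolicy)); // [ { index: 0, actions: [ 'lambda:UpdateFunctionCode' ] } ]
console.log(findOverbroadStatements(compliantPolicy));    // []
```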