58 lines
1.3 KiB
Plaintext
58 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
The following policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
|
|
|
|
PolicyDocument(
|
|
statements=[
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions=["lambda:UpdateFunctionCode"],
|
|
resources=["*"] # Noncompliant
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
Narrow the policy such that only updates to the code of certain Lambda functions are allowed.
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement
|
|
|
|
PolicyDocument(
|
|
statements=[
|
|
PolicyStatement(
|
|
effect=Effect.ALLOW,
|
|
actions=["lambda:UpdateFunctionCode"],
|
|
resources=[
|
|
"arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
|
|
]
|
|
)
|
|
]
|
|
)
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|