62 lines
1.4 KiB
Plaintext
62 lines
1.4 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
This policy allows to update the code of any lambda function. Updating the code of a lambda executing with high privileges will lead to privilege escalation.
|
|
[source,cloudformation]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
|
|
Resources:
|
|
# Update Lambda code
|
|
lambdaUpdatePolicy:
|
|
# Noncompliant
|
|
Type: AWS::IAM::ManagedPolicy
|
|
Properties:
|
|
ManagedPolicyName: lambdaUpdatePolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- lambda:UpdateFunctionCode
|
|
Resource: "*"
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Narrow the policy to only allow to update the code of certain lambda functions.
|
|
|
|
[source,cloudformation]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
|
|
Resources:
|
|
# Update Lambda code
|
|
lambdaUpdatePolicy:
|
|
Type: AWS::IAM::ManagedPolicy
|
|
Properties:
|
|
ManagedPolicyName: lambdaUpdatePolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- lambda:UpdateFunctionCode
|
|
Resource: "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|