0fe428ee63
## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
69 lines
1.3 KiB
Plaintext
69 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
This policy allows to update the code of any lambda function. Updating the code
|
|
of a lambda executing with high privileges will lead to privilege escalation.
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "example" {
|
|
name = "example"
|
|
policy =<<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"lambda:UpdateFunctionCode"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
Narrow the policy to only allow to update the code of certain lambda functions.
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "aws_iam_policy" "example" {
|
|
name = "example"
|
|
policy =<<EOF
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"lambda:UpdateFunctionCode"
|
|
],
|
|
"Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|