efcf2bdd1a
## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
54 lines
1.4 KiB
Plaintext
54 lines
1.4 KiB
Plaintext
== How to fix it in Identity and Access Management
|
|
|
|
=== Code examples
|
|
|
|
In this example, the IAM policy allows an attacker to update the code of any Lambda function. An attacker can achieve privilege escalation by altering the code of a Lambda that executes with high privileges.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,yaml,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
|
|
Resources:
|
|
# Update Lambda code
|
|
lambdaUpdatePolicy:
|
|
# Noncompliant
|
|
Type: AWS::IAM::ManagedPolicy
|
|
Properties:
|
|
ManagedPolicyName: lambdaUpdatePolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- lambda:UpdateFunctionCode
|
|
Resource: "*"
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
The policy is narrowed such that only updates to the code of certain Lambda functions (without high privileges) are allowed.
|
|
|
|
[source,yaml,diff-id=1,diff-type=compliant]
|
|
----
|
|
AWSTemplateFormatVersion: 2010-09-09
|
|
|
|
Resources:
|
|
# Update Lambda code
|
|
lambdaUpdatePolicy:
|
|
Type: AWS::IAM::ManagedPolicy
|
|
Properties:
|
|
ManagedPolicyName: lambdaUpdatePolicy
|
|
PolicyDocument:
|
|
Version: "2012-10-17"
|
|
Statement:
|
|
- Effect: Allow
|
|
Action:
|
|
- lambda:UpdateFunctionCode
|
|
Resource: "arn:aws:lambda:us-east-2:123456789012:function:my-function:1"
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/least-privilege.adoc[] |