Ensure that AWS Lambda layer version permissions do not have a wildcard principal
The AWS Lambda layer version permission resource adds permissions to the resource-based policy of a version of a Lambda layer. Using a wildcard in the principal may violate the principle of least privilege.
Risk Level: High
Cloud Entity: AWS Lambda
CloudGuard Rule ID: D9.CFT.IAM.23
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AWS_Lambda_LayerVersionPermission should not have Principal='*'
REMEDIATION
From CFT
Set the AWS::Lambda::LayerVersionPermission Principal to a specific account or user
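The check described by the GSL logic above, written as an added example (not CloudGuard's or AWS's own code): it scans a CloudFormation template, already parsed into a dict, for AWS::Lambda::LayerVersionPermission resources whose Principal is '*'. The sample template, logical IDs, account ID and function names are constructed for illustration, and a Ref to a template parameter is resolved to its Default only, which is an assumption about how the stack is deployed.

```python
RESOURCE_TYPE = "AWS::Lambda::LayerVersionPermission"

def _perm(principal):
    """Build a constructed LayerVersionPermission resource for the sample."""
    return {
        "Type": RESOURCE_TYPE,
        "Properties": {
            "Action": "lambda:GetLayerVersion",
            "LayerVersionArn": {"Ref": "SharedLayer"},
            "Principal": principal,
        },
    }

# Constructed template: logical IDs and the account ID are sample values.
SAMPLE_TEMPLATE = {
    "Parameters": {"LayerConsumer": {"Type": "String", "Default": "*"}},
    "Resources": {
        "SharedLayer": {"Type": "AWS::Lambda::LayerVersion"},
        "PublicPermission": _perm("*"),                      # non-compliant
        "ParamPermission": _perm({"Ref": "LayerConsumer"}),  # non-compliant via default
        "ScopedPermission": _perm("123456789012"),           # compliant
    },
}

def resolve_principal(value, parameters):
    """Return the literal principal, following a Ref to a parameter Default.

    A parameter can be overridden at deploy time; only the Default is visible here.
    """
    if isinstance(value, dict) and "Ref" in value:
        return parameters.get(value["Ref"], {}).get("Default")
    return value

def find_wildcard_principals(template):
    """Return sorted logical IDs of layer permissions whose Principal is '*'."""
    parameters = template.get("Parameters") or {}
    findings = []
    for logical_id, resource in (template.get("Resources") or {}).items():
        if resource.get("Type") != RESOURCE_TYPE:
            continue
        principal = (resource.get("Properties") or {}).get("Principal")
        if resolve_principal(principal, parameters) == "*":
            findings.append(logical_id)
    return sorted(findings)

if __name__ == "__main__":
    for logical_id in find_wildcard_principals(SAMPLE_TEMPLATE):
        print(f"FAIL {logical_id}: Principal is '*'")
```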
References
- https://docs.aws.amazon.com/lambda/latest/dg/configuration-layers.html
- https://docs.aws.amazon.com/cli/latest/reference/lambda/add-layer-version-permission.html
AWS Lambda
AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running.
With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
Compliance Frameworks
- AWS CloudFormation ruleset