Hi AWS community,
If my understanding is correct, the documentation would be lacking and the rule logic may not be enough to detect Lambda functions which are public.
Documentation:
What misconfigurations can this rule actually test for? The Security Hub documentation mentions that it checks for AWS:SourceAccount (not source ARN) in the condition when used in combination with S3. The Config rule documentation has no mention of that.
Possible lacking coverage:
A case where I know that the rule is not sufficient to check if Lambda functions are public is when API Gateway is used in the policy.
Example policy:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "apigateway.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:my-region:123456789012:function:my-function"
    }
  ]
}
As far as I know, API Gateway and probably other services (in addition to S3) allow cross-account access to Lambda. Shouldn't the recommendation be: if a service principal is set, fail when neither AWS:SourceAccount nor AWS:SourceArn is present in the condition? Or is there a reason why it only needs to be checked for service=s3?
Regards,
Justus
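Added example (not part of the post above, and not AWS's own rule code): a small evaluator that applies the stricter logic the post proposes to a Lambda resource-based policy document. Every Allow statement whose principal is a service principal (apigateway.amazonaws.com, s3.amazonaws.com, or any other) is flagged unless its Condition carries aws:SourceAccount or aws:SourceArn; a wildcard principal is flagged as public outright. Condition keys are compared case-insensitively because IAM treats them that way. The sample policies, Sids, account ID and API ID are constructed for the example.

```python
"""Evaluate a Lambda resource-based policy the way the post suggests the
Config/Security Hub rule should: any service principal without a source
scoping condition is non-compliant, not only s3.amazonaws.com.
Added example; the policies below are constructed test data."""
import json

# Condition keys that scope a service principal to one caller (lower-cased).
SOURCE_SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(condition):
    """Collect every condition key used in a statement, case-insensitively.
    Shape: {"StringEquals": {"aws:SourceAccount": "..."}, "ArnLike": {...}}"""
    keys = set()
    for operator_values in (condition or {}).values():
        keys.update(k.lower() for k in operator_values)
    return keys


def _is_wildcard_principal(principal):
    """True for "Principal": "*" or "Principal": {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_unscoped_statements(policy):
    """Return one finding per Allow statement that is public or that grants
    access to a service principal without aws:SourceAccount/aws:SourceArn."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot open access
        principal = stmt.get("Principal")
        sid = stmt.get("Sid", "<no Sid>")
        if _is_wildcard_principal(principal):
            findings.append({"sid": sid, "reason": "wildcard principal"})
            continue
        if not isinstance(principal, dict):
            continue
        services = _as_list(principal.get("Service"))
        if not services:
            continue  # IAM principals (accounts/roles) are out of scope here
        keys = _condition_keys(stmt.get("Condition"))
        if not keys & SOURCE_SCOPING_KEYS:
            findings.append({
                "sid": sid,
                "reason": "service principal without aws:SourceAccount/aws:SourceArn",
                "services": services,
                "condition_keys": sorted(keys),
            })
    return findings


def evaluate(policy_json):
    """Config-style verdict for a policy document given as a JSON string."""
    findings = find_unscoped_statements(json.loads(policy_json))
    return ("NON_COMPLIANT" if findings else "COMPLIANT"), findings


# --- constructed sample policies (hypothetical account/API IDs) -------------
FUNCTION_ARN = "arn:aws:lambda:my-region:123456789012:function:my-function"

APIGW_UNSCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ApiGatewayInvoke", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN}]})

APIGW_SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ApiGatewayInvoke", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"ArnLike": {  # mixed-case key on purpose
        "AWS:SourceArn": "arn:aws:execute-api:my-region:123456789012:abcdef1234/*"}}}]})

S3_SCOPED_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "S3Invoke", "Effect": "Allow",
    "Principal": {"Service": "s3.amazonaws.com"},
    "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]})

PUBLIC_URL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicFunctionUrl", "Effect": "Allow", "Principal": "*",
    "Action": "lambda:InvokeFunctionUrl", "Resource": FUNCTION_ARN,
    "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]})

if __name__ == "__main__":
    for name, doc in [("apigw-unscoped", APIGW_UNSCOPED), ("apigw-scoped", APIGW_SCOPED),
                      ("s3-scoped", S3_SCOPED_ACCOUNT), ("public-url", PUBLIC_URL)]:
        verdict, findings = evaluate(doc)
        print(f"{name}: {verdict} {findings}")
```

The first sample is the post's API Gateway policy and comes back NON_COMPLIANT, which is the gap the post describes; adding an aws:SourceArn condition for the API's execute-api ARN makes it COMPLIANT. To use this as a custom Config rule, the policy string would come from lambda:GetPolicy for each function instead of the inline samples.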