Why isn't ARNLike condition enough to suppress "Lambda function policies should prohibit public access" warning?

Question

Hello,

I have a lambda function with policies with the following format:

```
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::"
        }
```

In the security hub I have the following critical warning for the same lambda function:

> ## **Lambda.1 Lambda function policies should prohibit public access**

From my understanding, this finding wishes me to add a "AWS:SourceAccount" account condition as well. However my opinion is that considering I own the s3 bucket, only my bucket can invoke this lambda function. This is as secure as adding the source account condition, if I always keep owning this bucket.

My question is from a security standpoint am I safe to suppress this warning and move on, or is there something I am missing?

Thank you.

Accepted Answer

Yes, I think that unintended access is unlikely to occur if you always have the S3 that you specify in "AWS:SourceArn" as you recognize.  
However, if an S3 is deleted by mistake, an unrelated third party will be able to create the same S3 as the one specified in "AWS:SourceArn".  
I think it is useful to set up "AWS:SourceAccount" in case such a situation arises.

Why isn't ARNLike condition enough to suppress "Lambda function policies should prohibit public access" warning?

Lambda.1 Lambda function policies should prohibit public access

Relevant content