Hello,
I have a Lambda function with policies in the following format:
{
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:<lambda-arn>",
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:s3:::<s3-arn>"
    }
  }
}
In Security Hub I have the following critical finding for the same Lambda function:
Lambda.1 Lambda function policies should prohibit public access
From my understanding, this finding wants me to add an "AWS:SourceAccount" condition as well. However, my opinion is that, since I own the S3 bucket, only my bucket can invoke this Lambda function. This is as secure as adding the source account condition, as long as I always keep owning this bucket.
My question is: from a security standpoint, am I safe to suppress this warning and move on, or is there something I am missing?
Thank you.
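Added example (not part of the original post): a small policy check that flags Allow statements granting a service principal access without an account-scoping condition, and produces the hardened statement that keeps the existing SourceArn condition and adds aws:SourceAccount. The policy, account ID and Sid are constructed placeholders; the check approximates the concern behind the finding and is not Security Hub's own evaluation logic.

```python
import copy

# Constructed sample resource policy mirroring the post (placeholders, not real ARNs).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3Invoke",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:<lambda-arn>",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::<s3-arn>"}},
    }],
}

# Condition keys that tie a grant to a specific account or organization.
ACCOUNT_SCOPING_KEYS = {"aws:sourceaccount", "aws:sourceowner", "aws:principalorgid"}

def condition_keys(stmt):
    """All condition keys in a statement, lower-cased (IAM keys are case-insensitive)."""
    return {k.lower() for operator in stmt.get("Condition", {}).values() for k in operator}

def is_unscoped_grant(stmt):
    """True for an Allow statement whose principal is a service (or '*') and which is not
    pinned to an account. An S3 bucket ARN contains no account ID, so SourceArn alone
    trusts whoever owns that globally unique bucket *name*, now or after the bucket is
    deleted and re-created elsewhere."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    service = isinstance(principal, dict) and "Service" in principal
    return (wildcard or service) and not (condition_keys(stmt) & ACCOUNT_SCOPING_KEYS)

def unscoped_statements(policy):
    """Sids of statements that would be flagged by the check above."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"] if is_unscoped_grant(s)]

def harden(policy, account_id):
    """Copy of the policy with aws:SourceAccount added to every flagged statement;
    the original SourceArn condition is kept, so both must match for an invoke."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if is_unscoped_grant(stmt):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            cond["aws:SourceAccount"] = account_id
    return fixed

if __name__ == "__main__":
    print("flagged:", unscoped_statements(POLICY))  # ['AllowS3Invoke']
    print("after hardening:", unscoped_statements(harden(POLICY, "111122223333")))  # []
```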