
CKV_AWS_301: Conditions Parsing #7298

@gabriel-pragin-clearscale

Description

Describe the issue
CKV_AWS_301 (Ensure that AWS Lambda function is not publicly accessible) currently checks for principal = "*" without considering mitigating conditions. The aws_lambda_permission resource has three other arguments which limit the permissions -- principal_org_id, source_account, and source_arn. Using any of these without a * (see edge case below) will satisfy the requirement that the Lambda function is not publicly accessible even if the principal is set to *.

Examples

Currently non-compliant (edge case, expected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "*"
  source_arn    = "*"
}

Currently non-compliant (expected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "*"
}

Currently compliant (expected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "s3.amazonaws.com"
}

Currently non-compliant (unexpected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "*"
  principal_org_id = "o-123456"
}

Currently non-compliant (unexpected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "*"
  source_account = "123456789012"
}

Currently non-compliant (unexpected):

resource "aws_lambda_permission" "this" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.example.function_name
  principal     = "*"
  source_arn    = "arn:aws:events:eu-west-1:123456789012:rule/RunDaily"
}
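The condition-aware decision the issue asks for, written out as an added example (this is not Checkov's code and `check_lambda_permission`, `_scalar` and `_is_restrictive` are hypothetical names). It assumes the rule stated above: a `principal` of `"*"` passes only when at least one of `principal_org_id`, `source_account` or `source_arn` is set and contains no `*`, so the `source_arn = "*"` edge case still fails. Inputs are constructed to mirror the six HCL blocks in the issue, in the single-element-list shape Checkov hands to a resource check.

```python
"""Condition-aware evaluation of aws_lambda_permission for CKV_AWS_301.

Example logic written for this issue; it is not Checkov's implementation.
"""
from typing import Any, Mapping, Optional

# Arguments of aws_lambda_permission that narrow a "*" principal
# (the three named in the issue above).
MITIGATING_ARGS = ("principal_org_id", "source_account", "source_arn")


def _scalar(conf: Mapping[str, Any], key: str) -> Optional[str]:
    """Unwrap one Terraform attribute.

    Checkov gives checks a ``conf`` dict whose values are single-element
    lists (e.g. ``{"principal": ["*"]}``); bare strings are accepted too so
    the function can be exercised stand-alone.
    """
    value = conf.get(key)
    if isinstance(value, list):
        value = value[0] if value else None
    return value if isinstance(value, str) else None


def _is_restrictive(value: Optional[str]) -> bool:
    """A condition narrows access only if it is set and carries no wildcard.

    This is the edge case from the issue: ``source_arn = "*"`` mitigates nothing.
    """
    return bool(value) and "*" not in value


def check_lambda_permission(conf: Mapping[str, Any]) -> str:
    """Return "PASSED" when the permission is not publicly accessible, else "FAILED"."""
    # Any concrete principal (service, account, role) is not "public".
    if _scalar(conf, "principal") != "*":
        return "PASSED"
    # A "*" principal is acceptable only when a restrictive condition exists.
    if any(_is_restrictive(_scalar(conf, key)) for key in MITIGATING_ARGS):
        return "PASSED"
    return "FAILED"


# Constructed inputs mirroring the six examples in the issue, keyed by the
# outcome the issue says is expected of a correct check.
EXAMPLES = {
    "wildcard_source_arn":  {"principal": ["*"], "source_arn": ["*"]},
    "bare_wildcard":        {"principal": ["*"]},
    "service_principal":    {"principal": ["s3.amazonaws.com"]},
    "org_id_condition":     {"principal": ["*"], "principal_org_id": ["o-123456"]},
    "source_account":       {"principal": ["*"], "source_account": ["123456789012"]},
    "source_arn":           {"principal": ["*"],
                             "source_arn": ["arn:aws:events:eu-west-1:123456789012:rule/RunDaily"]},
}


def evaluate_examples() -> dict:
    """Run the check over every constructed example and collect the verdicts."""
    return {name: check_lambda_permission(conf) for name, conf in EXAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_examples().items():
        print(f"{name:22s} {result}")
```

The first two examples fail and the remaining four pass, which matches the "expected" and "unexpected" labels in the issue: the check only changes verdict for the three cases where a restrictive condition accompanies the wildcard principal. Treating any `*` inside a condition value as non-restrictive is deliberately conservative; a wildcard embedded in an otherwise specific ARN would also be rejected.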

Labels: checks (Check additions or changes)