AWS Lambda
Identifier | Guardrail | Rationale | Remediation | References | Policy | IAM Actions |
---|---|---|---|---|---|---|
IAM-LAMBDA-1 | If Amazon API Gateway invokes the function, scope the invoke permission to the specific authorized API using aws:SourceArn. | When one AWS service calls another on your behalf, the calling service puts the ARN of the resource making the call into the request context as aws:SourceArn. A resource policy that allows apigateway.amazonaws.com without a condition on that key trusts every API Gateway API in every account: anyone who learns the function ARN can create their own API that invokes it (the confused deputy problem). | Add a Condition on aws:SourceArn (ArnLike against the authorized API's execute-api ARN) to the statement that grants lambda:InvokeFunction to apigateway.amazonaws.com. | https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn | Lambda resource policy | |
IAM-LAMBDA-2 | Check that management of your Lambda functions is limited to authorized principals. | Access to the management (control plane) of your Lambda functions must be restricted to your authorized principals. Limiting these actions to administrative principals protects the functions against unauthorized modification. | Grant the listed actions only to your administrative principals; other roles should not hold them, directly or through wildcards such as lambda:*. | | | lambda:AddLayerVersionPermission lambda:AddPermission lambda:CreateAlias lambda:CreateEventSourceMapping lambda:CreateFunction lambda:DeleteAlias lambda:DeleteEventSourceMapping lambda:DeleteFunction lambda:DeleteFunctionConcurrency lambda:DeleteFunctionEventInvokeConfig lambda:DeleteLayerVersion lambda:DeleteProvisionedConcurrencyConfig lambda:DisableReplication lambda:EnableReplication lambda:InvokeAsync lambda:InvokeFunction lambda:PublishLayerVersion lambda:PublishVersion lambda:PutFunctionConcurrency lambda:PutFunctionEventInvokeConfig lambda:PutProvisionedConcurrencyConfig lambda:RemoveLayerVersionPermission lambda:RemovePermission lambda:TagResource lambda:UntagResource lambda:UpdateAlias lambda:UpdateEventSourceMapping lambda:UpdateFunctionCode lambda:UpdateFunctionConfiguration lambda:UpdateFunctionEventInvokeConfig |