Description
I wish to specify a condition matching a specific AWS account number in the resource-based policy for a Lambda function from the zappa_settings.json file, to close off a vulnerability in the stock Zappa S3 event settings and ensure that only resources in my account can invoke my function. Is this possible?
I'm following this section of the readme to schedule an S3 event trigger for my Lambda function: https://github.com/zappa/Zappa#executing-in-response-to-aws-events. I wish to set a condition which limits the S3 bucket that triggers the event to one with my AWS account number (apparently it's possible to squat someone else's S3 bucket name and trigger events in someone else's account, and our organisation guides this as a secure solution). I need to set the account number in the resource-based policy of the Lambda function.
Accordingly, I specify the following in my zappa_settings.json:
```
{
    "dev": {
        ...
        "events": [{
            "function": "myservice.handler",
            "event_source": {
                "arn": "arn:aws:s3:::my-bucket",
                "events": [
                    "s3:ObjectCreated:*" // Supported event types: http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#supported-notification-event-types
                ]
            }
        }]
    }
}
```
This results in the following resource-based policy:
```json
{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "XXXXXXXX",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:000000000000:function:mylambdafunction",
            "Condition": {
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:s3:::my-bucket"
                }
            }
        }
    ]
}
```
I wish to set the additional condition to limit to my AWS source account as follows:
```json
{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "XXXXXXXX",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:eu-west-1:000000000000:function:mylambdafunction",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "000000000000"
                },
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws:s3:::my-bucket"
                }
            }
        }
    ]
}
```
I can do this manually in the AWS console, but it is overwritten by Zappa each time I update or schedule the function.
Is there a way to set this condition from the zappa_settings.json?
I've tried adding the condition to my event source; although this does not throw an error, it is not reflected in the AWS console:
```
{
    "dev": {
        ...
        "events": [{
            "function": "myservice.handler",
            "event_source": {
                "arn": "arn:aws:s3:::my-bucket",
                "events": [
                    "s3:ObjectCreated:*" // Supported event types: http://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#supported-notification-event-types
                ],
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "000000000000"
                    }
                }
            }
        }]
    }
}
```
I've also tried specifying the ARN of the event source to include the account number:
```
...
"event_source": {
    "arn": "arn:aws:s3::000000000000:my-bucket",
...
```
This reflects the account number in the AWS console resource-based policy, but throws an error when I call `zappa schedule`, and the S3 trigger breaks.
Your Environment
- Zappa version used: 0.53.0
- Operating System and Python version: Mac OS Catalina, Python 3.8 running in a virtual environment using Pipenv
- The output of `pip freeze`:
argcomplete==1.12.3
attrs==21.2.0
boto3==1.18.48
botocore==1.21.48
certifi==2021.5.30
cfn-flip==1.2.3
charset-normalizer==2.0.6
click==8.0.1
durationpy==0.5
future==0.18.2
hjson==3.0.2
idna==3.2
iniconfig==1.1.1
jmespath==0.10.0
kappa==0.6.0
packaging==21.0
pep517==0.11.0
pip-tools==6.3.0
placebo==0.9.0
pluggy==1.0.0
py==1.10.0
pyparsing==2.4.7
pytest==6.2.5
python-dateutil==2.8.2
python-slugify==5.0.2
PyYAML==5.4.1
requests==2.26.0
s3transfer==0.5.0
six==1.16.0
text-unidecode==1.3
toml==0.10.2
tomli==1.2.1
tqdm==4.62.3
troposphere==2.7.1
urllib3==1.26.7
Werkzeug==0.16.1
wsgi-request-logger==0.4.6
zappa==0.53.0
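Added example, not Zappa's code nor the reporter's: an offline audit helper that parses a Lambda resource-based policy, flags statements that let `s3.amazonaws.com` invoke the function without an `aws:SourceAccount` condition, and produces the hardened policy the issue asks for. The sample policy is the one Zappa generated above, with the issue's placeholder account id; the function names are my own.

```python
import json

# Constructed sample: the policy Zappa generated for the S3 trigger (placeholder ids from the issue).
ZAPPA_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [{
        "Sid": "XXXXXXXX",
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:eu-west-1:000000000000:function:mylambdafunction",
        "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}},
    }],
})


def _as_list(value):
    """Normalise IAM's scalar-or-list fields (and a lone Statement dict) to a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])


def _is_unpinned_s3_invoke(s):
    """Allow statement letting s3.amazonaws.com invoke the function without an
    aws:SourceAccount condition (a bucket ARN carries no account id, so SourceArn alone is not enough)."""
    principal = s.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    invokes = any(a in ("lambda:InvokeFunction", "lambda:*", "*") for a in _as_list(s.get("Action")))
    # IAM condition keys are case-insensitive, so compare lower-cased.
    pinned = {k.lower() for k in s.get("Condition", {}).get("StringEquals", {})}
    return (s.get("Effect") == "Allow" and "s3.amazonaws.com" in services
            and invokes and "aws:sourceaccount" not in pinned)


def find_unpinned_s3_statements(policy_json):
    """Sids of statements in the policy document that fail the check above."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    return [s.get("Sid", "<no Sid>") for s in statements if _is_unpinned_s3_invoke(s)]


def harden_policy(policy_json, account_id):
    """Copy of the policy with the issue's StringEquals/AWS:SourceAccount
    condition added to every flagged statement; existing conditions are kept."""
    policy = json.loads(policy_json)
    policy["Statement"] = _as_list(policy.get("Statement"))
    for s in policy["Statement"]:
        if _is_unpinned_s3_invoke(s):
            s.setdefault("Condition", {}).setdefault("StringEquals", {})["AWS:SourceAccount"] = account_id
    return json.dumps(policy, indent=2)
```

Running `find_unpinned_s3_statements` over the policy `aws lambda get-policy` returns after each `zappa schedule` is a quick way to confirm whether the account pin survived the redeploy.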