Lambda-function-public-access-prohibited Actions

When I add an S3 event in my serverless.yml it generates a function policy without a sourceAccount condition. When an event is attached through the Lambda console the function policy has the sourceAccount in it, but when creating a Lambda::Permission and adding an event to the Lambda through Serverless, the sourceAccount is missing from the function policy, causing AWS Config to report this Lambda as non-compliant.
Any suggestions on how to solve this will be appreciated.

This is my serverless.yml:

```yaml
# Custom CloudFormation resources live under the top-level `resources` key
resources:
  Resources:
    LambdaPermissionInvoke:
      Type: 'AWS::Lambda::Permission'
      Properties:
        FunctionName:
          'Fn::GetAtt':
            - MyLambdaFunction
            - Arn
        Principal: 's3.amazonaws.com'
        Action: 'lambda:InvokeFunction'
        SourceAccount:
          Ref: 'AWS::AccountId'
        # bucket name matched to the s3 event below (was mistyped as my-s3-sbucket)
        SourceArn: 'arn:aws:s3:::my-s3-bucket'

functions:
  MyLambdaFunction:
    handler: lambda_handler
    events: # The Events that trigger this Function
      - s3:
          bucket: my-s3-bucket
          event: s3:ObjectCreated:*
```


Hey there,
does anyone have a solution for this? Using S3 events in my function implicitly creates a Lambda permission without the SourceAccount condition.
Config and therefore Security Hub are reporting the Lambda function as non-compliant. This actually makes sense, since the resulting condition only references the SourceArn of an S3 bucket, which could possibly end up "outside" the account if it is deleted and re-created. The additional condition of SourceAccount would remediate the security finding.

But how to create the condition, when the lambda permission is created implicitly by the S3 events trigger?
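One practical way to handle both of the situations above (the explicit permission in the first post and the implicitly generated one in the second), as an added example that is not code from this thread or from the Serverless Framework: package the service, scan the compiled CloudFormation template for `AWS::Lambda::Permission` resources granted to `s3.amazonaws.com` without a `SourceAccount`, and emit a `resources.extensions` fragment that merges the missing condition into the generated resource by its logical ID. The `extensions` key is the Framework's mechanism for patching generated resources rather than redefining them; treat its availability as an assumption to verify against your Framework version. The logical ID in the sample template (`MyLambdaFunctionLambdaPermissionMyDashs3DashbucketS3`) is hypothetical, constructed to resemble the Framework's naming; the real one must be read from your own compiled template, which is exactly what the script does when given a path.

```python
"""Find S3-trigger Lambda permissions that lack a SourceAccount condition.

Added example, not code from the thread or from the Serverless Framework.
Point it at the compiled template that `serverless package` writes to
.serverless/cloudformation-template-update-stack.json; without an argument it
runs against the constructed sample template below.
"""
import json
import sys

# Service principals whose SourceArn does not pin the caller to an account:
# an S3 bucket ARN has no account ID field, so SourceArn alone can be
# satisfied by a same-named bucket in another account if the bucket is
# deleted and re-created elsewhere.
PRINCIPALS_NEEDING_SOURCE_ACCOUNT = {"s3.amazonaws.com"}

# Constructed sample template. The first logical ID is hypothetical and only
# mimics the shape of the resource the Framework generates for an s3 event
# (read the real one from your compiled template). The second already
# carries SourceAccount and must not be flagged.
SAMPLE_TEMPLATE = {
    "Resources": {
        "MyLambdaFunctionLambdaPermissionMyDashs3DashbucketS3": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": {"Fn::GetAtt": ["MyLambdaFunctionLambdaFunction", "Arn"]},
                "Action": "lambda:InvokeFunction",
                "Principal": "s3.amazonaws.com",
                "SourceArn": {"Fn::Join": ["", ["arn:aws:s3:::", "my-s3-bucket"]]},
            },
        },
        "CompliantPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "FunctionName": "other-function",
                "Action": "lambda:InvokeFunction",
                "Principal": "s3.amazonaws.com",
                "SourceArn": "arn:aws:s3:::other-bucket",
                "SourceAccount": {"Ref": "AWS::AccountId"},
            },
        },
    }
}


def find_unscoped_permissions(template):
    """Return the logical IDs of AWS::Lambda::Permission resources that grant
    a listed service principal invoke rights without a SourceAccount."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Permission":
            continue
        props = resource.get("Properties", {})
        if props.get("Principal") not in PRINCIPALS_NEEDING_SOURCE_ACCOUNT:
            continue
        if "SourceAccount" not in props:
            findings.append(logical_id)
    return sorted(findings)


def render_extensions_override(logical_ids):
    """Build a serverless.yml `resources.extensions` fragment that merges a
    SourceAccount condition into each generated permission resource.
    (`extensions` is assumed to be supported by your Framework version.)"""
    lines = ["resources:", "  extensions:"]
    for logical_id in logical_ids:
        lines += [
            f"    {logical_id}:",
            "      Properties:",
            "        SourceAccount:",
            "          Ref: AWS::AccountId",
        ]
    return "\n".join(lines) + "\n"


def main(argv):
    """Scan a template file (argv[1]) or the sample; exit 1 if anything is flagged."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = find_unscoped_permissions(template)
    if not findings:
        print("All Lambda permissions for the listed principals carry SourceAccount.")
        return 0
    print("Lambda permissions missing SourceAccount:")
    for logical_id in findings:
        print(f"  - {logical_id}")
    print("\nSuggested serverless.yml override:\n")
    print(render_extensions_override(findings))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `serverless package`, then `python check_permissions.py .serverless/cloudformation-template-update-stack.json`; paste the emitted `resources.extensions` fragment into serverless.yml, package again and re-run the script until it reports no findings. Because the check reads the compiled template, it catches the implicit permission the `s3` event creates as well as any hand-written one, and the non-zero exit code lets it sit in CI as a pre-deploy gate.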