Ban lambda wildcards (#223)

* Improve wildcard expressions to start considering question marks as wildcards too * Update changelog * Apply suggestions from code review Co-authored-by: Ramon <w0rmr1d3r@users.noreply.github.com> * Start blocking lambda actions that allow wildcards * Update changelog * Add urlconfig actions Co-authored-by: Ramon <w0rmr1d3r@users.noreply.github.com>
Skyscanner · Apr 19, 2022 · 8c8c924 · 8c8c924
1 parent 776839c
commit 8c8c924
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@ All notable changes to this project will be documented in this file.
 ### Improvements
 - CFRipper is now compatible with Python3.10
 - CFRipper is now able to detect new types of wildcard usage.
+- Default config will now detect lambda resource wildcards as through IAM overpowered roles.
 
 ### Updates
 - Bump dev dependency `moto` to allow `>=3.0.0`.

diff --git a/cfripper/config/config.py b/cfripper/config/config.py
@@ -72,13 +72,50 @@ class Config:
         "ec2:CreateDhcpOptions",
         "ec2:CreateCustomerGateway",
         "ecs:*",
+        # Lambda
+        "lambda:AddLayerVersionPermission",
+        "lambda:AddPermission",
+        "lambda:CreateFunctionUrlConfig",
+        "lambda:DeleteAlias",
+        "lambda:DeleteCodeSigningConfig",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:DeleteFunction",
+        "lambda:DeleteFunctionCodeSigningConfig",
+        "lambda:DeleteFunctionConcurrency",
+        "lambda:DeleteFunctionEventInvokeConfig",
+        "lambda:DeleteFunctionUrlConfig",
+        "lambda:DeleteLayerVersion",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:DisableReplication",
+        "lambda:EnableReplication",
+        "lambda:InvokeAsync",
+        "lambda:InvokeFunction",
+        "lambda:InvokeFunctionUrl",
+        "lambda:PublishLayerVersion",
+        "lambda:PublishVersion",
+        "lambda:PutFunctionCodeSigningConfig",
+        "lambda:PutFunctionConcurrency",
+        "lambda:PutFunctionEventInvokeConfig",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:RemoveLayerVersionPermission",
+        "lambda:RemovePermission",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:UpdateAlias",
+        "lambda:UpdateCodeSigningConfig",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionCodeSigningConfig",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:UpdateFunctionEventInvokeConfig",
+        "lambda:UpdateFunctionUrlConfig",
         # other lovely services
-        "cloudtrail:",
-        "aws-portal:",
         "acm:",
-        "trustedadvisor:",
         "aws-marketplace",
+        "aws-portal:",
+        "cloudtrail:",
         "directconnect:",
+        "trustedadvisor:",
     ]
 
     def __init__(