Add source account requirement to Event Permissions (#1081)

* change core.py to add source account requirement when creating permissions to link function to event * use black to fix code formatting issues Co-authored-by: [email protected] <[email protected]> Co-authored-by: hellno <[email protected]> Co-authored-by: javulticat <[email protected]>
zappa · Dec 8, 2021 · d359e22 · d359e22
1 parent ba6c19a
commit d359e22
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/zappa/core.py b/zappa/core.py
@@ -2966,6 +2966,9 @@ def create_event_permission(self, lambda_name, principal, source_arn):
         logger.debug(
             "Adding new permission to invoke Lambda function: {}".format(lambda_name)
         )
+
+        account_id: str = self.sts_client.get_caller_identity().get("Account")
+
         permission_response = self.lambda_client.add_permission(
             FunctionName=lambda_name,
             StatementId="".join(
@@ -2974,6 +2977,12 @@ def create_event_permission(self, lambda_name, principal, source_arn):
             Action="lambda:InvokeFunction",
             Principal=principal,
             SourceArn=source_arn,
+            # The SourceAccount argument ensures that only the specified AWS account can invoke the lambda function.
+            # This prevents a security issue where if a lambda is triggered off of s3 bucket events and the bucket is
+            # deleted, another AWS account can create a bucket with the same name and potentially trigger the original
+            # lambda function, since bucket names are global.
+            # https://github.com/zappa/Zappa/issues/1039
+            SourceAccount=account_id,
         )
 
         if permission_response["ResponseMetadata"]["HTTPStatusCode"] != 201: