feat(Lambda): Service and checks (#1491)

2026-02-11 07:15:15 +00:00 · 2022-11-17 22:59:28 +01:00
parent 538496ed6b
commit 9954763356
42 changed files with 3187 additions and 1770 deletions
--- a/providers/aws/services/awslambda/awslambda_function_url_public/init.py
+++ b/providers/aws/services/awslambda/awslambda_function_url_public/init.py
--- a/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json
+++ b/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.metadata.json
@@ -0,0 +1,35 @@
+{
+  "Provider": "aws",
+  "CheckID": "awslambda_function_url_public",
+  "CheckTitle": "Check Public Lambda Function URL.",
+  "CheckType": [],
+  "ServiceName": "lambda",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:partition:lambda:region:account-id:function/function-name",
+  "Severity": "high",
+  "ResourceType": "AwsLambdaFunction",
+  "Description": "Check Public Lambda Function URL.",
+  "Risk": "Publicly accessible services could expose sensitive data to bad actors.",
+  "RelatedUrl": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws lambda update-function-url-config --region AWS_REGION --function-name FUNCTION-NAME --auth-type AWS_IAM",
+      "NativeIaC": "",
+      "Other": "",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Grant usage permission on a per-resource basis and applying least privilege principle.",
+      "Url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html"
+    }
+  },
+  "Categories": [],
+  "Tags": {
+    "Tag1Key": "value",
+    "Tag2Key": "value"
+  },
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": "",
+  "Compliance": []
+}
--- a/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py
+++ b/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public.py
@@ -0,0 +1,25 @@
+from lib.check.models import Check, Check_Report
+from providers.aws.services.awslambda.awslambda_client import awslambda_client
+
+from providers.aws.services.awslambda.awslambda_service import AuthType
+
+
+class awslambda_function_url_public(Check):
+    def execute(self):
+        findings = []
+        for function in awslambda_client.functions.values():
+            report = Check_Report(self.metadata)
+            report.region = function.region
+            report.resource_id = function.name
+            report.resource_arn = function.arn
+            if function.url_config:
+                if function.url_config.auth_type == AuthType.AWS_IAM:
+                    report.status = "PASS"
+                    report.status_extended = f"Lambda function {function.name} has not a publicly accessible function URL"
+                else:
+                    report.status = "FAIL"
+                    report.status_extended = f"Lambda function {function.name} has a publicly accessible function URL"
+
+                findings.append(report)
+
+        return findings
--- a/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public_test.py
+++ b/providers/aws/services/awslambda/awslambda_function_url_public/awslambda_function_url_public_test.py
@@ -0,0 +1,118 @@
+from unittest import mock
+
+from moto.core import DEFAULT_ACCOUNT_ID
+
+from providers.aws.services.awslambda.awslambda_service import (
+    AuthType,
+    Function,
+    URLConfig,
+    URLConfigCORS,
+)
+
+AWS_REGION = "us-east-1"
+
+
+class Test_awslambda_function_url_public:
+    def test_no_functions(self):
+        lambda_client = mock.MagicMock
+        lambda_client.functions = {}
+
+        with mock.patch(
+            "providers.aws.services.awslambda.awslambda_service.Lambda",
+            new=lambda_client,
+        ):
+            # Test Check
+            from providers.aws.services.awslambda.awslambda_function_url_public.awslambda_function_url_public import (
+                awslambda_function_url_public,
+            )
+
+            check = awslambda_function_url_public()
+            result = check.execute()
+
+            assert len(result) == 0
+
+    def test_function_public_url(self):
+        lambda_client = mock.MagicMock
+        function_name = "test-lambda"
+        function_runtime = "nodejs4.3"
+        function_arn = (
+            f"arn:aws:lambda:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:function/{function_name}"
+        )
+        lambda_client.functions = {
+            "function_name": Function(
+                name=function_name,
+                arn=function_arn,
+                region=AWS_REGION,
+                runtime=function_runtime,
+                url_config=URLConfig(
+                    auth_type=AuthType.NONE,
+                    url="",
+                    cors_config=URLConfigCORS(allow_origins=[]),
+                ),
+            )
+        }
+
+        with mock.patch(
+            "providers.aws.services.awslambda.awslambda_service.Lambda",
+            new=lambda_client,
+        ):
+            # Test Check
+            from providers.aws.services.awslambda.awslambda_function_url_public.awslambda_function_url_public import (
+                awslambda_function_url_public,
+            )
+
+            check = awslambda_function_url_public()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_id == function_name
+            assert result[0].resource_arn == function_arn
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"Lambda function {function_name} has a publicly accessible function URL"
+            )
+
+    def test_function_private_url(self):
+        lambda_client = mock.MagicMock
+        function_name = "test-lambda"
+        function_runtime = "python3.9"
+        function_arn = (
+            f"arn:aws:lambda:{AWS_REGION}:{DEFAULT_ACCOUNT_ID}:function/{function_name}"
+        )
+        lambda_client.functions = {
+            "function_name": Function(
+                name=function_name,
+                arn=function_arn,
+                region=AWS_REGION,
+                runtime=function_runtime,
+                url_config=URLConfig(
+                    auth_type=AuthType.AWS_IAM,
+                    url="",
+                    cors_config=URLConfigCORS(allow_origins=[]),
+                ),
+            )
+        }
+
+        with mock.patch(
+            "providers.aws.services.awslambda.awslambda_service.Lambda",
+            new=lambda_client,
+        ):
+            # Test Check
+            from providers.aws.services.awslambda.awslambda_function_url_public.awslambda_function_url_public import (
+                awslambda_function_url_public,
+            )
+
+            check = awslambda_function_url_public()
+            result = check.execute()
+
+            assert len(result) == 1
+            assert result[0].region == AWS_REGION
+            assert result[0].resource_id == function_name
+            assert result[0].resource_arn == function_arn
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"Lambda function {function_name} has not a publicly accessible function URL"
+            )