juanjoDiaz / serverless-plugin-warmup

Keep your lambdas warm during winter. ♨
MIT License

"Lambda Security Notification" from AWS involving IAM policies #308

Closed thiagosanches closed 2 years ago

thiagosanches commented 2 years ago

Hi everyone,

AWS is complaining about the way that users make usage of the ARN and its qualifiers. We received the following message from them:

Hello,

You are receiving this email because AWS Lambda is making a change to the IAM policy evaluation when accessing Lambda function APIs, and we identified that your account will be impacted by this change.

We would like to offer some background about usage of Lambda function APIs. A Lambda function may include versions [1] and aliases [2] which are sub-resources of a function. You can operate on versions and aliases using the Lambda function APIs in one of two ways: (1) You can either append the version number or alias name as a suffix to the function ARN. We will refer to this as a "qualified" Amazon Resource Name (ARN); or (2) You can specify only the function ARN (we refer to this as an "unqualified" ARN), and add a separate "qualifier" parameter in the API command. For example, a function "helloworld" with version "42" can be passed into API request using the function ARN as arn:aws:lambda:aws-region:acct-id:function:helloworld:42 or arn:aws:lambda:aws-region:acct-id:function:helloworld, Qualifier=42. These call types are equivalent.

Currently, you can restrict the scope of a user's permissions to the Lambda function APIs by using an unqualified ARN in the Resource element of your IAM or VPC endpoint policy. Previously, when used in this way, Lambda interpreted such permissions in one of two ways depending on the API usage. Either by granting permission to requests to the function only, or granting permissions to requests to the function and all of its sub-resources. For example, when using IAM or VPC endpoint policy with resource element as unqualified ARN, arn:aws:lambda:aws-region:acct-id:function:helloworld, API Request(s) with qualified ARN as arn:aws:lambda:aws-region:acct-id:function:helloworld:42 is denied and the request using arn:aws:lambda:aws-region:acct-id:function:helloworld, Qualifier=42 is allowed. We received customer feedback that this dual interpretation was not always intuitive. To address this feedback and increase the consistency of the Lambda function APIs authorization, starting January 24, 2022, Lambda requires IAM or VPC endpoint policies to specify the fully qualified ARN in the Resource element when authorizing API calls that use an unqualified ARN with a qualifier parameter.

We identified that your AWS account calls AWS Lambda APIs using the unqualified ARN with a qualifier parameter while the associated permissions for the user who makes these API calls use the unqualified ARN in the policy's Resource element. To continue making these API calls successfully, you need to append the version number, alias name to the unqualified function ARN in your policy's Resource element. To allow access to all the sub-resources of a function, append ":" and "*" to the unqualified function ARN and to allow access to both function (unqualified ARN) and all sub-resources of a function, append "*" to the unqualified function ARN. Additionally, you need to ensure the updated policies are used by the IAM users/roles that make the Lambda API calls. Please find the following instructions on how to make this change.

This change will begin on April 30, 2022, to give you ample time to update your IAM policies or permissions attached to the users and roles that call Lambda APIs before that. We have also provided a list of your affected resources in the US-EAST-1 Region at the end of this message to make it easier to locate and update them. If you do not take this action by April 30, 2022, Lambda API calls will fail with permission errors.

Steps to update your IAM policies:

  1. The list of affected function ARN, region, qualifier value used in the qualifier parameter, Lambda API name is provided to you in the format "API operation | function excluding qualifier | qualifier".
  2. Starting at the IAM Console, go to Policies.
  3. Look for policies that match Resource field as function ARN. For example, If the function ARN is arn:aws:lambda:aws-region:acct-id:function:my-function, find policies where Resource field contains "function:my-function".
  4. For the matching policies, Click on the "Edit Policy" button and select JSON.
  5. Change the Resource field from "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function" ] to "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function:stage"] to authorize access to a function alias (in this example "stage" is the name of the alias).
  6. Alternatively, change the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function:1"] to authorize access to a specific function version (in this example "1" is the version number).
  7. To allow access to all sub-resources of a function, append ":" and "*" to function name by changing the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function:*" ].
  8. To allow access to function (unqualified ARN) and its sub-resources, append "*" to function name by changing the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:myFunction*"].
  9. Click Review Policy and Save.

That being said, it seems that the warmup plugin needs to update the way it creates the InvokeFunction policy to let it comply with the new AWS rules described above.


Do you guys have any plan on this?

Thank you, Regards.
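As an added example (not code from serverless-plugin-warmup or from the AWS notice), the following JavaScript audits an IAM statement against the qualified-ARN rule quoted above, lists the affected calls it would stop authorizing, and rewrites unqualified function ARNs to the ":*" form the notice recommends. The account id, function names and affected-resource lines are constructed.

```javascript
// Added audit example, not code from serverless-plugin-warmup or AWS. Rule from
// the notification: an unqualified function ARN in Resource no longer authorizes
// a call that passes Qualifier=<version|alias>; the entry needs ":<qualifier>",
// ":*" (sub-resources only) or "*" (function plus sub-resources).

// Does one Resource pattern cover the target ARN? Only a trailing "*" wildcard
// is modelled here.
function resourceMatches(pattern, arn) {
  if (pattern === '*') return true;
  if (pattern.endsWith('*')) return arn.startsWith(pattern.slice(0, -1));
  return pattern === arn;
}
// A request with a qualifier is checked against "<functionArn>:<qualifier>";
// one without a qualifier against the bare function ARN.
function isAuthorized(statement, functionArn, qualifier) {
  const target = qualifier ? `${functionArn}:${qualifier}` : functionArn;
  return [].concat(statement.Resource).some((r) => resourceMatches(r, target));
}
// Parse lines in the notification's format:
// "API operation | function excluding qualifier | qualifier".
function parseAffected(lines) {
  return lines.map((line) => {
    const [op, functionArn, qualifier] = line.split('|').map((s) => s.trim());
    return { op, functionArn, qualifier };
  });
}
// Affected calls the statement will stop authorizing after the change.
function findBrokenCalls(statement, lines) {
  return parseAffected(lines)
    .filter((c) => !isAuthorized(statement, c.functionArn, c.qualifier));
}
// Remediation: append ":*" to every unqualified function ARN in Resource.
function qualifyResources(statement) {
  const fixed = [].concat(statement.Resource)
    .map((r) => (/:function:[^:*]+$/.test(r) ? `${r}:*` : r));
  return { ...statement, Resource: fixed };
}
// Constructed sample (account id and function names are made up).
const FN = 'arn:aws:lambda:us-east-1:123456789012:function';
const STATEMENT = {
  Effect: 'Allow',
  Action: ['lambda:InvokeFunction'],
  Resource: [`${FN}:helloworld`, `${FN}:checkout:*`],
};
const AFFECTED = [
  `InvokeFunction | ${FN}:helloworld | 42`,
  `InvokeFunction | ${FN}:checkout | prod`,
];
console.log(findBrokenCalls(STATEMENT, AFFECTED)); // helloworld / 42 is broken
console.log(findBrokenCalls(qualifyResources(STATEMENT), AFFECTED)); // []
```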

victorcsciandt commented 2 years ago

I stumbled across the same problem here

henriquef-cit commented 2 years ago

Same problem here


henriquef-cit commented 2 years ago

I would like to ask you folks to also attend to this fix for the warmup version compatible with serverless 2.x. Thank you.

juanjoDiaz commented 2 years ago

Solved in v6.2.1.