This is a security flaw that would allow any Principal to execute the CloudFormation Macro Proxy Lambda function. Ideally these functions should basically just be simple, pure transforms, but it is a security problem nonetheless.
Solutions:
in the CDK application that generates the stack, scrape the account ID list and call function.add_permission for each
wait for the resource-based policy API for Lambda to be more expressive and allow for an account list or an Organization ID
This is a security flaw that would allow any Principal to execute the CloudFormation Macro Proxy Lambda function. Ideally these functions should basically just be simple, pure transforms, but it is a security problem nonetheless.
Solutions:
function.add_permissionfor each