Menu
In the Documentation for Resource-Based Policies for Lambda, it mentions that it's best practice to include the source-account incase for example you specified a source-arn which referred to an s3 bucket which does not have the account id in the arn, so if you were unlucky and somebody deleted your bucket, and another account created a bucket with the same name they could indirectly access your Lambda function.
But then you also have the notation of a Principal, as in one of the examples they have:
"Principal":{"AWS":"arn:aws:iam::210987654321:root"}
What is the difference between Principal & source-account. Do you use the Principal in the case when you want to refine the permissions down to a particular role or user within an account? And if this isn't your situation and you only want to grant access to your Lambda from an entire account you would use source-account?
621
One reason of using the aws:SourceAccount is the mitigation of The Confused Deputy Problem.
Specifically, in the context of S3, it is used so that S3 is not considered as the confused deputy.
185
The principal is what has the permission to trigger the resource, for example in this case the principal is actually the S3 service. This is because S3 is not configured to assume IAM roles, the service is actually the caller of the Lambda function.
The conditions underneath then scope the permissions to only allow the S3 service to call when it is coming from the source account/bucket. Without this it would be an open scope to Amazon S3.
You're correct that principals can be used to reference IAM users/roles and in your example the entire AWS account (assuming the caller is actually an IAM user/role). You would use this method if the caller was an IAM entity vs another AWS service.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
