Lambda permissions with a service principal should apply to only one resource and AWS account

Description

Lambda permissions with a service principal should contain a source ARN condition to restrict access to a single resource. Lambda permissions for S3 and SES should also contain a source account condition, because S3 and SES ARNs do not contain an AWS account ID.

Terraform

Ensure that every aws_lambda_permission resource whose principal is a service principal (for example sns.amazonaws.com) sets the source_arn argument. If the permission is for S3 or SES, also ensure that it sets the source_account argument, since the source ARN alone does not identify the owning account for those services.

Example Configuration

resource "aws_lambda_permission" "sns_topic_permission" {
  function_name = aws_lambda_function.my_function.function_name
  action        = "lambda:InvokeFunction"
  principal     = "sns.amazonaws.com"
  source_arn    = aws_sns_topic.my_topic.arn
}

resource "aws_lambda_permission" "s3_bucket_permission" {
  function_name  = aws_lambda_function.my_function.function_name
  action         = "lambda:InvokeFunction"
  principal      = "s3.amazonaws.com"
  source_arn     = aws_s3_bucket.my_bucket.arn
  source_account = data.aws_caller_identity.current.account_id
}
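The following is an added example, not part of this rule page or of any scanner's code, showing how the rule above can be enforced automatically over the JSON produced by `terraform show -json plan.tfplan`. It reads the `resource_changes` array, treats any principal of the form `*.amazonaws.com` as a service principal, requires `source_arn` for all of them and `source_account` additionally for S3 and SES, and skips account or IAM principals, which this rule does not cover. One caveat the check handles: an ARN that is created in the same plan (such as a new SNS topic) is not present in `after` but is marked in `after_unknown`, and must still count as set or the check will raise false positives. The sample plan, resource names and ARNs are constructed for the example.

```python
"""Flag aws_lambda_permission resources in a Terraform plan that grant a service
principal access without a source_arn (and, for S3/SES, a source_account).
Added example; not part of the rule page or any scanner's code. Input is the
JSON from `terraform show -json plan.tfplan`."""
import json
import re
import sys

# Service principals whose event-source ARNs carry no account ID (S3, SES), so
# source_arn alone cannot tell a same-named resource in another account apart.
ACCOUNTLESS_SERVICES = {"s3.amazonaws.com", "ses.amazonaws.com"}

SERVICE_PRINCIPAL_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")


def is_service_principal(principal):
    """True for an AWS service principal; False for an account ID or IAM ARN."""
    return bool(principal) and SERVICE_PRINCIPAL_RE.fullmatch(principal) is not None


def attribute_is_set(change, key):
    """A value counts as set if it is known and non-empty in `after`, or is
    marked in `after_unknown` (computed at apply time, e.g. a new topic ARN)."""
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    return bool(after.get(key)) or unknown.get(key) is True


def check_plan(plan):
    """Return (address, finding) pairs for non-compliant Lambda permissions."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_lambda_permission":
            continue
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing will exist after apply
        principal = (change.get("after") or {}).get("principal", "")
        if not is_service_principal(principal):
            continue  # account or IAM principal: outside this rule's scope
        address = rc["address"]
        if not attribute_is_set(change, "source_arn"):
            findings.append((address, "missing source_arn"))
        if principal in ACCOUNTLESS_SERVICES and not attribute_is_set(change, "source_account"):
            findings.append((address, "missing source_account"))
    return findings


def _permission(name, after, unknown=None, actions=("create",)):
    """Build one constructed resource_changes entry (sample data only)."""
    return {
        "address": f"aws_lambda_permission.{name}",
        "type": "aws_lambda_permission",
        "name": name,
        "change": {"actions": list(actions), "before": None,
                   "after": after, "after_unknown": unknown or {}},
    }


# Constructed sample plan, trimmed to the fields the check reads.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        # SNS: the topic ARN is computed at apply time, so it appears in after_unknown.
        _permission("sns_topic_permission",
                    {"principal": "sns.amazonaws.com", "action": "lambda:InvokeFunction"},
                    {"source_arn": True}),
        # S3: bucket ARN known and account pinned -> compliant.
        _permission("s3_bucket_permission",
                    {"principal": "s3.amazonaws.com",
                     "source_arn": "arn:aws:s3:::example-bucket",
                     "source_account": "123456789012"}),
        # SES: rule-set ARN computed in this plan, but no source_account -> finding.
        _permission("ses_permission",
                    {"principal": "ses.amazonaws.com"},
                    {"source_arn": True}),
        # EventBridge: no source_arn at all -> finding.
        _permission("events_permission",
                    {"principal": "events.amazonaws.com"}),
        # Cross-account principal (an account ID), not a service: out of scope.
        _permission("account_permission",
                    {"principal": "210987654321"}),
    ],
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, finding in check_plan(plan):
        print(f"{address}: {finding}")
```

Run it with a plan file as the first argument to check real output, or with no arguments to see the two findings from the constructed sample. Treating `after_unknown` as satisfied is deliberate: a permission whose `source_arn` references a resource created in the same apply is correctly scoped even though the ARN string is not yet known.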