Fix: CDS-1756 reduce custom-resource function permissions scope (#124)

* fix: get rid of iam permissions for shipper custom resource function * fix: CDS-1756 reduce permissions to region/account scope * fix: update the changelog * fix: update semantic version in template.yaml * align cargo.toml version with template version --------- Co-authored-by: Concourse <[email protected]>
coralogix · Jan 2, 2025 · c069adb · c069adb
1 parent 6fd2d26
commit c069adb
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+### v1.1.2 / 2025-12-31
+### 🧰 Bug fixes 🧰
+- cds-1756 - Restricted Lambda `EventSourceMapping` permissions used by custom resource function, so it won't have a wildcard/full resource access
+
 ### v1.1.1 / 2025-12-27
 ### 🧰 Bug fixes 🧰
 - cds-1747 - Removed `iam:*` permissions from Shipper, as they were leftover from older versions as the Custom Resource use to be responsible for editing the policy directly

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "coralogix-aws-shipper"
-version = "1.1.0"
+version = "1.1.2"
 edition = "2021"
 
 [dependencies]

diff --git a/template.yaml b/template.yaml
@@ -25,7 +25,7 @@ Metadata:
       - kinesis
       - cloudfront
     HomePageUrl: https://coralogix.com
-    SemanticVersion: 1.1.0
+    SemanticVersion: 1.1.2
     SourceCodeUrl: https://github.com/coralogix/coralogix-aws-shipper
 
   AWS::CloudFormation::Interface:
@@ -1192,7 +1192,7 @@ Resources:
           - lambda:UpdateEventSourceMapping
           - lambda:GetFunctionConfiguration
           - lambda:UpdateFunctionConfiguration
-          Resource: '*'
+          Resource: !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*
       - Statement:
         - Sid: S3NotificationPolicy
           Effect: Allow