fix(config): add SourceAccount condition to Lambda permission (aws#16617

) According to [AWS Config best practices](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html#restricted-lambda-policy), we should add a `SourceAccount` condition to the Lambda Permission we create in `CustomRule`. Note that we cannot add the `SourceArn` condition, because that would cause a cyclic dependency between the `LambdaPermission` resource, and the `Rule` resource (as the `Rule` can only be created _after_ the `LambdaPermission` has been created - this is validated by the AWS Config service - and so needs a `DependOn` for the Lambda Permission). ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO · Feb 21, 2022 · e89126e · e89126e
1 parent 6998544
commit e89126e
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-config/lib/rule.ts b/packages/@aws-cdk/aws-config/lib/rule.ts
@@ -355,6 +355,7 @@ export class CustomRule extends RuleNew {
 
     props.lambdaFunction.addPermission('Permission', {
       principal: new iam.ServicePrincipal('config.amazonaws.com'),
+      sourceAccount: this.env.account,
     });
 
     if (props.lambdaFunction.role) {

diff --git a/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json b/packages/@aws-cdk/aws-config/test/integ.rule.lit.expected.json
@@ -72,7 +72,10 @@
             "Arn"
           ]
         },
-        "Principal": "config.amazonaws.com"
+        "Principal": "config.amazonaws.com",
+        "SourceAccount": {
+          "Ref": "AWS::AccountId"
+        }
       }
     },
     "Custom8166710A": {
@@ -221,4 +224,4 @@
       }
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json b/packages/@aws-cdk/aws-config/test/integ.scoped-rule.expected.json
@@ -72,7 +72,10 @@
             "Arn"
           ]
         },
-        "Principal": "config.amazonaws.com"
+        "Principal": "config.amazonaws.com",
+        "SourceAccount": {
+          "Ref": "AWS::AccountId"
+        }
       }
     },
     "Custom8166710A": {
@@ -106,4 +109,4 @@
       ]
     }
   }
-}
+}
diff --git a/packages/@aws-cdk/aws-config/test/rule.test.ts b/packages/@aws-cdk/aws-config/test/rule.test.ts
@@ -101,6 +101,9 @@ describe('rule', () => {
 
     expect(stack).toHaveResource('AWS::Lambda::Permission', {
       Principal: 'config.amazonaws.com',
+      SourceAccount: {
+        Ref: 'AWS::AccountId',
+      },
     });
 
     expect(stack).toHaveResource('AWS::IAM::Role', {