Update lambda permission to include the SourceAccount #488
Comments
This is a slightly harder problem than it looks. Many organizations use cross-account access for their Config-Lambda communication. In these cases, a static

I think it's a worthy goal, but should be opt-in instead of always-on.

I can agree with that. Setting a principal org id on the lambda permission would work well for a multi-account setup like the one in this blog post: https://aws.amazon.com/blogs/mt/aws-config-rdk-multi-account-and-multi-region-deployment/. That way only accounts in the org can invoke the lambda function. I'm not familiar enough with the repo to make a suggestion on how to make this field optional, but I support the effort 👍
The lambda permission that gets created should prohibit public access. When setting 'Principal' to a service principal (for example, config.amazonaws.com), provide the 'SourceAccount' field as well.
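Added example (not RDK's code, and not from any participant in this thread): a small pure-Python helper that builds the keyword arguments a scoped `lambda.add_permission()` call would take, refusing a bare service principal, plus an audit function that scans a Lambda resource policy document of the shape `get_policy()["Policy"]` returns and flags `Allow` statements that grant a service principal without an `aws:SourceAccount`, `aws:SourceArn` or `aws:PrincipalOrgID` condition. The parameter names `FunctionName`, `StatementId`, `Action`, `Principal`, `SourceAccount` and `PrincipalOrgID` are boto3's; everything else (function and statement names, account and org IDs, the sample policy) is constructed for illustration. Nothing here calls AWS, so it runs offline.

```python
"""Scoped Lambda invoke permissions for a service principal (added example).

build_permission()            -> kwargs for boto3 lambda.add_permission()
find_unscoped_service_grants  -> Sids in a resource policy that let a
                                 service principal invoke without scoping
"""
import json
from typing import List, Optional

# Condition keys that tie a service-principal grant to a specific caller.
# Compared case-insensitively because Lambda renders them as "AWS:SourceAccount".
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}


def build_permission(function_name: str, statement_id: str, principal: str,
                     source_account: Optional[str] = None,
                     principal_org_id: Optional[str] = None) -> dict:
    """Return the kwargs for lambda.add_permission().

    A service principal (anything ending in .amazonaws.com) must be scoped by
    SourceAccount (single account) or PrincipalOrgID (multi-account org);
    without either, that service can invoke the function on behalf of ANY
    AWS account, which is the exposure this issue is about.
    """
    is_service = principal.endswith(".amazonaws.com")
    if is_service and not (source_account or principal_org_id):
        raise ValueError(
            f"{principal} without SourceAccount or PrincipalOrgID would be public")
    kwargs = {
        "FunctionName": function_name,
        "StatementId": statement_id,
        "Action": "lambda:InvokeFunction",
        "Principal": principal,
    }
    if source_account:
        kwargs["SourceAccount"] = source_account
    if principal_org_id:
        kwargs["PrincipalOrgID"] = principal_org_id
    return kwargs


def find_unscoped_service_grants(policy_json: str) -> List[str]:
    """Return Sids of Allow statements whose Principal is a Service and whose
    Condition block carries none of SCOPING_KEYS."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # single statement, not a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not (isinstance(principal, dict) and "Service" in principal):
            continue                        # account/role principals are out of scope here
        present = set()
        for operator_block in stmt.get("Condition", {}).values():
            present.update(k.lower() for k in operator_block)
        if not present & SCOPING_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Constructed sample: the JSON string lambda.get_policy()["Policy"] would return.
# "ConfigPermission" is the unscoped grant; "ConfigPermissionScoped" is the fix.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {"Sid": "ConfigPermission", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ExampleRule"},
        {"Sid": "ConfigPermissionScoped", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:ExampleRule",
         "Condition": {"StringEquals": {"AWS:SourceAccount": "123456789012"}}},
    ],
})

if __name__ == "__main__":
    print("unscoped grants:", find_unscoped_service_grants(SAMPLE_POLICY))
    print(build_permission("ExampleRule", "ConfigPermissionScoped",
                           "config.amazonaws.com", source_account="123456789012"))
    print(build_permission("ExampleRule", "ConfigPermissionOrg",
                           "config.amazonaws.com", principal_org_id="o-exampleorgid"))
```

To make the check opt-in, as the thread suggests, the caller decides whether to pass `source_account` (single-account deployment) or `principal_org_id` (the multi-account pattern from the linked blog post); the audit function is independent of that choice and can be run over every rule function's policy after deployment.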