#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
#
# Description:
#    Checks if the AWS Lambda function policy attached to the Lambda resource prohibits public access.
#
# Reports on:
#    AWS::Lambda::Permission
#    AWS::Lambda::LayerVersionPermission
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when no AWS Lambda permission policies are present
# b) PASS: when all AWS Lambda permission policies prohibit public access
# c) FAIL: when any AWS Lambda permission policies allow public access
# d) SKIP: hen metadata includes the suppression for rule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

#
# Select all AWS Lambda Permission resources from incoming template (payload)
#
let aws_lambda_permissions_public_access_prohibited = Resources.*[
  Type in [ /AWS::Lambda::Permission/,
    /AWS::Lambda::LayerVersionPermission/ ]
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED"
]

rule LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED when %aws_lambda_permissions_public_access_prohibited !empty {

  # Lambda permission policy where principal is an account id
  %aws_lambda_permissions_public_access_prohibited {
    Type == 'AWS::Lambda::Permission'
    Properties {
      Principal in [ /^\d{12}$/, {"Ref":"AWS::AccountId"} ]
      OR Principal > 0
    }
  }

  # Lambda permission policy where principal is a service (not s3)
  OR %aws_lambda_permissions_public_access_prohibited {
    Type == 'AWS::Lambda::Permission'
    Properties {
      Principal != 's3.amazonaws.com'
      PrincipalOrgID !empty
      OR SourceAccount exists
      OR SourceArn !empty
      <<
        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
        Fix: Limit permission policies by setting the Principal property to an account ID,
        or limiting a service principal by setting the SourceArn, SourceAccount, or PrincipalOrgID properties.
      >>
    }
  }

  # Lambda permission policy where principal is s3 service
  OR %aws_lambda_permissions_public_access_prohibited {
    Type == 'AWS::Lambda::Permission'
    Properties {
      Principal == 's3.amazonaws.com'
      PrincipalOrgID !empty
      OR SourceAccount exists
      <<
        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
        Fix: Limit permission policies by setting the Principal property to an account ID,
        or for S3 as the principal specify either a SourceAccount or PrincipalOrgID.
        Note: It is possible for an S3 bucket to be deleted by its owner and recreated by another account.
      >>
    }
  }

  # Lambda layer version permission policies
  OR %aws_lambda_permissions_public_access_prohibited {
    Type == 'AWS::Lambda::LayerVersionPermission'
    Properties {
      OrganizationId !empty
      OR Principal in [ /^\d{12}$/, {"Ref":"AWS::AccountId"} ]
      OR Principal > 0
      <<
        Violation: All Lambda permission policies attached to Lambda resources must prohibit public access.
        Fix: For Lambda layer version permission policies, either limit permissions by the OrganizationId property
        or set the Principal property to an account ID rather than using a wildcard (*).
      >>
    }
  }
}