Remove source account from Lambda permissions

Author: kris-szlapa

packages/cdk/constructs/RestApiGateway/LambdaEndpoint.ts

@@ -1,8 +1,7 @@
 import {Construct} from "constructs"
 import {IResource, LambdaIntegration} from "aws-cdk-lib/aws-apigateway"
 import {HttpMethod} from "aws-cdk-lib/aws-lambda"
-import {IRole, ServicePrincipal} from "aws-cdk-lib/aws-iam"
-import {Aws} from "aws-cdk-lib"
+import {IRole} from "aws-cdk-lib/aws-iam"
 import {LambdaFunction} from "../LambdaFunction"
 
 export interface LambdaEndpointProps {
@@ -21,20 +20,9 @@ export class LambdaEndpoint extends Construct {
 
     const resource = props.parentResource.addResource(props.resourceName)
 
-    const integration = new LambdaIntegration(props.lambdaFunction.function, {
-      credentialsRole: props.restApiGatewayRole,
-      allowTestInvoke: false,
-      proxy: false
-    })
-    
-    resource.addMethod(props.method, integration)
-    
-    // Add source account to Lambda permission for NCSC compliance
-    props.lambdaFunction.function.addPermission(`ApiGatewayInvoke-${this.node.id}`, {
-      principal: new ServicePrincipal("apigateway.amazonaws.com"),
-      action: "lambda:InvokeFunction",
-      sourceAccount: Aws.ACCOUNT_ID
-    })
+    resource.addMethod(props.method, new LambdaIntegration(props.lambdaFunction.function, {
+      credentialsRole: props.restApiGatewayRole
+    }))
 
     props.restApiGatewayRole.addManagedPolicy(props.lambdaFunction.executionPolicy)
 

packages/cdk/constructs/S3LambdaNotification.ts

@@ -1,8 +1,7 @@
 import {Construct} from "constructs"
-import {Bucket, EventType, CfnBucket} from "aws-cdk-lib/aws-s3"
+import {Bucket, EventType} from "aws-cdk-lib/aws-s3"
+import {LambdaDestination} from "aws-cdk-lib/aws-s3-notifications"
 import {Function as LambdaFunction} from "aws-cdk-lib/aws-lambda"
-import {Aws} from "aws-cdk-lib"
-import {ServicePrincipal} from "aws-cdk-lib/aws-iam"
 
 export interface S3LambdaNotificationProps {
   bucket: Bucket
@@ -13,33 +12,11 @@ export class S3LambdaNotification extends Construct {
   constructor(scope: Construct, id: string, props: S3LambdaNotificationProps) {
     super(scope, id)
 
-    // Add source account to Lambda permission for NCSC compliance
-    props.lambdaFunction.addPermission(`S3Invoke-${this.node.id}`, {
-      principal: new ServicePrincipal("s3.amazonaws.com"),
-      action: "lambda:InvokeFunction",
-      sourceAccount: Aws.ACCOUNT_ID,
-      sourceArn: props.bucket.bucketArn
-    })
+    const lambdaDestination = new LambdaDestination(props.lambdaFunction)
 
-    // Get the underlying CfnBucket to configure notifications directly
-    const cfnBucket = props.bucket.node.defaultChild as CfnBucket
-
-    // Configure notifications directly on the CfnBucket to avoid auto-permission creation
-    cfnBucket.notificationConfiguration = {
-      lambdaConfigurations: [
-        {
-          event: EventType.OBJECT_CREATED,
-          function: props.lambdaFunction.functionArn
-        },
-        {
-          event: EventType.OBJECT_REMOVED,
-          function: props.lambdaFunction.functionArn
-        },
-        {
-          event: EventType.OBJECT_RESTORE_COMPLETED,
-          function: props.lambdaFunction.functionArn
-        }
-      ]
-    }
+    // Listen for all object events to keep knowledge base in sync
+    props.bucket.addEventNotification(EventType.OBJECT_CREATED, lambdaDestination)
+    props.bucket.addEventNotification(EventType.OBJECT_REMOVED, lambdaDestination)
+    props.bucket.addEventNotification(EventType.OBJECT_RESTORE_COMPLETED, lambdaDestination)
   }
 }