Add SourceAccount property to all S3-triggered Lambda and API Gateway Lambda permissions to prevent cross-account access

kris-szlapa · kris-szlapa · commit f224f7304385 · 2025-08-11T15:46:33.000Z
diff --git a/packages/cdk/constructs/RestApiGateway/LambdaEndpoint.ts b/packages/cdk/constructs/RestApiGateway/LambdaEndpoint.ts
@@ -1,7 +1,8 @@
 import {Construct} from "constructs"
 import {IResource, LambdaIntegration} from "aws-cdk-lib/aws-apigateway"
 import {HttpMethod} from "aws-cdk-lib/aws-lambda"
-import {IRole} from "aws-cdk-lib/aws-iam"
+import {IRole, ServicePrincipal} from "aws-cdk-lib/aws-iam"
+import {Aws} from "aws-cdk-lib"
 import {LambdaFunction} from "../LambdaFunction"
 
 export interface LambdaEndpointProps {
@@ -20,9 +21,20 @@ export class LambdaEndpoint extends Construct {
 
     const resource = props.parentResource.addResource(props.resourceName)
 
-    resource.addMethod(props.method, new LambdaIntegration(props.lambdaFunction.function, {
-      credentialsRole: props.restApiGatewayRole
-    }))
+    const integration = new LambdaIntegration(props.lambdaFunction.function, {
+      credentialsRole: props.restApiGatewayRole,
+      allowTestInvoke: false,
+      proxy: false
+    })
+    
+    resource.addMethod(props.method, integration)
+    
+    // Add source account to Lambda permission for NCSC compliance
+    props.lambdaFunction.function.addPermission(`ApiGatewayInvoke-${this.node.id}`, {
+      principal: new ServicePrincipal("apigateway.amazonaws.com"),
+      action: "lambda:InvokeFunction",
+      sourceAccount: Aws.ACCOUNT_ID
+    })
 
     props.restApiGatewayRole.addManagedPolicy(props.lambdaFunction.executionPolicy)
 
diff --git a/packages/cdk/constructs/S3LambdaNotification.ts b/packages/cdk/constructs/S3LambdaNotification.ts
@@ -1,7 +1,8 @@
 import {Construct} from "constructs"
-import {Bucket, EventType} from "aws-cdk-lib/aws-s3"
-import {LambdaDestination} from "aws-cdk-lib/aws-s3-notifications"
+import {Bucket, EventType, CfnBucket} from "aws-cdk-lib/aws-s3"
 import {Function as LambdaFunction} from "aws-cdk-lib/aws-lambda"
+import {Aws} from "aws-cdk-lib"
+import {ServicePrincipal} from "aws-cdk-lib/aws-iam"
 
 export interface S3LambdaNotificationProps {
   bucket: Bucket
@@ -12,11 +13,33 @@ export class S3LambdaNotification extends Construct {
   constructor(scope: Construct, id: string, props: S3LambdaNotificationProps) {
     super(scope, id)
 
-    const lambdaDestination = new LambdaDestination(props.lambdaFunction)
+    // Add source account to Lambda permission for NCSC compliance
+    props.lambdaFunction.addPermission(`S3Invoke-${this.node.id}`, {
+      principal: new ServicePrincipal("s3.amazonaws.com"),
+      action: "lambda:InvokeFunction",
+      sourceAccount: Aws.ACCOUNT_ID,
+      sourceArn: props.bucket.bucketArn
+    })
 
-    // Listen for all object events to keep knowledge base in sync
-    props.bucket.addEventNotification(EventType.OBJECT_CREATED, lambdaDestination)
-    props.bucket.addEventNotification(EventType.OBJECT_REMOVED, lambdaDestination)
-    props.bucket.addEventNotification(EventType.OBJECT_RESTORE_COMPLETED, lambdaDestination)
+    // Get the underlying CfnBucket to configure notifications directly
+    const cfnBucket = props.bucket.node.defaultChild as CfnBucket
+
+    // Configure notifications directly on the CfnBucket to avoid auto-permission creation
+    cfnBucket.notificationConfiguration = {
+      lambdaConfigurations: [
+        {
+          event: EventType.OBJECT_CREATED,
+          function: props.lambdaFunction.functionArn
+        },
+        {
+          event: EventType.OBJECT_REMOVED,
+          function: props.lambdaFunction.functionArn
+        },
+        {
+          event: EventType.OBJECT_RESTORE_COMPLETED,
+          function: props.lambdaFunction.functionArn
+        }
+      ]
+    }
   }
 }
