Lambda function policies should not allow wildcard principals

Description

Lambda function resource policies should not grant access to wildcard principals (Principal: "*") without scoping conditions. An unconditional wildcard principal allows any AWS account or unauthenticated user to access the resource, creating a significant security risk. Wildcard principals scoped by policy conditions (such as aws:SourceAccount, aws:SourceArn, or aws:PrincipalOrgID) are not flagged, because the condition restricts effective access.

Remediation

Remove or restrict resource-based policy statements that grant access to wildcard principals. Alternatively, add scoping conditions that restrict access. For guidance, refer to Using resource-based policies for Lambda.
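As an added example (not Datadog's rule implementation), the following Python check applies the rule's logic to a Lambda resource policy document such as the `Policy` string returned by the Lambda `GetPolicy` API: an `Allow` statement whose principal is the wildcard (either `"*"` or `{"AWS": "*"}`) is reported unless its `Condition` block references one of the scoping keys named above. The sample policy, account ID and organization ID are constructed placeholders.

```python
import json

# Condition keys that scope a wildcard principal (from the rule text); compared case-insensitively.
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn", "aws:principalorgid"}

def _is_wildcard_principal(principal):
    # Covers Principal: "*" and Principal: {"AWS": "*"} (string or list form).
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False

def _has_scoping_condition(condition):
    # Any operator block (StringEquals, ArnLike, ...) naming a scoping key restricts access.
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.lower() in SCOPING_KEYS:
                return True
    return False

def find_unscoped_wildcards(policy_json):
    """Return the Sids of Allow statements granting an unconditioned wildcard principal."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        if _has_scoping_condition(st.get("Condition")):
            continue  # wildcard scoped by a condition is not flagged
        findings.append(st.get("Sid", "<no-sid>"))
    return findings

# Constructed sample policy: one public statement, one scoped to an organization.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:example"  # placeholder
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicInvoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
    {"Sid": "ScopedInvoke", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]})

FINDINGS = find_unscoped_wildcards(SAMPLE_POLICY)  # ['PublicInvoke']
```

Only `PublicInvoke` is reported; `ScopedInvoke` keeps its wildcard principal but is restricted by `aws:PrincipalOrgID`, matching the rule's exemption.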