
[AWS::Lambda::Function] - [BUG] - False-positive drift for `Code/SourceKMSKeyArn`

Open r-heimann opened this issue 5 months ago • 0 comments

Name of the resource

AWS::Lambda::Function

Resource Name

No response

Issue Description

We found a false-positive CloudFormation drift for the following resource:

  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      Role: !GetAtt LambdaRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.13
      Timeout: 120
      LoggingConfig:
        LogGroup: !Ref LambdaLogGroup
      MemorySize: 128
      Architectures:
        - arm64
      Code:
        SourceKMSKeyArn: !GetAtt KMSKey.Arn # <--------------------------
        ZipFile: |
          def lambda_handler(event, context):

              print("Test")

| Property | Change | Expected value | Current value |
|----------|--------|----------------|---------------|
| Code | REMOVE | `{"SourceKMSKeyArn":"arn:aws:kms:..."}` | - |

Expected Behavior

CloudFormation Drift Detection is able to find the configuration.

Observed Behavior

It doesn't work.

Test Cases

AWSTemplateFormatVersion: 2010-09-09
Description: Test

Resources:
  KMSKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: !Sub "${AWS::AccountId}-${AWS::StackName}"
        Statement:
          - Sid: "Allow root"
            Effect: Allow
            Action: kms:*
            Resource: "*"
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
          - Sid: "Lambda: Allow Lambda to access KMS Key."
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action:
              - kms:GenerateDataKey
              - kms:Decrypt
            Resource: "*"
            Condition:
              StringLike:
                kms:EncryptionContext:aws:lambda:FunctionArn: !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:*"

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: "InlinePolicy"
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: "LogAccess"
                Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt LambdaLogGroup.Arn

  Lambda:
    Type: AWS::Lambda::Function
    Properties:
      Role: !GetAtt LambdaRole.Arn
      Handler: index.lambda_handler
      Runtime: python3.13
      Timeout: 120
      LoggingConfig:
        LogGroup: !Ref LambdaLogGroup
      MemorySize: 128
      Architectures:
        - arm64
      Code:
        SourceKMSKeyArn: !GetAtt KMSKey.Arn
        ZipFile: |
          def lambda_handler(event, context):

              print("Test")

  LambdaLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub "/${AWS::StackName}/Lambda"
      RetentionInDays: 30
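Added example, not code from the issue or the CloudFormation project: a small Python triage helper that takes one StackResourceDrift entry in the shape DescribeStackResourceDrifts returns, plus the SourceKMSKeyArn the live function actually reports, and suppresses the REMOVE on Code/SourceKMSKeyArn only when the live key still equals the expected one. Fetching the live value (for example from lambda:GetFunction) is assumed and left to the caller; the drift record and key ARN below are constructed to mirror the drift table in the report.

```python
import json
from typing import Optional

# Assumption: the drift is reported on the whole Code block (as in the table above)
# or on the key property itself.
SOURCE_KMS_PATHS = {"/Code", "/Code/SourceKMSKeyArn"}
# Constructed placeholder ARN for the sample below (not a real key).
SAMPLE_KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"

def expected_source_kms_arn(diff: dict) -> Optional[str]:
    """Extract SourceKMSKeyArn from a PropertyDifference's ExpectedValue string."""
    raw = diff.get("ExpectedValue")
    if not raw:
        return None
    try:
        value = json.loads(raw)
    except ValueError:
        return raw  # already a bare ARN, not a JSON object
    if isinstance(value, dict):
        return value.get("SourceKMSKeyArn")
    return value if isinstance(value, str) else None

def triage_lambda_drift(drift: dict, live_source_kms_arn: Optional[str]) -> dict:
    """Split one StackResourceDrift entry into differences matching the false
    positive (live function still uses the expected CMK) and genuine ones."""
    report = {"logical_id": drift["LogicalResourceId"], "genuine": [], "suppressed": []}
    for diff in drift.get("PropertyDifferences", []):
        path = diff.get("PropertyPath")
        expected = expected_source_kms_arn(diff)
        kms_remove = (path in SOURCE_KMS_PATHS
                      and diff.get("DifferenceType") == "REMOVE"
                      and expected is not None)
        # A REMOVE with a different or missing live key means the package really
        # lost its CMK, so only an exact match is treated as the false positive.
        if kms_remove and live_source_kms_arn == expected:
            report["suppressed"].append(path)
        else:
            report["genuine"].append(path)
    return report

# Constructed sample mirroring the drift table in the report above.
SAMPLE_DRIFT = {
    "LogicalResourceId": "Lambda",
    "ResourceType": "AWS::Lambda::Function",
    "StackResourceDriftStatus": "MODIFIED",
    "PropertyDifferences": [{
        "PropertyPath": "/Code",
        "ExpectedValue": json.dumps({"SourceKMSKeyArn": SAMPLE_KEY_ARN}),
        "DifferenceType": "REMOVE",
    }],
}
```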

Other Details

No response

r-heimann, May 26 '25 10:05