chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions

johnraws · johnraws · commit 6fb5259d7f9b · 2024-08-09T09:03:26.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - chore: upgrade github action to node20
 
+### Configuration Changes
+
+- chore(lza-sample-config): enhance SCP statements for invocation of Lambda functions
+
 ## [1.9.0] - 07-25-2024
 
 ### Added
diff --git a/reference/sample-configurations/lza-sample-config-govcloud-us/govcloud-us-config/service-control-policies/guardrails-1.json b/reference/sample-configurations/lza-sample-config-govcloud-us/govcloud-us-config/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
diff --git a/reference/sample-configurations/lza-sample-config/service-control-policies/guardrails-1.json b/reference/sample-configurations/lza-sample-config/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
diff --git a/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled-delegated-admin/service-control-policies/guardrails-1.json b/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled-delegated-admin/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
diff --git a/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled-ou-targets/service-control-policies/guardrails-1.json b/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled-ou-targets/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
diff --git a/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled/service-control-policies/guardrails-1.json b/source/packages/@aws-accelerator/accelerator/test/configs/all-enabled/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
diff --git a/source/packages/@aws-accelerator/accelerator/test/configs/snapshot-only/service-control-policies/guardrails-1.json b/source/packages/@aws-accelerator/accelerator/test/configs/snapshot-only/service-control-policies/guardrails-1.json
@@ -32,6 +32,7 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:DeleteFunction",
         "lambda:DeleteFunctionConcurrency",
+        "lambda:Invoke*",
         "lambda:PutFunctionConcurrency",
         "lambda:RemovePermission",
         "lambda:UpdateEventSourceMapping",
