Configuration security hardening: fix overly permissive CORS defaults and missing encryption configurations #702

@youming1970

Hi terraform-aws-lambda maintainers,

Thank you for maintaining this essential Lambda deployment module — it's widely used across AWS serverless architectures.

While conducting a security review of the codebase, we identified several configuration security issues that could create vulnerabilities in production deployments:

1) Overly permissive CORS configuration in Lambda URL (P1)

Location: /main.tf lines 111-118

cors {
  allow_credentials = true
  allow_origins     = ["*"]      # Allows any origin
  allow_methods     = ["*"]      # Allows any HTTP method
}

Risk: Cross-origin attacks from malicious websites, potential data exfiltration and unauthorized access.

2) Missing default environment variable encryption (P2)

Location: /variables.tf lines 101-111

variable "kms_key_arn" {
  description = "KMS key for environment variable encryption"
  default     = ""               # No encryption by default
}

Risk: Sensitive configuration data in environment variables is not encrypted with customer-managed keys.

3) CloudWatch logs unencrypted by default (P2)

Location: /variables.tf lines 51-55

variable "cloudwatch_logs_kms_key_arn" {
  description = "KMS Key for encrypting log data"
  default     = null             # No encryption by default
}

Risk: Lambda function logs may contain sensitive information stored unencrypted.

4) Unlimited concurrent executions by default (P2)

Location: /variables.tf lines 149-153

variable "reserved_concurrent_executions" {
  default     = -1               # Unlimited executions
}

Risk: Resource exhaustion, unexpected costs, or denial of service if the function is triggered excessively.

5) Missing permissions boundary default (P2)

Location: /variables.tf lines 137-141

variable "permissions_boundary" {
  default     = ""               # No boundary by default
}

Risk: Lambda execution roles could be granted excessive permissions, violating least privilege.

Proposed security improvements:

CORS Security:

  • Change default CORS to require explicit origin configuration
  • Add validation to warn about wildcard usage
  • Provide secure CORS configuration examples

Encryption Defaults:

  • Encourage KMS encryption for environment variables by default
  • Enable CloudWatch logs encryption by default
  • Document security implications of encryption choices

Resource Limits:

  • Set reasonable default concurrent execution limits
  • Enable CloudWatch Lambda Insights by default for monitoring
  • Document resource limit security considerations

IAM Security:

  • Encourage permissions boundaries in documentation
  • Provide least-privilege IAM policy examples
  • Add security warnings for broad permissions

Happy to contribute:

  • Security-focused default configurations
  • Documentation updates with security warnings
  • Validation rules for high-risk settings
  • Examples of secure Lambda deployments

These improvements would help organizations deploy Lambda functions with security-first defaults while maintaining flexibility for specific requirements.

Thanks for considering these security enhancements to protect serverless deployments.
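One way the "validation rules for high-risk settings" and "security-focused default configurations" above could look in Terraform. This is an added illustration written for this page, not code from the terraform-aws-lambda module or from the issue author. The variable names are assumed to match the ones quoted in the findings; the defaults, the constructed ARN patterns and the example origin are illustrative. The `optional()` attribute defaults assume Terraform 1.3 or later.

```hcl
# Added example, not the module's own code. Variable names follow the issue;
# defaults and validation rules are assumptions about a hardened form.

# Finding 1: a function URL must name its origins; "*" is refused together with
# credentials, and methods must be listed explicitly.
variable "cors" {
  description = "CORS settings for the Lambda function URL"
  type = object({
    allow_credentials = optional(bool, false)
    allow_origins     = optional(list(string), [])
    allow_methods     = optional(list(string), ["GET"])
    allow_headers     = optional(list(string), [])
    expose_headers    = optional(list(string), [])
    max_age           = optional(number, 0)
  })
  default = {}

  validation {
    condition     = !(var.cors.allow_credentials && contains(var.cors.allow_origins, "*"))
    error_message = "allow_origins must not contain \"*\" when allow_credentials is true."
  }

  validation {
    condition     = !contains(var.cors.allow_methods, "*")
    error_message = "allow_methods must list the HTTP methods explicitly instead of \"*\"."
  }

  validation {
    condition = alltrue([
      for origin in var.cors.allow_origins : origin == "*" || can(regex("^https://", origin))
    ])
    error_message = "Each allowed origin must be an https:// origin (or \"*\" without credentials)."
  }
}

# Findings 2 and 3: no empty/null default, so a caller has to supply a key ARN
# (or consciously pass null for the log group) rather than silently opting out.
variable "kms_key_arn" {
  description = "Customer-managed KMS key ARN used to encrypt environment variables"
  type        = string

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/", var.kms_key_arn))
    error_message = "kms_key_arn must be a KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>)."
  }
}

variable "cloudwatch_logs_kms_key_arn" {
  description = "KMS key ARN for encrypting the function's log group"
  type        = string
  nullable    = false

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:kms:", var.cloudwatch_logs_kms_key_arn))
    error_message = "cloudwatch_logs_kms_key_arn must be a KMS key ARN."
  }
}

# Finding 4: a bounded default; -1 (unlimited) stays available but must be
# written down by the caller. The value 10 is a constructed placeholder.
variable "reserved_concurrent_executions" {
  description = "Reserved concurrency for the function; -1 means unlimited"
  type        = number
  default     = 10

  validation {
    condition     = var.reserved_concurrent_executions == -1 || var.reserved_concurrent_executions >= 0
    error_message = "reserved_concurrent_executions must be -1 (unlimited) or a non-negative number."
  }
}

# Finding 5: a boundary is expected; an empty string is still accepted for
# accounts that enforce least privilege elsewhere, but anything else has to be
# an IAM policy ARN.
variable "permissions_boundary" {
  description = "ARN of the IAM permissions boundary policy applied to the execution role"
  type        = string

  validation {
    condition     = var.permissions_boundary == "" || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/", var.permissions_boundary))
    error_message = "permissions_boundary must be empty or an IAM policy ARN."
  }
}

# A caller that passes the configuration from finding 1 now fails at plan time:
#   cors = { allow_credentials = true, allow_origins = ["*"], allow_methods = ["*"] }
# whereas an explicit origin list is accepted (example origin is constructed):
#   cors = { allow_credentials = true, allow_origins = ["https://app.example.com"], allow_methods = ["GET", "POST"] }
```

Two caveats worth stating next to this. Reserved concurrency is taken out of the account's shared concurrency pool, so a fixed numeric default like the placeholder above is a trade-off the maintainers would have to size for typical accounts, not a free win. And validation blocks only catch what a caller writes in module inputs; a `terraform plan` in CI that checks the resulting `aws_lambda_function_url` and `aws_cloudwatch_log_group` attributes (for example with a policy-as-code tool) is the complementary detection for configurations assembled outside this module.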
