How can I provide granular access to Lambda functions?


I want to grant read and write access to a specific AWS Lambda function that's identified by its Amazon Resource Name (ARN).

Short description

You can use AWS Identity and Access Management (IAM) policies to configure the permissions for Lambda functions to:

  • Create a Lambda function
  • Delete a Lambda function
  • View the configuration details of a Lambda function
  • Modify a Lambda function
  • Invoke a Lambda function
  • Monitor a Lambda function

In the following policy examples, Lambda API actions that support resource-level permissions are restricted to a specific Lambda function that's listed in the Resource element. For API actions that support Lambda condition keys, the Condition element restricts the action to a specific function.

API actions that don't support resource-level permissions require a wildcard ("*") in the Resource element, and can't apply any Lambda service-specific condition keys. For more information about IAM actions, resources, and conditions that are supported by Lambda, see Actions, resources, and condition keys for Lambda.

The value of a statement's Resource element uses the ARN to identify the resources that the statement applies to. For example, when the Action is Invoke, then the Resource is a function ARN. IAM matches this ARN against the ARN of the function that's identified by the FunctionName and Qualifier parameters of an Invoke request. For more information, see Lambda function versions.

Note: If you use multiple versions and aliases, you might need to include "arn:aws:lambda:region:AccountID:function:function_name:*" in the resource element.
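As an added illustration of the qualifier note above (not part of the original article), the following Python mirrors how IAM compares an Invoke request's function ARN, built from FunctionName and Qualifier, against a statement's Resource patterns. The ARNs reuse the page's region, AccountID and function_name placeholders; the version "3" and alias "PROD" are constructed sample qualifiers.

```python
import re
from typing import List, Optional

# Constructed example. The page's placeholders (region, AccountID, function_name)
# are kept literally so the ARNs line up with the policy examples above.
FUNCTION_ARN = "arn:aws:lambda:region:AccountID:function:function_name"

def invoke_request_arn(function_name: str, qualifier: Optional[str] = None) -> str:
    """ARN that IAM compares against a statement's Resource for an Invoke request.

    An unqualified request resolves to the bare function ARN; a version number or
    alias passed as Qualifier appends ':<qualifier>' to it.
    """
    arn = f"arn:aws:lambda:region:AccountID:function:{function_name}"
    return f"{arn}:{qualifier}" if qualifier else arn

def arn_matches(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including none),
    '?' matches exactly one character, everything else is a literal, case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, arn) is not None

def is_allowed(resources: List[str], function_name: str,
               qualifier: Optional[str] = None) -> bool:
    """True when any Resource entry of an Allow statement covers the request ARN."""
    request = invoke_request_arn(function_name, qualifier)
    return any(arn_matches(pattern, request) for pattern in resources)

if __name__ == "__main__":
    # The bare ARN alone covers unqualified invokes only; adding ':*' covers
    # versions and aliases but, because the ':' is literal, not the bare ARN.
    for resources in ([FUNCTION_ARN], [FUNCTION_ARN + ":*"], [FUNCTION_ARN, FUNCTION_ARN + ":*"]):
        for qualifier in (None, "3", "PROD"):
            print(resources, qualifier, is_allowed(resources, "function_name", qualifier))
```

Listing both the bare function ARN and the ':*' form is what lets one statement cover the unqualified function, its versions and its aliases.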

Resolution

Follow these steps to use IAM policies to configure permissions for Lambda functions.

In the following example IAM policies, replace AccountID, function_name, username, region, keyID, arn, role_name, S3BucketName, and FileName with your own values.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Permissions required to create a Lambda function

Both the lambda:CreateFunction and iam:PassRole permissions are required to create a Lambda function by using the AWS CLI or an SDK. For example policies, see Identity-based IAM policies for Lambda. The following policy allows the API caller to create a Lambda function and pass an IAM role as the function's execution role, when the code is uploaded from your local machine:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToCreateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/role_name"
    }
  ]
}

If you upload the code from an Amazon Simple Storage Service (Amazon S3) bucket, then add a policy to grant the required Amazon S3 permissions. Add a policy similar to the following example to the existing IAM policy:

...{
  "Sid": "PermissionToUploadCodeFromS3",
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::S3BucketName/FileName.zip"
}
...

Because the code can't be provided when the function is created in the Lambda console, additional API permissions are required. You must add read-level API actions and permission to view and update the function. Add a policy similar to the following to grant these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionsToCreateAndUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "PermissionToListExistingRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/role_name"
    }
  ]
}

To create an IAM role during the Lambda function creation process, add IAM permissions similar to the following:

...{
  "Sid": "PermissionsToCreateAndUpdateARole",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:CreatePolicy",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "*"
}
...

Permissions required to delete a Lambda function

To delete a Lambda function, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To use the Lambda console to delete a function, add Lambda read access permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    }
  ]
}

Permissions required to view the configuration details of a Lambda function

To give a user permission to view the configuration details of a Lambda function, add permissions similar to the following:

Note: Depending on the level of read access that you want to grant, you might need all of these permissions or only a subset of them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetPolicy",
        "lambda:GetAlias",
        "lambda:ListVersionsByFunction",
        "lambda:ListAliases"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:ListTags",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

To use the Lambda console to view the configuration details of a function, add permissions similar to the following:

...{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}
...

The Lambda console uses the tags on Lambda functions so that you can filter the function list by tag. To allow the console to call the AWS Tagging Service for this, add permissions similar to the following:

...{
  "Sid": "PermissionsToFilterFunctionsByTags",
  "Effect": "Allow",
  "Action": [
     "tag:GetResources"
  ],
  "Resource": "*"
}
...

The Lambda console displays details about the IAM role that's associated with a Lambda function and the resources that the function's role has access to. To view these details, add permissions similar to the following:

...{
  "Sid": "PermissionsToViewRolesAndPolicies",
  "Effect": "Allow",
  "Action": [
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRolePolicy",
    "iam:ListRoles",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies"
  ],
  "Resource": "*"
}
...

Note: Based on your requirements and the services integrated with your Lambda function, you might need to grant additional permissions for other AWS services. For more information, see Lambda resource access permissions.

Permissions required to modify a Lambda function

To give a user permission to modify a Lambda function, add permissions similar to the following:

Note: Depending on the level of write access that you want to grant, you might need all of the following permissions or only a subset of them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:CreateAlias",
        "lambda:UpdateAlias",
        "lambda:DeleteAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PutFunctionConcurrency",
        "lambda:DeleteFunctionConcurrency",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    },
    {
      "Sid": "ActionsWhichSupportCondition",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateEventSourceMapping",
        "lambda:DeleteEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionArn": "arn:aws:lambda:region:AccountID:function:function_name"
        }
      }
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:UntagResource",
        "lambda:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

You can restrict lambda:AddPermission and lambda:RemovePermission to a principal that's included in a passed policy, to further limit access. You can also limit lambda:UpdateEventSourceMapping and lambda:DeleteEventSourceMapping to a particular event source mapping. For more information, see Identity-based IAM policies for Lambda.
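As an added check (not from the original article), this Python audits a policy document for the two scoping mistakes the Short description warns about: a resource-level action granted on "*", and an action without resource-level support granted on a specific ARN, which never matches a request. The action classification is copied from this page's example policies, and the sample policy is constructed.

```python
import json

# Classification copied from this page's example policies: actions granted on a function
# or role ARN there support resource-level permissions; actions granted only on "*" do not.
RESOURCE_LEVEL = {
    "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
    "lambda:GetFunctionConfiguration", "lambda:GetPolicy", "lambda:GetAlias",
    "lambda:ListVersionsByFunction", "lambda:ListAliases", "lambda:AddPermission",
    "lambda:RemovePermission", "lambda:CreateAlias", "lambda:UpdateAlias",
    "lambda:DeleteAlias", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
    "lambda:PutFunctionConcurrency", "lambda:DeleteFunctionConcurrency",
    "lambda:PublishVersion", "lambda:InvokeFunction", "iam:PassRole",
}
WILDCARD_ONLY = {
    "lambda:ListFunctions", "lambda:GetAccountSettings", "lambda:ListTags",
    "lambda:GetEventSourceMapping", "lambda:ListEventSourceMappings",
    "lambda:TagResource", "lambda:UntagResource",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list:
    """One finding per action whose Resource element is wider or narrower than the
    action can use; an empty list means every statement is scoped as the page shows."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction forms are out of scope here
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt["Action"]):
            if action in RESOURCE_LEVEL and "*" in resources:
                findings.append(f"{sid}: {action} on '*' - scope it to a function or role ARN")
            elif action in WILDCARD_ONLY and "*" not in resources:
                findings.append(f"{sid}: {action} ignores ARNs - it never matches without '*'")
    return findings

# Constructed policy: one over-broad statement, one ineffective one, one correct one.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:ListFunctions"], "Resource": "*"},
    {"Sid": "Ineffective", "Effect": "Allow", "Action": "lambda:ListTags",
     "Resource": "arn:aws:lambda:region:AccountID:function:function_name"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:region:AccountID:function:function_name"}
  ]
}""")
```

Run `audit_policy(SAMPLE_POLICY)` to see the two findings; the classification sets should be refreshed from the Lambda service authorization reference before the check is used on real policies.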

To specify a customer managed AWS Key Management Service (AWS KMS) key to encrypt environment variables, add additional KMS permissions. Use an IAM policy similar to the following:

...{
  "Sid": "PermissionsForCryptoOperations",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "arn:aws:kms:region:AccountID:key/keyID"
},
{
  "Sid": "PermissionsToListExistingKeys",
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "kms:ListAliases"
  ],
  "Resource": "*"
}
...

To use the Lambda console to modify a Lambda function's configurations, add permissions similar to the following:

...{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}
...

Permissions required to invoke a Lambda function

To manually invoke a Lambda function, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    }
  ]
}

To use the Lambda console to list Lambda functions, add permissions similar to the following:

...{
  "Sid": "PermissionsToViewFunctionsConfigInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings",
    "lambda:GetFunction"
  ],
  "Resource": "*"
}
...

To allow other services to invoke a Lambda function, use resource-based policies for Lambda. You can also use function policies to provide cross-account access to Lambda functions.

The following example policy allows a user from a different AWS account to manually invoke a Lambda function:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ExternalAccountID:user/username"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    }
  ]
}

Permissions required to monitor Lambda functions

To view Amazon CloudWatch metrics in the Monitoring view of the Lambda console, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionForCloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

To grant permission to specific CloudWatch metrics and CloudWatch Logs Insights, see Amazon CloudWatch permissions reference and CloudWatch Logs permissions reference.