Config rule with custom lambda permission issue

1

I'm creating a config rule with a custom Lambda configuration but getting the error message below. Error: **Before you add this rule, update your IAM permissions to allow the lambda:AddPermission action.**

Could you please guide where we need to add these permissions?

asked 2 months ago · 663 views
2 Answers
1

Hello.

I think you need to add "config.amazonaws.com" to Lambda's resource-based policy.
https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html#restricted-lambda-policy

aws lambda add-permission \
  --function-name InstanceTypeCheck \
  --statement-id "AddConfigPermission" \
  --action lambda:InvokeFunction \
  --principal config.amazonaws.com

I believe there needs to be a policy set on the IAM user you are using to allow "lambda:AddPermission".

EXPERT
answered 2 months ago
  • I'm making changes with the root user account, which should have admin access. Also, I tried resource-based access to the Invoke function but still no luck.

  • I also tried setting it up in my AWS account, but I can't reproduce the same error. I think you can create a custom rule if you have properly configured Lambda's resource-based policy using the command below.

    aws lambda add-permission \
      --function-name InstanceTypeCheck \
      --statement-id "AddConfigPermission" \
      --action lambda:InvokeFunction \
      --principal config.amazonaws.com
0

Make sure you have a proper IAM role for AWS Config with the needed access to Lambda and, most importantly, a resource-based policy attached to your Lambda function with permission as below:

aws lambda add-permission \
  --function-name <lambda function name> \
  --statement-id ConfigInvokePermission \
  --action lambda:InvokeFunction \
  --principal config.amazonaws.com \
  --source-arn arn:aws:config:<region>:<account number>:config-rule/* \
  --region <region>
answered 24 days ago
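Added example (not code from either answer): a check over the "Policy" document that `aws lambda get-policy` returns, reporting whether AWS Config can invoke the function at all and whether the grant carries the SourceArn condition from the second answer, rather than being open to Config in any account. The function name, region, account id and ARNs in the sample are constructed.

```python
import json

# Constructed sample (not from the thread): the "Policy" string that
# `aws lambda get-policy --function-name InstanceTypeCheck` returns after
# the add-permission command in the second answer, with --source-arn set.
SAMPLE_POLICY_JSON = json.dumps({
    "Statement": [{
        "Sid": "ConfigInvokePermission",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": "arn:aws:lambda:us-east-1:111122223333:function:InstanceTypeCheck",
        "Condition": {"ArnLike": {
            "AWS:SourceArn": "arn:aws:config:us-east-1:111122223333:config-rule/*"}},
    }],
})


def _as_list(value):
    """IAM allows a scalar or a list for Statement, Action, Service and condition values."""
    return value if isinstance(value, list) else [value]


def config_invoke_statements(policy_json):
    """Return the Allow statements that let config.amazonaws.com call InvokeFunction."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and "config.amazonaws.com" in services \
                and ("lambda:InvokeFunction" in actions or "lambda:*" in actions):
            found.append(stmt)
    return found


def check_config_invoke(policy_json, account_id):
    """'missing': Config cannot invoke; 'unscoped': Config in any account may invoke
    (no SourceArn condition); 'scoped': tied to this account's config rules."""
    stmts = config_invoke_statements(policy_json)
    if not stmts:
        return "missing"
    for stmt in stmts:
        arns = []
        for operator, keys in stmt.get("Condition", {}).items():
            if operator in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"):
                for key, value in keys.items():
                    if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                        arns += _as_list(value)
        if any(a.startswith("arn:aws:config:") and f":{account_id}:" in a for a in arns):
            return "scoped"
    return "unscoped"
```

A result of "unscoped" means the grant from the first answer's command (no --source-arn) is in place; Config works, but the invoke permission is not limited to your own account's rules.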
