Our goal is to access AWS services like SQS, S3 and SES etc. from lambda function


We have a micro-service architecture. Each micro-service consists of more than 10 lambda functions. In some of the lambda functions we want to use the AWS SDK to access several AWS services like,

  • SQS
  • S3
  • SES and many more

There are several ways to do so, as suggested in some articles,

  • Create an IAM role per service (it will have access to that specific service only, e.g. S3)
  • Create a separate IAM role per lambda, with the specific access needed
  • Create an IAM user with permanent access via secret/access keys, with specific access per service

We have approx. 500+ lambda functions in our application. We need assistance/suggestions to identify the best way to access AWS services from lambda, considering security and other impacting factors like performance etc.

Not every lambda requires this access, only a few specific ones. But that number is more than 50 for sure.

So, creating a separate role/access/secret key would have a few challenges like,

  • We need access to more than one service in some of the lambda functions (e.g. S3 and/or SQS and/or SES etc.), so for each combination we might have to create a separate IAM user/role
  • We cannot modify the access policy of an existing IAM user/role, because that would also grant the same access to the other lambdas that use the same IAM role/user to access a specific service

So, what would be the best approach to access AWS services for our use case? Also, please suggest if there is another way to do so.

Thanks in advance!!

1 Answer

The best approach, taking into consideration the least privilege principle, is to create an IAM Role per function. You did not mention this, but I assume you have more than one queue, more than one bucket, etc. and each function needs to access different queues/buckets. By having a role per function you can grant the function access only to the resources it actually needs. Otherwise you will need to use : which is not recommended.

If you use infrastructure as code (as you should) such as SAM, CloudFormation, CDK, etc., the role creation should be part of the function creation.

Uri (AWS EXPERT), answered 6 months ago
  • Thanks for your reply.

    Yes, we have multiple SQS queues and S3 buckets etc. in our application, and we need to access them from lambda functions.

    If we consider the least privilege principle and create an IAM Role per function, then we will not be able to re-use an existing role created for the same access in another lambda function. For example, we have lambda A and lambda B. For lambda A we provide access to SQS push and S3 read using a separate, function-specific role. Lambda B also requires the same access (SQS push and S3 read, on the same queue and bucket). Will we be able to use the role created for lambda A for lambda B? Or would it be fine to create a different role for each lambda with the same kind of access permissions?

    Regarding infrastructure as code, we use 'CloudFormation', which I forgot to mention in my question details.

  • Even though both functions TODAY need the same permissions, things can change in the future. I would still recommend using one role per function.

    If you make sure to create the roles in the same stack you create your functions in, it makes management of the roles easier. Also, if you use the Serverless Application Model (SAM) instead of using CloudFormation directly, you can define the role as part of the function definition itself.

  • Thanks for your valuable response in helping us identify the best approach for our use case.
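The recommendation above (one execution role per function, created in the same stack, scoped to the exact queue and bucket each function uses) as a SAM template. This is an added example, not code from the thread or from AWS; the resource names `OrdersQueue`, `ReportsBucket`, `LambdaA`, `LambdaB` and the `CodeUri` paths are placeholders. Lambda A uses SAM policy templates; Lambda B shows the equivalent inline statement so the resource-level scoping is visible.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: One least-privilege IAM role per function (added example, placeholder names)

Resources:
  OrdersQueue:
    Type: AWS::SQS::Queue

  ReportsBucket:
    Type: AWS::S3::Bucket

  # Lambda A: may only send to OrdersQueue and read from ReportsBucket.
  # SAM generates a dedicated execution role from the Policies list, so the
  # role lives in this stack and is never shared with another function.
  LambdaA:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda_a/        # placeholder path
      Policies:
        - SQSSendMessagePolicy:
            QueueName: !GetAtt OrdersQueue.QueueName
        - S3ReadPolicy:
            BucketName: !Ref ReportsBucket

  # Lambda B needs the same access today but gets its own role, so its
  # permissions can change later without widening what Lambda A can do.
  # Same grant written as an inline policy: note the specific ARNs, no "*".
  LambdaB:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: ./lambda_b/        # placeholder path
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: sqs:SendMessage
              Resource: !GetAtt OrdersQueue.Arn
            - Effect: Allow
              Action: s3:GetObject
              Resource: !Sub '${ReportsBucket.Arn}/*'
```

Because the role is part of each function's definition, a reviewer can read a function's entire blast radius in one place, and removing a function removes its role with it.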
