- Newest
- Most votes
- Most comments
The issue you're experiencing with setting up an OnFailure destination for your Lambda function is related to the trust relationship policy of the associated IAM role. While your current policy is correctly set up for the Lambda function itself, it doesn't account for the additional permissions needed for event destinations.
When you configure an OnFailure destination, AWS Lambda needs broader permissions to handle the routing of failed events to the specified destination (such as an SNS topic, SQS queue, S3 bucket, or another Lambda function). This is why the API calls are failing and requesting that you add the Lambda service as a Trusted Entity.
To resolve this, you need to modify the trust relationship policy to allow the Lambda service to assume the role without the specific function ARN condition. Here's how the updated policy should look:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
This change allows the Lambda service as a whole to assume the role, which is necessary for managing event destinations.
However, I understand your concern about limiting access to the role. While you can't restrict the trust relationship to a specific function when using event destinations, you can still implement other security measures:
-
Use least privilege permissions in the role's policies, granting only the necessary actions for your function and its destinations.
-
Implement resource-based policies on the destination resources (e.g., SNS topics, SQS queues) to control which Lambda functions can interact with them.
-
Use AWS CloudTrail to monitor and audit the assumption of the role and any actions taken with it.
-
Regularly review and rotate IAM credentials.
These practices will help maintain a strong security posture while allowing the necessary flexibility for Lambda event destinations to function properly.
Sources
FunctionEventInvokeConfig - AWS Lambda
OnFailure - AWS Lambda
Create an IAM role and IoT rule for your destination - AWS IoT Wireless
You could try changing the trust policy to the following, with the placeholders replaced with the appropriate values:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnEqualsIfExists": { "aws:SourceArn": "arn:aws:lambda:<region>:<account_id>:function:<function_name>" }, "StringEquals": { "aws:SourceAccount": "<account_id>" } } } ] }
Using ArnEqualsIfExists
instead of ArnEquals
to compare the aws:SourceArn
condition key will block the role from being assumed when done in the context of a function other than the one you've specified, but it won't block the operation if no Lambda function is involved.
The StringEquals
comparison of the aws:SourceAccount
condition key should match also when the role is being assumed without directly involving any specific function, while still ensuring that the role is being assumed on behalf of your AWS account and not a different account.
Relevant content
- asked 2 years ago
- asked 5 days ago
- AWS OFFICIALUpdated a year ago
- What's the difference between Lambda function execution role permissions and invocation permissions?AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
Thank you for your answer. Unfortunately, that does not work either. Using this Trust policy, the API PutFunctionEventInvokeConfig still complains as before: "Please add Lambda as a Trusted Entity for arn:aws:iam::279254039230:role/get_cs_ssm_events". However, it's working fine if we configure just the Dead Letter Queue of the Lambda function.