By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Lambda event destinations and IAM roles Trust relationship policies

0

Hello,

I have a Lambda function that is called asynchronously. With this lambda function is associated a role with a trust relationship policy that allows only this lambda function to assume it, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:lambda:<region>:<account_id>:function:<function_name>"
                }
            }
        }
    ]
}

It's working well.

Now, to manage the lambda failures, I want to create an OnFailure destination. But I can't. The API calls PutFunctionEventInvokeConfig or UpdateFunctionEventInvokeConfig fail at the validation of the Trust Relationship policy, stating that I need to add the Lambda service as a Trusted Entities.

Does someone know why a destination configuration needs the role to be accessible by the entire Lambda service and if there are still ways to limit what can access this role please?

2 Answers
0
Accepted Answer

The issue you're experiencing with setting up an OnFailure destination for your Lambda function is related to the trust relationship policy of the associated IAM role. While your current policy is correctly set up for the Lambda function itself, it doesn't account for the additional permissions needed for event destinations.

When you configure an OnFailure destination, AWS Lambda needs broader permissions to handle the routing of failed events to the specified destination (such as an SNS topic, SQS queue, S3 bucket, or another Lambda function). This is why the API calls are failing and requesting that you add the Lambda service as a Trusted Entity.

To resolve this, you need to modify the trust relationship policy to allow the Lambda service to assume the role without the specific function ARN condition. Here's how the updated policy should look:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

This change allows the Lambda service as a whole to assume the role, which is necessary for managing event destinations.

However, I understand your concern about limiting access to the role. While you can't restrict the trust relationship to a specific function when using event destinations, you can still implement other security measures:

  1. Use least privilege permissions in the role's policies, granting only the necessary actions for your function and its destinations.

  2. Implement resource-based policies on the destination resources (e.g., SNS topics, SQS queues) to control which Lambda functions can interact with them.

  3. Use AWS CloudTrail to monitor and audit the assumption of the role and any actions taken with it.

  4. Regularly review and rotate IAM credentials.

These practices will help maintain a strong security posture while allowing the necessary flexibility for Lambda event destinations to function properly.

Sources
FunctionEventInvokeConfig - AWS Lambda
OnFailure - AWS Lambda
Create an IAM role and IoT rule for your destination - AWS IoT Wireless

profile picture
answered 13 days ago
profile picture
EXPERT
reviewed 13 days ago
0

You could try changing the trust policy to the following, with the placeholders replaced with the appropriate values:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEqualsIfExists": {
          "aws:SourceArn": "arn:aws:lambda:<region>:<account_id>:function:<function_name>"
        },
        "StringEquals": {
          "aws:SourceAccount": "<account_id>"
        }
      }
    }
  ]
}

Using ArnEqualsIfExists instead of ArnEquals to compare the aws:SourceArn condition key will block the role from being assumed when done in the context of a function other than the one you've specified, but it won't block the operation if no Lambda function is involved.

The StringEquals comparison of the aws:SourceAccount condition key should match also when the role is being assumed without directly involving any specific function, while still ensuring that the role is being assumed on behalf of your AWS account and not a different account.

EXPERT
answered 11 days ago
  • Thank you for your answer. Unfortunately, that does not work either. Using this Trust policy, the API PutFunctionEventInvokeConfig still complains as before: "Please add Lambda as a Trusted Entity for arn:aws:iam::279254039230:role/get_cs_ssm_events". However, it's working fine if we configure just the Dead Letter Queue of the Lambda function.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions