IAM permission for the new 'Download function' in Lambda console

Noticed AWS changed Lambda console UI yesterday to move the 'Export function' feature from Actions to a standalone 'Download function' button. But after that, some of our users are unable to download the function any more. What permission is required to use the Download function?

Here's the policy for those users. "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "kms:ListAliases", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles", "lambda:", "logs:DescribeLogGroups", "states:DescribeStateMachine", "states:ListStateMachines", "tag:GetResources", "xray:GetTraceSummaries", "xray:BatchGetTraces" ], "Resource": [ "arn:aws:lambda::<account id>:function:<function name prefix>*" ], "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "true" } }