AWS Lambda Permission Model - keshavbaweja-git/guides GitHub Wiki

Resource based policies

Lambda supports resource based policies for functions and layers. Use resource based policies to grant access to

  • AWS Services
  • Other AWS accounts

Grant access to AWS Services (SNS). Without --source-arn this allows any SNS topic in any account to invoke the function:

aws lambda add-permission \
--function-name <fn-name> \
--action lambda:InvokeFunction \
--principal sns.amazonaws.com \
--statement-id sns

Grant access to AWS Services (SNS), a particular topic

aws lambda add-permission \
--function-name <fn-name> \
--action lambda:InvokeFunction \
--principal sns.amazonaws.com \
--source-arn <arn:aws:sns:us-east-2:123456789012:my-topic> \
--statement-id sns

Grant access to AWS Services (S3), a particular bucket. S3 bucket ARNs carry no account id, so --source-account is needed as well to pin the grant to a bucket owned by your account:

aws lambda add-permission \
--function-name <fn-name> \
--action lambda:InvokeFunction \
--principal s3.amazonaws.com \
--source-arn <arn:aws:s3:::my-bucket-123456> \
--source-account <acct-id> \
--statement-id s3

Grant access to other account

aws lambda add-permission \
--function-name <fn-name> \
--action lambda:InvokeFunction \
--principal <other-acct-id> \
--statement-id x-account 

Users or roles in the other account must also have an identity-based permission to invoke the function (lambda:InvokeFunction on its ARN) for the above cross-account access to be effective; the resource-based policy alone is not sufficient.

Grant layer access to organization id

aws lambda add-layer-version-permission \
--layer-name <layer-name> \
--version-number 1 \
--action lambda:GetLayerVersion \
--principal '*' \
--organization-id <org-id> \
--statement-id org-layer 

Identity based IAM policies

Lambda supports IAM policies that can be attached to users, roles and cross-account roles (roles that can be assumed by principals in other accounts).

IAM Conditions (condition key, followed by the API actions it applies to)

  • lambda:Principal: AddPermission, RemovePermission
  • lambda:VpcIds, lambda:SubnetIds, lambda:SecurityGroupIds, lambda:Layer, lambda:CodeSigningConfigArn: CreateFunction, UpdateFunctionConfiguration
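The following is an added example, not code from the wiki or from AWS: it models the policy statements that the add-permission commands above write into a function's resource-based policy (Service principal, AWS:SourceArn, AWS:SourceAccount, aws:PrincipalOrgID), models an identity-based policy that uses the lambda:Principal condition key from the list above, and evaluates a few constructed requests against them. The evaluator is a deliberately small approximation of IAM (Allow statements only, ArnLike and StringEquals only). Every ARN, account id and name is a constructed placeholder.

```python
"""Toy IAM evaluator for Lambda resource-based and identity-based policies.

Added example, not part of the wiki. It approximates how AWS evaluates the
statements `aws lambda add-permission` produces; it is not the AWS engine.
"""
import fnmatch
import json

# Constructed placeholders; not real resources.
FN_ARN = "arn:aws:lambda:us-east-2:111111111111:function:my-fn"
TOPIC_ARN = "arn:aws:sns:us-east-2:111111111111:my-topic"


def add_permission(function_arn, sid, principal, action="lambda:InvokeFunction",
                   source_arn=None, source_account=None, organization_id=None):
    """Build the statement that add-permission appends to the function policy.

    A principal ending in .amazonaws.com becomes a Service principal; a bare
    account id becomes that account's root ARN. The optional flags become the
    same condition keys the CLI writes (simplified).
    """
    if principal.endswith(".amazonaws.com"):
        principal_block = {"Service": principal}
    else:
        principal_block = {"AWS": "*" if principal == "*"
                           else f"arn:aws:iam::{principal}:root"}
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal_block,
            "Action": action, "Resource": function_arn}
    cond = {}
    if source_arn:
        cond.setdefault("ArnLike", {})["AWS:SourceArn"] = source_arn
    if source_account:
        cond.setdefault("StringEquals", {})["AWS:SourceAccount"] = source_account
    if organization_id:
        cond.setdefault("StringEquals", {})["aws:PrincipalOrgID"] = organization_id
    if cond:
        stmt["Condition"] = cond
    return stmt


def _principal_matches(block, req):
    if "Service" in block:
        return req.get("service") == block["Service"]
    aws = block["AWS"]
    return aws == "*" or aws == f"arn:aws:iam::{req.get('account')}:root"


def _conditions_hold(cond, req):
    # Request context keys this toy evaluator understands.
    ctx = {"AWS:SourceArn": req.get("source_arn"),
           "AWS:SourceAccount": req.get("source_account"),
           "aws:PrincipalOrgID": req.get("org_id"),
           "lambda:Principal": req.get("lambda_principal")}
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:                      # missing context key never matches
                return False
            if op == "ArnLike" and not fnmatch.fnmatchcase(have, want):
                return False
            if op == "StringEquals" and have != want:
                return False
    return True


def is_allowed(policy, req):
    """True if some Allow statement matches action, resource, principal and conditions."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if req["action"] not in actions:
            continue
        if stmt.get("Resource", "*") not in ("*", req["resource"]):
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], req):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), req):
            continue
        return True
    return False


def demo():
    """Compare the broad SNS grant, the topic-scoped grant, a cross-account grant,
    and an identity policy that only lets an operator grant access to S3."""
    doc = lambda *stmts: {"Version": "2012-10-17", "Statement": list(stmts)}
    broad = doc(add_permission(FN_ARN, "sns", "sns.amazonaws.com"))
    scoped = doc(add_permission(FN_ARN, "sns", "sns.amazonaws.com", source_arn=TOPIC_ARN))
    xacct = doc(add_permission(FN_ARN, "x-account", "222222222222"))
    operator = doc({"Effect": "Allow", "Action": "lambda:AddPermission", "Resource": FN_ARN,
                    "Condition": {"StringEquals": {"lambda:Principal": "s3.amazonaws.com"}}})

    # Constructed requests: an SNS topic in an unrelated account, our own topic,
    # a principal from the trusted account, and two AddPermission calls.
    foreign_topic = {"action": "lambda:InvokeFunction", "resource": FN_ARN,
                     "service": "sns.amazonaws.com",
                     "source_arn": "arn:aws:sns:us-east-2:999999999999:unrelated-topic"}
    own_topic = dict(foreign_topic, source_arn=TOPIC_ARN)
    other_acct = {"action": "lambda:InvokeFunction", "resource": FN_ARN, "account": "222222222222"}
    grant_s3 = {"action": "lambda:AddPermission", "resource": FN_ARN,
                "lambda_principal": "s3.amazonaws.com"}
    grant_public = dict(grant_s3, lambda_principal="*")
    return {
        "broad_allows_foreign_topic": is_allowed(broad, foreign_topic),
        "scoped_allows_foreign_topic": is_allowed(scoped, foreign_topic),
        "scoped_allows_own_topic": is_allowed(scoped, own_topic),
        "xacct_allows_other_account": is_allowed(xacct, other_acct),
        "operator_may_grant_s3": is_allowed(operator, grant_s3),
        "operator_may_grant_public": is_allowed(operator, grant_public),
    }


if __name__ == "__main__":
    print(json.dumps(add_permission(FN_ARN, "s3", "s3.amazonaws.com",
                                    source_arn="arn:aws:s3:::my-bucket-123456",
                                    source_account="111111111111"), indent=2))
    print(json.dumps(demo(), indent=2))
```

Running the script prints the S3 statement in the shape `aws lambda get-policy` would return it, followed by the evaluation results: the unscoped SNS grant accepts a topic from an unrelated account, the --source-arn grant does not, and the lambda:Principal condition stops the operator from using AddPermission to open the function to `*` while still allowing the S3 grant.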