AWS Lambda Permission Model - keshavbaweja-git/guides GitHub Wiki
Lambda supports resource-based policies for functions and layers. Use a resource-based policy to grant access to:
- AWS services
- other AWS accounts
Grant a service principal permission to invoke the function. Without a source condition, any SNS topic in any AWS account can invoke it:

```sh
aws lambda add-permission \
  --function-name <fn-name> \
  --action lambda:InvokeFunction \
  --principal sns.amazonaws.com \
  --statement-id sns
```

Pin the grant to a single topic with --source-arn:

```sh
aws lambda add-permission \
  --function-name <fn-name> \
  --action lambda:InvokeFunction \
  --principal sns.amazonaws.com \
  --source-arn arn:aws:sns:us-east-2:123456789012:my-topic \
  --statement-id sns
```

S3 bucket ARNs carry no account id, so also pass --source-account to require that the bucket belongs to your account:

```sh
aws lambda add-permission \
  --function-name <fn-name> \
  --action lambda:InvokeFunction \
  --principal s3.amazonaws.com \
  --source-arn arn:aws:s3:::my-bucket-123456 \
  --source-account <acct-id> \
  --statement-id s3
```

Grant another AWS account permission to invoke the function:

```sh
aws lambda add-permission \
  --function-name <fn-name> \
  --action lambda:InvokeFunction \
  --principal <other-acct-id> \
  --statement-id x-account
```
For the cross-account grant above to be effective, the users or roles in the other account must also have IAM permission (lambda:InvokeFunction on the function's ARN) in their own account; the resource-based policy alone is not enough.
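The grants above end up as statements in the function's resource-based policy, which `aws lambda get-policy` returns as a JSON string inside a JSON document. The following review script is an added example, not part of the wiki: it decodes such output and flags the patterns discussed above, a service principal with no SourceArn/SourceAccount condition, a wildcard principal, and any principal from another account. The policy document it runs on is constructed for the example (account ids, function and topic names are made up); the condition shape (`ArnLike` on `AWS:SourceArn`, `StringEquals` on `AWS:SourceAccount`) is what add-permission writes.

```python
import json

# Constructed sample of `aws lambda get-policy` output. The Policy field is itself a
# JSON string and must be decoded a second time. All ids and names are made up.
SAMPLE_GET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # SNS allowed with no source restriction: any topic in any account may invoke
                "Sid": "sns",
                "Effect": "Allow",
                "Principal": {"Service": "sns.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-fn",
            },
            {   # S3 pinned to one bucket and to the owning account
                "Sid": "s3",
                "Effect": "Allow",
                "Principal": {"Service": "s3.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-fn",
                "Condition": {
                    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket-123456"},
                    "StringEquals": {"AWS:SourceAccount": "123456789012"},
                },
            },
            {   # deliberate cross-account grant to another account's root
                "Sid": "x-account",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-2:123456789012:function:my-fn",
            },
        ],
    }),
    "RevisionId": "constructed-example",
})


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Condition keys used by a statement, lower-cased (IAM condition keys are case-insensitive)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(key.lower() for key in operator_block)
    return keys


def review_function_policy(get_policy_output, own_account):
    """Return (Sid, finding) pairs for Allow statements that widen who can invoke the function."""
    policy = json.loads(json.loads(get_policy_output)["Policy"])
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no-sid>")
        principal = stmt.get("Principal")
        keys = _condition_keys(stmt)
        # "Principal": "*" or {"AWS": "*"} lets any caller invoke the function.
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append((sid, "wildcard principal: any caller can invoke"))
            continue
        if not isinstance(principal, dict):
            continue
        # A service principal with neither SourceArn nor SourceAccount can be driven by that
        # service acting on behalf of any account (confused deputy).
        for service in _as_list(principal.get("Service", [])):
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.append((sid, f"{service} allowed without SourceArn/SourceAccount condition"))
        # Account principals outside our own account are cross-account grants worth a review.
        for arn in _as_list(principal.get("AWS", [])):
            parts = arn.split(":")
            account = parts[4] if len(parts) >= 6 else arn  # a bare account id is also legal
            if account != own_account:
                findings.append((sid, f"cross-account principal {arn}"))
    return findings


if __name__ == "__main__":
    for sid, finding in review_function_policy(SAMPLE_GET_POLICY_OUTPUT, "123456789012"):
        print(f"{sid}: {finding}")
```

Run against real output by piping `aws lambda get-policy --function-name <fn-name>` into the script in place of the constructed sample; the s3 statement is the only one that produces no finding, because it carries both source conditions.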
Share a layer version with every account in an AWS Organization (the wildcard principal is scoped by --organization-id):

```sh
aws lambda add-layer-version-permission \
  --layer-name <layer-name> \
  --version-number 1 \
  --action lambda:GetLayerVersion \
  --principal '*' \
  --organization-id <org-id> \
  --statement-id org-layer
```
Lambda also supports identity-based IAM policies that can be attached to users, roles and cross-account roles (roles that can be assumed by other accounts). Lambda-specific condition keys let those policies restrict what the Lambda API calls may do:
- lambda:Principal (AddPermission, RemovePermission): restricts which principal may be granted access in a function's resource-based policy
- lambda:VpcIds, lambda:SubnetIds, lambda:SecurityGroupIds, lambda:Layer, lambda:CodeSigningConfigArn (CreateFunction, UpdateFunctionConfiguration): restrict the VPC, subnets, security groups, layers and code-signing configuration a function may be created or updated with
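The condition keys above are easiest to understand by watching them decide requests. The block below is an added example, not from the wiki or from AWS: it builds a constructed identity policy that uses lambda:SubnetIds, lambda:VpcIds and lambda:Principal, then runs it through a deliberately simplified model of IAM evaluation (explicit Deny overrides, any matching Allow grants, otherwise implicit deny; only the StringEquals, ForAllValues:StringEquals and Null operators are modelled). It is not the real IAM engine, and the subnet ids, statement ids and approved service principal are made up. The point it shows is the documented quirk that ForAllValues conditions are vacuously true when the request carries no value for the key, which is why a VPC-only rule needs a Null check on lambda:VpcIds beside it.

```python
import copy

# Constructed identity policy using the Lambda condition keys; values are made up.
APPROVED_SUBNETS = ["subnet-0aaa", "subnet-0bbb"]

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Create/update functions only in approved subnets. IAM quirk: ForAllValues:*
            # is vacuously true when the key is absent, i.e. when no VpcConfig is supplied.
            "Sid": "ApprovedSubnetsOnly",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionConfiguration"],
            "Resource": "*",
            "Condition": {"ForAllValues:StringEquals": {"lambda:SubnetIds": APPROVED_SUBNETS}},
        },
        {   # ...so close that gap: deny creating a function with no VPC at all.
            "Sid": "RequireVpc",
            "Effect": "Deny",
            "Action": "lambda:CreateFunction",
            "Resource": "*",
            "Condition": {"Null": {"lambda:VpcIds": "true"}},
        },
        {   # Let operators grant invoke access only to one approved service principal,
            # so they cannot open the function to other accounts or to "*".
            "Sid": "AddPermissionSnsOnly",
            "Effect": "Allow",
            "Action": ["lambda:AddPermission", "lambda:RemovePermission"],
            "Resource": "*",
            "Condition": {"StringEquals": {"lambda:Principal": "sns.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, policy_values, context):
    """Evaluate one condition operator block. `context` maps condition key -> list of
    request values; a key missing from the context was not supplied by the request."""
    for key, expected in policy_values.items():
        expected = _as_list(expected)
        actual = context.get(key)
        if operator == "StringEquals":
            # Single-valued comparison: exactly one request value, and it must be allowed.
            if actual is None or len(actual) != 1 or actual[0] not in expected:
                return False
        elif operator == "ForAllValues:StringEquals":
            # Every supplied value must be allowed; an absent key passes (vacuous truth).
            if actual and not set(actual) <= set(expected):
                return False
        elif operator == "Null":
            # "Null": {key: "true"} matches when the request did not supply the key.
            key_is_absent = actual is None
            if key_is_absent != (expected[0].lower() == "true"):
                return False
        else:
            raise ValueError(f"operator not modelled in this example: {operator}")
    return True


def evaluate(policy, action, context):
    """Simplified IAM decision: explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_matches(op, vals, context) for op, vals in conditions.items()):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def without_statement(policy, sid):
    """Copy of the policy minus one statement, to show what that guard contributes."""
    trimmed = copy.deepcopy(policy)
    trimmed["Statement"] = [s for s in trimmed["Statement"] if s.get("Sid") != sid]
    return trimmed


if __name__ == "__main__":
    no_vpc = {}
    print("CreateFunction without VPC:", evaluate(IDENTITY_POLICY, "lambda:CreateFunction", no_vpc))
    print("...without the RequireVpc guard:",
          evaluate(without_statement(IDENTITY_POLICY, "RequireVpc"), "lambda:CreateFunction", no_vpc))
```

Creating a function with no VpcConfig is denied by the full policy but allowed once the RequireVpc statement is removed, which is exactly the hole the Null condition exists to close; the AddPermission statement shows lambda:Principal rejecting a wildcard principal the same way.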