Posted On: Mar 11, 2022
AWS Lambda now supports the aws:PrincipalOrgID condition key in Lambda function resource-based policies. Customers can use resource-based policies for Lambda functions including specific version or alias to grant usage permissions for other AWS accounts or AWS services. The aws:PrincipalOrgID condition key is designed to control access to AWS resources by using the AWS organization of IAM principals. You can now use this condition key in the function resource-based policies to require all principals accessing Lambda functions to be from an account in the organization. Additionally, when you add and remove accounts, policies that include the aws:PrincipalOrgID key should automatically include the correct accounts and help minimize manual updating.
The aws:PrincipalOrgID key provides an alternative to listing all the account IDs for all AWS accounts in an organization. Previously, to restrict access for Lambda functions to only principals from AWS accounts inside of your organization, users had to individually add each AWS account ID to the resource-based policy. Now, you can specify the organization ID in the condition element of the Lambda’s resource-based policy.
You can start using this feature via AWS Console, CLI or AWS CloudFormation by passing your organization ID when adding permissions for a Lambda function including specific version or alias. Lambda will help generate the resource-based policy with the condition key aws:PrincipalOrgID using the value as your organization ID provided in the request.