I want to grant read and write access to a specific AWS Lambda function that is identified by its Amazon Resource Name (ARN). How can I provide granular access to Lambda functions?

You can configure the permissions for Lambda functions using AWS Identity and Access Management (IAM) policies to:

  1. Create a Lambda function
  2. Delete a Lambda function
  3. View the configuration details of a Lambda function
  4. Modify a Lambda function
  5. Invoke a Lambda function
  6. Monitor a Lambda function

In the following policy examples, Lambda APIs that support resource-level permissions are restricted to a specific Lambda function that is listed in the "Resource" element of each statement, and a specific function name is used in the "Condition" element for APIs that support those elements. APIs that do not support resource-level permissions require "*" in the "Resource" element, and these APIs can't apply any Lambda service-specific condition keys. For more information about IAM actions, resources, and conditions that are supported by Lambda, see Actions, Resources, and Condition Keys for AWS Lambda.

The value of a statement's "Resource" property uses the ARN to identify the resources that the statement applies to. For example, when the "Action" is "Invoke," then the "Resource" is a function ARN. IAM matches this ARN against the ARN of the function that is identified by the "FunctionName" and "Qualifier" parameters of an "Invoke" request. For more information, see Versioning, Aliases, and Resource Policies. Note: If you use multiple versions and aliases, you might need to include "arn:aws:lambda:region:AccountID:function:function_name:*" in the resource element.
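The matching rule described above is easy to get wrong in practice, in particular the qualified-ARN case from the note. The following Python script is an added example (not AWS code, and not a complete IAM evaluator: it models only Allow statements, the "*" and "?" wildcards, and the StringEquals operator, with no explicit Deny or policy variables). It fills the page's invoke policy and the event-source-mapping statement with constructed sample values (region us-east-1, account 123456789012, function my-function) and shows that an invoke of the "prod" alias is denied by the unqualified ARN alone and allowed once the ":*" form is listed, and that "lambda:FunctionArn" pins an event source mapping to one function.

```python
"""
Offline simulation of how IAM matches a request's action and resource ARN
against the "Action", "Resource" and "Condition" elements of an identity-based
policy statement. Added example, not AWS code: covers only Allow statements,
IAM's '*' and '?' wildcards and the StringEquals operator, and does not model
explicit Deny or policy variables. Region, account ID and function name are
constructed sample values.
"""
import json
import re

FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"


def _as_list(value):
    """"Action" and "Resource" may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one,
    everything else is literal. Action names are case-insensitive, ARNs are not."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Evaluate a "Condition" block; only StringEquals is modelled, any other operator fails closed."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def statement_allows(stmt, action, resource, context=None):
    """True if this Allow statement covers the action on the resource under the given context."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_iam_match(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context or {})


def policy_allows(policy, action, resource, context=None):
    """True if any statement in the policy allows the request."""
    return any(statement_allows(s, action, resource, context) for s in policy["Statement"])


# The page's invoke policy with sample values filled in (constructed).
INVOKE_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToInvoke",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
        }
    ]
}""")

# The page's event-source-mapping statement: these APIs take no function ARN as
# their resource, so "Resource" is "*" and the function is pinned by lambda:FunctionArn.
EVENT_SOURCE_STATEMENT = {
    "Sid": "ActionsWhichSupportCondition",
    "Effect": "Allow",
    "Action": ["lambda:CreateEventSourceMapping", "lambda:UpdateEventSourceMapping",
               "lambda:DeleteEventSourceMapping"],
    "Resource": "*",
    "Condition": {"StringEquals": {"lambda:FunctionArn": FUNCTION_ARN}},
}


def invoke_allowed(policy, qualifier=None):
    """An Invoke with a version or alias qualifier is matched against the qualified ARN."""
    resource = FUNCTION_ARN if qualifier is None else f"{FUNCTION_ARN}:{qualifier}"
    return policy_allows(policy, "lambda:InvokeFunction", resource)


def with_qualified_resource(policy):
    """Copy of the policy that also lists the ':*' form from the page's note."""
    copy = json.loads(json.dumps(policy))
    copy["Statement"][0]["Resource"] = [FUNCTION_ARN, FUNCTION_ARN + ":*"]
    return copy


def mapping_allowed(target_function_arn):
    """Actions without resource-level permissions are evaluated against '*';
    the condition key decides which function the mapping may point at."""
    return statement_allows(EVENT_SOURCE_STATEMENT, "lambda:CreateEventSourceMapping", "*",
                            {"lambda:FunctionArn": target_function_arn})


if __name__ == "__main__":
    print("invoke unqualified:", invoke_allowed(INVOKE_POLICY))
    print("invoke alias prod:", invoke_allowed(INVOKE_POLICY, "prod"))
    print("invoke alias prod with :* listed:", invoke_allowed(with_qualified_resource(INVOKE_POLICY), "prod"))
    print("mapping to another function:", mapping_allowed(FUNCTION_ARN + "-other"))
```

Listing both the unqualified ARN and the ":*" form is deliberate: the ":*" pattern alone does not match the bare function ARN, so a policy that lists only one of them still denies half of the invoke paths.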

1. Permissions required to create a Lambda function

Both lambda:CreateFunction and iam:PassRole permissions are required to create a Lambda function using the AWS Command Line Interface (AWS CLI) or an SDK. For example policies, see Using Identity-Based Policies (IAM Policies) for AWS Lambda. The following policy allows the API caller to create a Lambda function, pass the IAM role as the Lambda execution role for the function, and then upload the code from your local machine:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToCreateFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction"
            ],
            "Resource": [
                "arn:aws:lambda:region:AccountID:function:function_name"
            ]
        },
        {
            "Sid": "PermissionToPassARole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::AccountID:role/role_name"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

If you upload the code from an Amazon Simple Storage Service (Amazon S3) bucket, add a policy snippet similar to the following to the existing IAM policy to grant the required permissions for Amazon S3:

...
{
    "Sid": "PermissionToUploadCodeFromS3",
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::S3BucketName/FileName.zip"
}
...

Note: Update the policy to include your relevant S3 bucket and file names.

Because the code can't be uploaded at the moment the function is created in the Lambda console, additional API permissions are required, such as read-level APIs and permission to view and update the function. Add a policy similar to the following to grant these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsToViewFunctionsInConsole",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:GetAccountSettings"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PermissionsToCreateAndUpdateFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:GetFunction",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": [
                "arn:aws:lambda:region:AccountID:function:function_name"
            ]
        },
        {
            "Sid": "PermissionToListExistingRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PermissionToPassARole",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::AccountID:role/role_name"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

To create an IAM role during the Lambda function creation process, add IAM permissions similar to the following:

...
{
    "Sid": "PermissionsToCreateAndUpdateARole",
    "Effect": "Allow",
    "Action": [
        "iam:CreateRole",
        "iam:CreatePolicy",
        "iam:PutRolePolicy",
        "iam:AttachRolePolicy"
    ],
    "Resource": "*"
}
...

2. Permissions required to delete a Lambda function

To delete a Lambda function using the AWS CLI or an SDK, add permissions similar to the following:  

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToDeleteFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:DeleteFunction"
            ],
            "Resource": [
                "arn:aws:lambda:region:AccountID:function:function_name"
            ]
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

To delete a Lambda function using the Lambda console, add Lambda read-access permissions similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsToViewFunctionsInConsole",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:GetAccountSettings"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PermissionToDeleteFunction",
            "Effect": "Allow",
            "Action": [
                "lambda:DeleteFunction"
            ],
            "Resource": [
                "arn:aws:lambda:region:AccountID:function:function_name"
            ]
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

3. Permissions required to view the configuration details of a Lambda function

Users can use Lambda APIs to view the configuration details of a function. The following policy demonstrates how these APIs can be restricted to a specific Lambda function. Depending upon the level of read access that you want to grant, you might need to grant all or a subset of the following permissions when using the AWS CLI or an SDK:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ActionsWhichSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:GetPolicy",
                "lambda:GetAlias",
                "lambda:ListVersionsByFunction",
                "lambda:ListAliases"
            ],
            "Resource": [
                "arn:aws:lambda:region:AccountID:function:function_name"
            ]
        },
        {
            "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:ListTags",
                "lambda:GetEventSourceMapping",
                "lambda:ListEventSourceMappings"
            ],
            "Resource": "*"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

To view the configuration details of a function by using the Lambda console, add permissions similar to the following:

...
{
    "Sid": "PermissionsToViewFunctionsInConsole",
    "Effect": "Allow",
    "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
    ],
    "Resource": "*"
}
...

The Lambda console displays details about the IAM role that is associated with a Lambda function and the resources that the function's IAM role has access to. To view these details, add permissions similar to the following:

...
{
    "Sid": "PermissionsToViewRolesAndPolicies",
    "Effect": "Allow",
    "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRolePolicy",
        "iam:ListRoles",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies"
    ],
    "Resource": "*"
}
...

Note: Depending upon your requirements and the services integrated with your Lambda function, you might need to grant additional permissions for other AWS services. For more information, see Permissions Required to Use the AWS Lambda Console.

4. Permissions required to modify a Lambda function

Users can also use Lambda APIs to change the configuration of functions. The following policy demonstrates how these APIs can be restricted to a specific Lambda function. Depending upon the level of write access that you want to grant, you might need to grant all or a subset of the following permissions when using the AWS CLI or an SDK:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ActionsWhichSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:AddPermission",
                "lambda:RemovePermission",
                "lambda:CreateAlias",
                "lambda:UpdateAlias",
                "lambda:DeleteAlias",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:PutFunctionConcurrency",
                "lambda:DeleteFunctionConcurrency",
                "lambda:PublishVersion"
            ],
            "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
        },
        {
            "Sid": "ActionsWhichSupportCondition",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateEventSourceMapping",
                "lambda:UpdateEventSourceMapping",
                "lambda:DeleteEventSourceMapping"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "lambda:FunctionArn": "arn:aws:lambda:region:AccountID:function:function_name"
                }
            }
        },
        {
            "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "lambda:UntagResource",
                "lambda:TagResource"
            ],
            "Resource": "*"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

You can further restrict "lambda:AddPermission" and "lambda:RemovePermission" to a specific principal that appears in the permission being added or removed. You can also limit "lambda:UpdateEventSourceMapping" and "lambda:DeleteEventSourceMapping" to a particular event source mapping. For more information, see Lambda API Permissions: Actions, Resources, and Conditions Reference.
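Hand-written policies of this kind fail in two ways: mechanically (a Sid with a stray space or an action name containing whitespace is rejected on upload) and in scope (a Lambda action that accepts a function ARN granted on "*", or iam:PassRole on any role, which hands out far more than the sections above intend). The following Python lint is an added example, not an AWS tool; the list of resource-level Lambda actions is the one this page's own policies restrict to a function ARN, and the two sample policies are constructed for the example. Run against the console snippets on this page it will also flag "lambda:GetFunction" on "*", which is a grant worth reviewing rather than an error.

```python
"""
Offline lint for Lambda-related IAM identity policies. Added example, not an
AWS tool. Checks: Sid is non-empty, alphanumeric and unique (the identity-policy
rule); action names are well formed; Lambda actions that accept a function ARN
are not granted on "*"; iam:PassRole names a role rather than "*". The action
set comes from this page's policies; sample policies are constructed.
"""
import json
import re

# Lambda actions this page restricts to a function ARN.
RESOURCE_LEVEL_LAMBDA_ACTIONS = {
    "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:InvokeFunction",
    "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:GetPolicy",
    "lambda:GetAlias", "lambda:ListVersionsByFunction", "lambda:ListAliases",
    "lambda:AddPermission", "lambda:RemovePermission", "lambda:CreateAlias",
    "lambda:UpdateAlias", "lambda:DeleteAlias", "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration", "lambda:PutFunctionConcurrency",
    "lambda:DeleteFunctionConcurrency", "lambda:PublishVersion",
}

SID_RE = re.compile(r"^[A-Za-z0-9]+$")                     # identity-policy Sid rule
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$")   # service:Action, wildcards allowed


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy):
    """Return (code, sid, detail) findings; an empty list means nothing to fix."""
    findings = []
    seen = set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "")
        if not SID_RE.match(sid):
            findings.append(("BAD_SID", sid, "Sid must be non-empty and alphanumeric"))
        if sid in seen:
            findings.append(("DUP_SID", sid, "Sid must be unique within the policy"))
        seen.add(sid)

        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(("BAD_ACTION", sid, f"malformed action name {action!r}"))

        # Scope checks only matter for grants on a wildcard resource.
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in actions:
            if action in RESOURCE_LEVEL_LAMBDA_ACTIONS:
                findings.append(("WIDE_RESOURCE", sid,
                                 f"{action} accepts a function ARN; restrict Resource"))
            elif action.lower() == "iam:passrole":
                findings.append(("WIDE_PASSROLE", sid,
                                 "iam:PassRole should name the execution role ARN"))
    return findings


def finding_codes(policy):
    """Sorted finding codes, convenient for a quick pass/fail."""
    return sorted(code for code, _, _ in lint_policy(policy))


# This page's create-function policy with constructed sample values: expected clean.
CLEAN_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PermissionToCreateFunction", "Effect": "Allow",
         "Action": ["lambda:CreateFunction"],
         "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:my-function"]},
        {"Sid": "PermissionToPassARole", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/my-function-role"}
    ]
}""")

# Constructed policy carrying the kinds of defects the lint catches.
DEFECTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": " PermissionToDeleteFunction", "Effect": "Allow",   # leading space in Sid
         "Action": ["lambda:DeleteFunction"], "Resource": "*"},      # function action on "*"
        {"Sid": "PermissionsToViewRolesAndPolicies", "Effect": "Allow",
         "Action": ["iam: GetRolePolicy", "iam:ListRoles"],         # space inside action name
         "Resource": "*"},
        {"Sid": "PermissionToPassARole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},                 # PassRole on any role
    ],
}

if __name__ == "__main__":
    for code, sid, detail in lint_policy(DEFECTIVE_POLICY):
        print(f"{code:14} {sid!r}: {detail}")
```

The scope checks are intentionally conservative: they fire only on "*" and only for the Lambda actions this page itself narrows to a function ARN, so actions that genuinely require "*" (ListFunctions, GetAccountSettings, ListTags, the event source mapping calls) pass untouched.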

To specify a customer-managed AWS Key Management Service (AWS KMS) key to encrypt environment variables, add KMS permissions by using an IAM policy snippet similar to the following:

...
{
    "Sid": "PermissionsForCryptoOperations",
    "Effect": "Allow",
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:CreateGrant"
    ],
    "Resource": "arn:aws:kms:region:AccountID:key/keyID"
},
{
    "Sid": "PermissionsToListExistingKeys",
    "Effect": "Allow",
    "Action": [
        "kms:ListKeys",
        "kms:ListAliases"
    ],
    "Resource": "*"
}
...

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

To modify a Lambda function's configurations using the Lambda console, add permissions similar to the following:

...
{
    "Sid": "PermissionsToViewFunctionsInConsole",
    "Effect": "Allow",
    "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
    ],
    "Resource": "*"
}
...

5. Permissions required to invoke a Lambda function

To manually invoke a Lambda function for testing purposes using the AWS CLI or an SDK, add permissions similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToInvoke",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

To list Lambda functions using the Lambda console, add permissions similar to the following:  

...
{
    "Sid": "PermissionsToViewFunctionsConfigInConsole",
    "Effect": "Allow",
    "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings",
        "lambda:GetFunction"
    ],
    "Resource": "*"
}
...

To allow other services to invoke a Lambda function, use resource-based policies for AWS Lambda (Lambda function policies). You can also use function policies to provide cross-account access to Lambda functions. The following example policy can be used to allow a user from a different AWS account to manually invoke a Lambda function:

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "PermissionToInvoke",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ExternalAccountID:user/username"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
        }
    ]
}

Note: Update the policy to include your relevant region, account ID, function name, ARN, and so on.

6. Permissions required to monitor Lambda functions

To view Amazon CloudWatch metrics in the Monitoring view of the Lambda console, add permissions similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionForCloudWatchMetrics",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics"
            ],
            "Resource": "*"
        }
    ]
}

To grant permission to specific CloudWatch metrics, see Amazon CloudWatch Permissions Reference.

Published: 2018-06-13