How can I provide granular access to Lambda functions?

I want to grant read and write access to a specific AWS Lambda function that's identified by its Amazon Resource Name (ARN). How can I provide granular access to Lambda functions?

Short description

You can configure the permissions for Lambda functions using AWS Identity and Access Management (IAM) policies to:

  • Create a Lambda function
  • Delete a Lambda function
  • View the configuration details of a Lambda function
  • Modify a Lambda function
  • Invoke a Lambda function
  • Monitor a Lambda function

In the following policy examples, Lambda API actions that support resource-level permissions are restricted to a specific Lambda function listed in the Resource element of each statement. For API actions that support Lambda condition keys instead, the specific function is identified in the Condition element (for example, with the lambda:FunctionArn key).

API actions that don't support resource-level permissions require a wildcard ("*") in the Resource element, and can't apply any Lambda service-specific condition keys. For more information about IAM actions, resources, and conditions that are supported by Lambda, see actions, resources, and condition keys for AWS Lambda.

The value of a statement's Resource element uses the ARN to identify the resources that the statement applies to. For example, when the Action is lambda:InvokeFunction, the Resource is a function ARN. IAM matches this ARN against the ARN of the function that's identified by the FunctionName and Qualifier parameters of the Invoke request. For more information, see AWS Lambda function versions.

Note: If you use multiple versions and aliases, you might need to include "arn:aws:lambda:region:AccountID:function:function_name:*" in the Resource element so that qualified ARNs (those ending in a version number or alias name) also match.
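As an added illustration (not code from the article), the following Python models how IAM matches a statement's Resource element against the function ARN of an Invoke request, including the qualified-ARN case the note above describes. The policy, Region, account ID and function ARN are constructed samples, and the evaluator is deliberately simplified: wildcard matching on Action and Resource, an explicit Deny that overrides Allow, and StringEquals conditions only, which is all the article's policies use.

```python
import json
import re

FN = "arn:aws:lambda:us-east-1:111122223333:function:function_name"  # constructed sample ARN

# Constructed policy modelled on the article's examples: Invoke is scoped to the unqualified
# function ARN; the event source mapping action is scoped with the lambda:FunctionArn key.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": FN},
    {"Effect": "Allow", "Action": ["lambda:CreateEventSourceMapping"], "Resource": "*",
     "Condition": {"StringEquals": {"lambda:FunctionArn": FN}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcard matching: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource, context=None):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access. Only StringEquals conditions are modelled (all the article uses)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # A context key that is absent from the request makes StringEquals false.
        if any(context.get(k) not in _as_list(v) for k, v in conds.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def with_qualified_arn(policy):
    """Copy of the policy whose Invoke statement also lists '<function ARN>:*' (the note above)."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"][0]["Resource"] = [FN, FN + ":*"]
    return fixed

if __name__ == "__main__":
    print(is_allowed(POLICY, "lambda:InvokeFunction", FN))            # True
    print(is_allowed(POLICY, "lambda:InvokeFunction", FN + ":PROD"))  # False: qualified ARN
    print(is_allowed(with_qualified_arn(POLICY), "lambda:InvokeFunction", FN + ":PROD"))  # True
```

Note that "function_name:*" alone does not match the unqualified ARN, which is why the article says to include the qualified pattern alongside the existing entry rather than replace it.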

Resolution

Permissions required to create a Lambda function

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Both lambda:CreateFunction and iam:PassRole permissions are required to create a Lambda function using the AWS Command Line Interface (AWS CLI) or an SDK. For example policies, see Identity-based IAM policies for AWS Lambda. The following policy allows the API caller to create a Lambda function, pass the IAM role as the Lambda execution role for the function, and then upload the code from your local machine:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToCreateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/role_name"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

If you upload the code from an Amazon Simple Storage Service (Amazon S3) bucket, then add a policy similar to the following to the existing IAM policy to grant the required permissions for Amazon S3:

...
{
  "Sid": "PermissionToUploadCodeFromS3",
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::S3BucketName/FileName.zip"
}
...

Note: Update the policy to include your relevant S3 bucket and file names.

Because the Lambda console can't provide the code at the moment it creates the function, it needs additional API permissions: read-level API actions plus permission to view and update the function after creation. Add a policy similar to the following to grant these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionsToCreateAndUpdateFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "PermissionToListExistingRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToPassARole",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::AccountID:role/role_name"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To create an IAM role during the Lambda function creation process, add additional IAM permissions similar to the following:

...
{
  "Sid": "PermissionsToCreateAndUpdateARole",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:CreatePolicy",
    "iam:PutRolePolicy",
    "iam:AttachRolePolicy"
  ],
  "Resource": "*"
}
...

Permissions required to delete a Lambda function

To delete a Lambda function using the AWS CLI or an SDK, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To delete a Lambda function using the Lambda console, add Lambda read access permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionsToViewFunctionsInConsole",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionToDeleteFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:DeleteFunction"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

Permissions required to view the configuration details of a Lambda function

To give a user permission to view the configuration details of a Lambda function, add permissions similar to the following:

Note: Depending upon the level of read access that you want to grant, you might need to grant all or a subset of the following permissions when using the AWS CLI or an SDK.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:GetPolicy",
        "lambda:GetAlias",
        "lambda:ListVersionsByFunction",
        "lambda:ListAliases"
      ],
      "Resource": [
        "arn:aws:lambda:region:AccountID:function:function_name"
      ]
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:ListTags",
        "lambda:GetEventSourceMapping",
        "lambda:ListEventSourceMappings"
      ],
      "Resource": "*"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To view the configuration details of a function by using the Lambda console, add permissions similar to the following:

...
{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}
...

The Lambda console uses the tags on Lambda functions so that you can filter functions by tag. To allow the console to query the AWS tagging service, add permissions similar to the following:

...
{
  "Sid": "PermissionsToFilterFunctionsByTags",
  "Effect": "Allow",
  "Action": [
     "tag:GetResources"
  ],
  "Resource": "*"
}
...

The Lambda console displays details about the IAM role that is associated with a Lambda function and the resources that the function's IAM role has access to. To view these details, add permissions similar to the following:

...
{
  "Sid": "PermissionsToViewRolesAndPolicies",
  "Effect": "Allow",
  "Action": [
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRolePolicy",
    "iam:ListRoles",
    "iam:ListRolePolicies",
    "iam:ListAttachedRolePolicies"
  ],
  "Resource": "*"
}
...

Note: Depending upon your requirements and the services integrated with your Lambda function, you might need to grant additional permissions for other AWS services. For more information, see AWS Lambda permissions.

Permissions required to modify a Lambda function

To give a user permission to modify a Lambda function, add permissions similar to the following:

Note: Depending upon the level of write access that you want to grant, you might need to grant all or a subset of the following permissions when using the AWS CLI or an SDK.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ActionsWhichSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:CreateAlias",
        "lambda:UpdateAlias",
        "lambda:DeleteAlias",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:PutFunctionConcurrency",
        "lambda:DeleteFunctionConcurrency",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    },
    {
      "Sid": "ActionsWhichSupportCondition",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateEventSourceMapping",
        "lambda:DeleteEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionArn": "arn:aws:lambda:region:AccountID:function:function_name"
        }
      }
    },
    {
      "Sid": "ActionsWhichDoNotSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "lambda:UntagResource",
        "lambda:TagResource"
      ],
      "Resource": "*"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

You can further restrict lambda:AddPermission and lambda:RemovePermission so that they apply only to a specific principal named in the resource-based policy statement being added or removed. You can also limit lambda:UpdateEventSourceMapping and lambda:DeleteEventSourceMapping to a particular event source mapping. For more information, see Identity-based IAM policies for AWS Lambda.
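The article grants Resource "*" only where an action doesn't support resource-level permissions. As an added check (not from the article), this Python lint takes the list of resource-scopable Lambda actions that appear in the policies above and flags Allow statements that grant such an action on "*" with no Condition narrowing it. The sample policy is constructed; it includes the console snippet from the invoke section that lists lambda:GetFunction on "*", which the lint reports as a candidate for narrowing to a function ARN.

```python
import json
import re

# Lambda actions that the article's policies scope to a function ARN (resource-level permissions).
RESOURCE_SCOPABLE = {"lambda:" + a for a in (
    "CreateFunction", "DeleteFunction", "GetFunction", "GetFunctionConfiguration", "GetPolicy",
    "GetAlias", "ListVersionsByFunction", "ListAliases", "InvokeFunction", "AddPermission",
    "RemovePermission", "CreateAlias", "UpdateAlias", "DeleteAlias", "UpdateFunctionCode",
    "UpdateFunctionConfiguration", "PutFunctionConcurrency", "DeleteFunctionConcurrency",
    "PublishVersion")}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_glob(pattern, action):
    # Expand an Action pattern such as "lambda:Update*" against a concrete action name.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def find_overbroad(policy):
    """Return (Sid, action) pairs where an Allow statement grants a resource-scopable Lambda
    action on Resource "*" with no Condition narrowing it to a function."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        if stmt.get("Condition"):
            continue  # narrowed by a condition key such as lambda:FunctionArn; not flagged
        for pattern in _as_list(stmt.get("Action", [])):
            for action in sorted(RESOURCE_SCOPABLE):
                if _action_glob(pattern, action):
                    findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

# Constructed sample: the article's console snippet that lists lambda:GetFunction on "*",
# plus a wildcard-action statement and a correctly scoped Invoke statement.
SAMPLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PermissionsToViewFunctionsConfigInConsole", "Effect": "Allow",
     "Action": ["lambda:ListFunctions", "lambda:GetAccountSettings", "lambda:GetFunction"],
     "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "lambda:Update*", "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:function_name"}
  ]}""")

if __name__ == "__main__":
    for sid, action in find_overbroad(SAMPLE):
        print(f"{sid}: {action} supports resource-level permissions; scope Resource to a function ARN")
```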

To specify a customer managed AWS Key Management Service (AWS KMS) key to encrypt environment variables, add additional KMS permissions by using an IAM policy snippet similar to the following:

...
{
  "Sid": "PermissionsForCryptoOperations",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:CreateGrant"
  ],
  "Resource": "arn:aws:kms:region:AccountID:key/keyID"
},
{
  "Sid": "PermissionsToListExistingKeys",
  "Effect": "Allow",
  "Action": [
    "kms:ListKeys",
    "kms:ListAliases"
  ],
  "Resource": "*"
}
...

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To modify a Lambda function's configurations using the Lambda console, add permissions similar to the following:

...
{
  "Sid": "PermissionsToViewFunctionsInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings"
  ],
  "Resource": "*"
}
...

Permissions required to invoke a Lambda function

To manually invoke a Lambda function for testing purposes using the AWS CLI or an SDK, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

To list Lambda functions using the Lambda console, add permissions similar to the following:

...
{
  "Sid": "PermissionsToViewFunctionsConfigInConsole",
  "Effect": "Allow",
  "Action": [
    "lambda:ListFunctions",
    "lambda:GetAccountSettings",
    "lambda:GetFunction"
  ],
  "Resource": "*"
}
...

To allow other AWS services to invoke a Lambda function, use resource-based policies for AWS Lambda. You can also use function policies to grant cross-account access to a Lambda function. The following example function policy allows a user from a different AWS account to manually invoke the function:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ExternalAccountID:user/username"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:region:AccountID:function:function_name"
    }
  ]
}

Note: Update the policy to include your relevant Region, account ID, function name, ARN, and so on.

Permissions required to monitor Lambda functions

To view Amazon CloudWatch metrics in the Monitoring view of the Lambda console, add permissions similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionForCloudWatchMetrics",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:GetMetricData"
      ],
      "Resource": "*"
    }
  ]
}

To grant permission to specific CloudWatch metrics and to CloudWatch Logs Insights, see the Amazon CloudWatch permissions reference and the CloudWatch Logs permissions reference.