AWS Lambda Execution Roles and Permissions

• IAM Role for Lambda:
  • An IAM Role must be attached to a Lambda function to grant it permission to access AWS services and resources.
  • This role defines what the function can do and which AWS resources it can interact with.
• Managed Policies for Lambda:
  • AWS provides managed policies for common Lambda use cases:
    • BasicExecutionRole: Allows Lambda functions to upload logs to CloudWatch.
    • KinesisExecutionRole: Grants permissions to read from Kinesis streams.
    • DynamoDBExecutionRole: Grants permissions to read from DynamoDB streams.
    • SQSQueueExecutionRole: Grants permissions to read from SQS queues.
    • LambdaVPCAccessExecutionRole: Allows Lambda functions to be deployed within a VPC.
    • XrayDaemonWriteAccess: Allows Lambda functions to upload trace data to X-Ray.
  • Custom policies can also be created for specific Lambda use cases.
• Event Source Mapping:
  • When using an event source mapping to invoke a Lambda function, an execution role is required for Lambda to read the event data.
  • This is different from when a Lambda function is invoked by other services, which may not require a specific IAM Role.
• Best Practice:
  • It is recommended to create one Lambda execution role per function for better security and management.
• Resource-Based Policy:
  • Used to give other AWS accounts or services permission to invoke your Lambda functions.
  • Similar to an S3 bucket policy.
  • An IAM principal can access a Lambda function if:
    • The IAM policy attached to the principal authorizes it.
    • A resource-based policy authorizes access to the Lambda function.
  • Useful for service-to-service access, such as allowing Amazon S3 to invoke a Lambda function.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::BUCKET_NAME"
        }
      }
    }
  ]
}

• Console Demonstration:
  • The AWS Management Console automates some of these configurations, but manual setup is required for custom integrations.
  • A walkthrough in the console can help understand how to configure these permissions.

Next Steps:

• Proceed to the AWS Management Console to explore how to set up and manage Lambda execution roles and resource-based policies.