Getting Started with Serverless: IAM Resource-Based Policies for AWS Lambda Functions

Learn how AWS IAM resource-based policies control permissions for invoking and accessing AWS Lambda functions. Understand the role of resource-based policies in serverless security.

Question

What does an AWS Identity and Access Management (IAM) resource-based policy control?

A. What the function can do within the other AWS services
B. Permissions to create the function
C. Permissions to invoke the function
D. What the other AWS services can do when processing the events

Answer

C. Permissions to invoke the function

Explanation

A resource policy (also called a function policy) is used to tell the Lambda service which principals have permission to invoke the Lambda function.

An AWS Identity and Access Management (IAM) resource-based policy attached to an AWS Lambda function controls who has permission to invoke that function. The resource-based policy defines which AWS accounts, IAM users, roles, or services are allowed to call the Lambda function.

Some key points about IAM resource-based policies for Lambda:

  • Resource-based policies are attached directly to the Lambda function itself, not to the IAM users or roles.
  • They define which principals (accounts, users, roles, services) can invoke the function.
  • You can grant cross-account access to a function by specifying the AWS account ID in the resource-based policy.
  • For event source mappings like Amazon S3 or DynamoDB streams, the resource-based policy determines whether that service is allowed to invoke the function.

Resource-based policies work together with IAM execution roles to secure access to Lambda functions. The execution role (specified when creating the function) determines what AWS resources and actions the function itself can access. But the resource-based policy controls who can invoke the function in the first place.
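The statements described above, worked through as an added example that is not part of the original page or of AWS's own tooling. The policy document follows the shape that `aws lambda add-permission` produces (a `lambda:InvokeFunction` statement with a `Principal` and optional `AWS:SourceArn` / `AWS:SourceAccount` conditions), but the account IDs, bucket name, role name and function ARN are constructed placeholders, and the small `can_invoke` evaluator is an illustration of how the function policy is consulted, not the real IAM evaluation engine (it ignores identity-based policies and explicit denies):

```python
"""Build and evaluate a Lambda resource-based (function) policy.

Added example. The account IDs, ARNs and the evaluator are constructed for
illustration; only the document shape mirrors what `aws lambda add-permission`
writes into the function policy.
"""
import json
from fnmatch import fnmatchcase

# Constructed placeholder: the function the policy is attached to.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111111111111:function:order-processor"


def add_permission(policy, sid, principal, source_arn=None, source_account=None):
    """Append one Allow statement, mirroring `aws lambda add-permission`."""
    stmt = {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": principal,            # {"Service": ...} or {"AWS": ...}
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }
    cond = {}
    if source_arn:
        # Pin a service principal to one source resource (e.g. one bucket).
        cond.setdefault("ArnLike", {})["AWS:SourceArn"] = source_arn
    if source_account:
        # Guard against the confused-deputy case: the source must be ours.
        cond.setdefault("StringEquals", {})["AWS:SourceAccount"] = source_account
    if cond:
        stmt["Condition"] = cond
    policy["Statement"].append(stmt)
    return policy


def build_policy():
    """Function policy with a service principal and a cross-account principal."""
    policy = {"Version": "2012-10-17", "Id": "default", "Statement": []}
    # Push-based source: S3 notifications from one bucket in our account.
    add_permission(policy, "AllowS3Notifications",
                   {"Service": "s3.amazonaws.com"},
                   source_arn="arn:aws:s3:::orders-inbound-bucket",   # constructed
                   source_account="111111111111")                    # constructed
    # Cross-account invocation by one role in a partner account.
    add_permission(policy, "AllowPartnerRole",
                   {"AWS": "arn:aws:iam::222222222222:role/order-submitter"})
    return policy


def _principal_matches(stmt_principal, caller):
    """True if the caller's principal (same kind and value) is listed."""
    for kind, value in caller.items():
        allowed = stmt_principal.get(kind)
        if allowed is None:
            continue
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if value in allowed:
            return True
    return False


def _conditions_hold(stmt, source_arn, source_account):
    """Check the two condition operators this toy evaluator understands."""
    cond = stmt.get("Condition", {})
    ctx = {"AWS:SourceArn": source_arn, "AWS:SourceAccount": source_account}
    for key, pattern in cond.get("ArnLike", {}).items():
        if ctx.get(key) is None or not fnmatchcase(ctx[key], pattern):
            return False
    for key, expected in cond.get("StringEquals", {}).items():
        if ctx.get(key) != expected:
            return False
    return True


def can_invoke(policy, caller, source_arn=None, source_account=None):
    """Would the function policy alone let `caller` invoke the function?

    Toy evaluation: any matching Allow statement wins. Real IAM also
    considers the caller's identity-based policies and explicit denies.
    """
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == "lambda:InvokeFunction"
        and stmt["Resource"] == FUNCTION_ARN
        and _principal_matches(stmt["Principal"], caller)
        and _conditions_hold(stmt, source_arn, source_account)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
```

Running the module prints the policy document; `can_invoke` then shows the two checks a reviewer cares about: the S3 statement only admits events from the named bucket in the named account, and the cross-account statement admits exactly one role rather than the whole partner account. Note that this applies to push-based sources such as S3 and SNS. For stream and queue sources (DynamoDB Streams, Kinesis, SQS) the Lambda service polls the source on the function's behalf, so the read permission lives in the execution role, not in the function policy.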

So in summary, IAM resource-based policies are a critical component of the security configuration for Lambda functions: they control the invocation permissions, while execution roles handle the function’s own permissions. The other options (what the function can do, permission to create it, and what event sources can do) are controlled through other mechanisms.

Getting Started with Serverless EDSELEv1EN-US assessment question and answer (Q&A) dump with detailed explanation and reference, available free, to help you pass the Getting Started with Serverless EDSELEv1EN-US assessment and earn the Getting Started with Serverless EDSELEv1EN-US badge.