Working with resource-based IAM policies in Lambda - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with resource-based IAM policies in Lambda

Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other Amazon accounts, organizations, or services. Resource-based policies apply to a single function, version, alias, or layer version. Note that a resource-based policy only grants access on the Lambda side: a principal in another account still needs an identity-based policy in its own account that allows the same action on the function or layer.

Console
To view a function's resource-based policy
  1. Open the Functions page of the Lambda console.

  2. Choose a function.

  3. Choose Configuration and then choose Permissions.

  4. Scroll down to Resource-based policy and then choose View policy document. The resource-based policy shows the permissions that are applied when another account or Amazon service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named my-function for a bucket named amzn-s3-demo-bucket in account 123456789012. The AWS:SourceAccount and AWS:SourceArn conditions are what limit the grant to that one bucket; without them, any bucket in any account that Amazon S3 acts on behalf of could invoke the function (the confused deputy problem), so keep both conditions whenever the principal is a service.

    Example Resource-based policy
    {
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {
                "Sid": "lambda-allow-s3-my-function",
                "Effect": "Allow",
                "Principal": {
                    "Service": "s3.amazonaws.com.cn"
                },
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceAccount": "123456789012"
                    },
                    "ArnLike": {
                        "AWS:SourceArn": "arn:aws-cn:s3:::amzn-s3-demo-bucket"
                    }
                }
            }
        ]
    }
Amazon CLI

To view a function's resource-based policy, use the get-policy command.

aws lambda get-policy \
    --function-name my-function \
    --output text

You should see output like the following: the policy document, followed by the policy's RevisionId (the two fields are tab-separated in text output).

{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "sns",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com.cn"
            },
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
            "Condition": {
                "ArnLike": {
                    "AWS:SourceArn": "arn:aws-cn:sns:us-west-2:123456789012:lambda*"
                }
            }
        }
    ]
}
7c681fc9-b791-4e91-acdf-eb847fdaa0f0

For versions and aliases, append the version number or alias to the function name.

aws lambda get-policy --function-name my-function:PROD

To remove a statement from your function's policy, use remove-permission with the statement's Sid. You can also pass --revision-id with the RevisionId returned by get-policy; the removal then fails if the policy has been modified since you read it, which prevents two operators from overwriting each other's changes.

aws lambda remove-permission \
    --function-name example \
    --statement-id sns

Use the get-layer-version-policy command to view the permissions on a layer.

aws lambda get-layer-version-policy \
    --layer-name my-layer \
    --version-number 3 \
    --output text

You should see output like the following: the RevisionId, followed by the policy. In this example the statement grants lambda:GetLayerVersion to every account in organization o-t194hfs8cz. A Principal of "*" on its own would make the layer version readable by any Amazon account; it is the aws:PrincipalOrgID condition that confines the grant to the organization, so do not remove the condition without also narrowing the principal.

b0cd9796-d4eb-4564-939f-de7fe0b42236
{
    "Sid": "engineering-org",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "lambda:GetLayerVersion",
    "Resource": "arn:aws-cn:lambda:us-west-2:123456789012:layer:my-layer:3",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalOrgID": "o-t194hfs8cz"
        }
    }
}

Use remove-layer-version-permission to remove statements from the policy.

aws lambda remove-layer-version-permission \
    --layer-name my-layer \
    --version-number 3 \
    --statement-id engineering-org
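The function and layer procedures above both end with a policy document that you have to read by eye. The following Python script is an added example, not part of the Amazon documentation or the Lambda CLI: it parses the text output of get-policy or get-layer-version-policy (policy JSON plus RevisionId) and flags the two grant shapes the sections above warn about, a service principal with no AWS:SourceArn/AWS:SourceAccount condition (confused deputy) and a "*" principal with no aws:PrincipalOrgID condition (public). The policy it runs against is a constructed sample; the account IDs, names and service principal strings are placeholders, and the statement names are invented for the example.

```python
import json

# Condition keys that pin a statement to one source or caller. Matching is
# case-insensitive, as IAM condition keys are.
SOURCE_KEYS = {"aws:sourcearn", "aws:sourceaccount", "aws:sourceorgid", "aws:sourceorgpaths"}
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}

# Constructed sample of `aws lambda get-policy --output text`: the policy
# document and the RevisionId, tab-separated. All identifiers are placeholders.
SAMPLE_OUTPUT = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {   # scoped to one bucket in one account: clean
            "Sid": "lambda-allow-s3-my-function",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com.cn"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
            "Condition": {
                "StringEquals": {"AWS:SourceAccount": "123456789012"},
                "ArnLike": {"AWS:SourceArn": "arn:aws-cn:s3:::amzn-s3-demo-bucket"},
            },
        },
        {   # any topic in any account can invoke through the service: flagged
            "Sid": "sns-unscoped",
            "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com.cn"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
        },
        {   # explicit cross-account grant to a named account: intentional, not flagged
            "Sid": "partner-account",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws-cn:iam::210987654321:root"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
        },
        {   # wildcard principal with no organization condition: public, flagged
            "Sid": "public-invoke",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function",
        },
    ],
}) + "\t7c681fc9-b791-4e91-acdf-eb847fdaa0f0\n"


def parse_text_output(output):
    """Split text output into (policy dict, revision id).

    get-policy and get-layer-version-policy both return a Policy string and a
    RevisionId; rather than rely on field order, take the field that parses
    as JSON as the policy and the other as the revision id.
    """
    policy, revision_id = None, None
    for field in output.strip().split("\t"):
        try:
            policy = json.loads(field)
        except json.JSONDecodeError:
            revision_id = field
    if policy is None:
        raise ValueError("no policy document found in output")
    if "Statement" not in policy:          # a bare statement, as a layer policy may print
        policy = {"Statement": [policy]}
    return policy, revision_id


def _condition_keys(statement):
    keys = set()
    for operands in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operands)
    return keys


def audit_statement(statement):
    """Return findings for one statement; an empty list means it is scoped."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    principal = statement.get("Principal")
    keys = _condition_keys(statement)
    if principal == "*" or principal == {"AWS": "*"}:
        if not keys & ORG_KEYS:
            findings.append("wildcard principal without aws:PrincipalOrgID: grant is public")
    elif isinstance(principal, dict) and "Service" in principal:
        if not keys & SOURCE_KEYS:
            findings.append(f"service principal {principal['Service']} without "
                            "aws:SourceArn/aws:SourceAccount: confused-deputy risk")
    return findings


def audit_policy(policy):
    """Map each flagged statement's Sid to its findings."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # IAM allows a single statement object
        statements = [statements]
    report = {}
    for i, statement in enumerate(statements):
        findings = audit_statement(statement)
        if findings:
            report[statement.get("Sid", f"statement-{i}")] = findings
    return report


if __name__ == "__main__":
    policy, revision_id = parse_text_output(SAMPLE_OUTPUT)
    print(f"RevisionId: {revision_id}")
    for sid, findings in audit_policy(policy).items():
        for finding in findings:
            print(f"{sid}: {finding}")
```

To run it against a live function, replace SAMPLE_OUTPUT with the captured text of `aws lambda get-policy --function-name my-function --output text`; the RevisionId it returns is the value to pass to remove-permission --revision-id when you then remove a flagged statement.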

Supported API actions

The following Lambda API actions support resource-based policies: