Lambda resource access permissions

You can use Amazon Identity and Access Management (IAM) to manage access to the Lambda API and resources such as functions and layers. For users and applications in your account that use Lambda, you can create IAM policies that apply to users, groups, or roles.

Every Lambda function has an IAM role called an execution role. In this role, you can attach a policy that defines the permissions that your function needs to access other Amazon services and resources. At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming. If your function calls other service APIs with the Amazon SDK, you must include the necessary permissions in the execution role's policy. Lambda also uses the execution role to get permission to read from event sources when you use an event source mapping to invoke your function.

To give other accounts and Amazon services permission to use your Lambda resources, use a resource-based policy. Lambda resources include functions, versions, aliases, and layer versions. When a user tries to access a Lambda resource, Lambda considers both the user's identity-based policies and the resource's resource-based policy. When an Amazon service such as Amazon Simple Storage Service (Amazon S3) calls your Lambda function, Lambda considers only the resource-based policy.

To manage permissions for users and applications in your account, we recommend using an Amazon managed policy. You can use these managed policies as-is, or as a starting point for writing your own more restrictive policies. Policies can restrict user permissions by the resource that an action affects, and by additional optional conditions. For more information, see Resources and conditions for Lambda actions.

If your Lambda functions contain calls to other Amazon resources, you might also want to restrict which functions can access those resources. To do this, include the lambda:SourceFunctionArn condition key in an IAM identity-based policy or service control policy (SCP) for the target resource. For more information, see Working with Lambda execution environment credentials.
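The following is an added example (not code from the Lambda documentation) showing what an execution-role policy pinned to one function with `lambda:SourceFunctionArn` looks like, together with a small audit helper that flags Allow statements reaching a target resource without that condition. The function and table ARNs are constructed sample values, and ARN matching is simplified to `fnmatch` wildcards.

```python
"""Audit IAM policy documents for Allow statements that let a Lambda execution
role reach a target resource without being pinned to a specific function via
the lambda:SourceFunctionArn condition key. ARN matching is simplified."""
import fnmatch
import json

# Constructed sample identifiers, not real account resources.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:order-processor"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders"
PIN_OPERATORS = {"arnequals", "arnlike", "stringequals", "stringlike"}


def _as_list(value):
    """IAM allows a single string/object or a list in most fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _pinned_to_function(condition: dict) -> bool:
    """True if a Condition block constrains lambda:SourceFunctionArn.
    Operators and condition keys are case-insensitive in IAM."""
    for operator, keys in condition.items():
        if operator.lower() in PIN_OPERATORS and any(
            key.lower() == "lambda:sourcefunctionarn" for key in keys
        ):
            return True
    return False


def unpinned_allow_statements(policy: dict, target_arn: str) -> list:
    """Indices of Allow statements whose Resource covers target_arn but that
    carry no lambda:SourceFunctionArn condition. Deny statements only narrow
    access, so they are skipped."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Resource"))
        covers = any(fnmatch.fnmatchcase(target_arn, p) for p in patterns)
        if covers and not _pinned_to_function(stmt.get("Condition", {})):
            findings.append(index)
    return findings


def execution_role_policy(pin_to_function: bool) -> dict:
    """Identity-based policy for the execution role: writes to one DynamoDB
    table, optionally restricted to a single function's credentials."""
    statement = {"Effect": "Allow", "Action": ["dynamodb:PutItem"], "Resource": TABLE_ARN}
    if pin_to_function:
        statement["Condition"] = {"ArnEquals": {"lambda:SourceFunctionArn": FUNCTION_ARN}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    for pinned in (False, True):
        doc = execution_role_policy(pinned)
        print(json.dumps(doc, indent=2))
        print("unpinned statements:", unpinned_allow_statements(doc, TABLE_ARN))
```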

For more information about IAM, see the IAM User Guide.

For more information about applying security principles to Lambda applications, see Security in Serverless Land.