Granting users access to a Lambda layer - Amazon Lambda
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting users access to a Lambda layer

Use identity-based policies to allow users, user groups, or roles to perform operations on Lambda layers. The following policy grants a user permission to create layers and use them with functions. The resource patterns allow the user to work in any Amazon Web Services Region and with any layer version, as long as the name of the layer starts with test-.

Example layer development policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PublishLayers", "Effect": "Allow", "Action": [ "lambda:PublishLayerVersion" ], "Resource": "arn:aws-cn:lambda:*:*:layer:test-*" }, { "Sid": "ManageLayerVersions", "Effect": "Allow", "Action": [ "lambda:GetLayerVersion", "lambda:DeleteLayerVersion" ], "Resource": "arn:aws-cn:lambda:*:*:layer:test-*:*" } ] }

You can also enforce layer use during function creation and configuration with the lambda:Layer condition. For example, you can prevent users from using layers published by other accounts. The following policy adds a condition to the CreateFunction and UpdateFunctionConfiguration actions to require that any layers specified come from account 123456789012.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ConfigureFunctions", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:UpdateFunctionConfiguration" ], "Resource": "*", "Condition": { "ForAllValues:StringLike": { "lambda:Layer": [ "arn:aws-cn:lambda:*:123456789012:layer:*:*" ] } } } ] }

To ensure that the condition applies, verify that no other statements grant the user permission to these actions.