Give AWS Lambda an AWS Managed Policy with CDK - amazon-web-services

I have a Lambda function defined in CDK. I'm using this Lambda to invoke a State Machine and for that I would need to provide it some Policies. The way I tried was the following:
```typescript
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

const stepFunctionsPolicy = new PolicyStatement({
  effect: Effect.ALLOW,
  actions: ['states:*'],
  resources: ['*'],
});
MachineLambda.addToRolePolicy(stepFunctionsPolicy); // Added the policy to the Lambda's role
```
This is a workaround, but ideally, instead of manually defining each policy, how would I provide AWS Managed Policies (specifically AWSStepFunctionsFullAccess) to this Lambda function?

The question specifically asks how to add the AWSStepFunctionsFullAccess managed policy to the Lambda's role. This allows the Lambda to perform CRUD operations on all step functions:
```typescript
machineLambda.role?.addManagedPolicy(
  iam.ManagedPolicy.fromAwsManagedPolicyName('AWSStepFunctionsFullAccess')
);
```
Consider granting the Lambda narrow permissions instead, following the IAM least privilege permissions security best practice:
```typescript
myStateMachine.grantExecution(machineLambda);
```

Related

aws lambda function access restriction

I am new to AWS. I want to restrict my AWS Lambda function so that it cannot be accessed by any other resource; it can only be invoked by a specified Lambda function.
I have not set up an API Gateway for this Lambda function; it's just a simple Lambda function that I want to invoke from another Lambda function, but I also want to restrict it from being invoked by other resources or another Lambda function. So I want to specify another Lambda function which will invoke this Lambda function, so that only the specified Lambda function can invoke it.
You can modify/delete resource-based policies for Lambda - AWS Lambda.
Normally, these policies define which IAM users, IAM roles and AWS services can invoke the function. You should edit the policies attached to this particular Lambda function to only permit access via your desired 'calling' Lambda function. This will probably involve referencing the IAM Role that is used by the 'calling' Lambda function.
You could even add a Deny policy to prohibit access via any other IAM Role or service.
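As an added illustration (not code from the original answer), this is the shape of the resource-based policy the answer describes: it permits lambda:InvokeFunction only to the calling function's execution role. The account ID, region, role name and function name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowInvokeFromCallerLambdaRoleOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-caller-lambda-role"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:PLACEHOLDER-callee-function"
    }
  ]
}
```

Lambda resource-based policies are built from Allow statements (the AddPermission API has no Deny), and within the same account a principal whose own identity policy grants lambda:InvokeFunction can still invoke the function, so the identity policies of the other roles in the account need checking as well.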

AWS Lambda doesn't have DynamoDB permissions when invoked by URL/API Gateway

We have a pair of existing AWS Lambda functions that read/write from a DynamoDB table. I created a new function and table; the function is very basic, just does a putItem on the DynamoDB table. I can successfully invoke it with the test functionality in Lambda.
However, if I invoke the Lambda function using the FunctionURL or via API Gateway, I get the following error.
Yet in Configuration > Permissions in the Lambda interface I clearly see the permission:
Suggestions where to check next? Comparison to our existing, working functions hasn't revealed anything; everything I have checked is configured the same.
Thanks!
When you invoke the lambda function in the lambda console, lambda is using an Execution role.
When you invoke the lambda function via API gateway or via the function URL, it is likely that you are using IAM authorization. As a result, lambda is using the role of the principal who invoked the function (in this case, PatientWellnessDeregistration-role-3ospc0u3).
The execution role is configured correctly, but the IAM role of the principal is lacking the required permissions.
Further reading:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
What you could optionally check is that API Gateway is authorized to call your new Lambda. If so, then the Resource-based policy of the Lambda (still in the Permissions tab) should have something similar to:
Resource-based policy example:

IAM PassRole restrictions

I need the permissions to pass an execution role to a Lambda when I create a CF.
So I have given the role used for creating the CF this:
```yaml
Effect: Allow
Action:
  - iam:PassRole
Resource:
  - "myexecutionrole"
```
So now my CF role can pass the execution role to any resource. I want to restrict this. I want it only to be able to pass the role to the Lambda function it is for. So I have been looking into policy conditions, but here I only find solutions for restricting the source of the call, not the target.
Is what I want possible, and how?
You could use iam:AssociatedResourceArn. From docs:
Specifies the ARN of the resource to which this role will be associated at the destination service.
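As an added example (not from the answer), an identity-policy statement for the CF role that combines the iam:AssociatedResourceArn key the answer names with iam:PassedToService, so the role can pass myexecutionrole only to the Lambda service and only for one named function. The account ID, region and function name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassExecutionRoleOnlyToOneLambda",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/myexecutionrole",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "lambda.amazonaws.com"
        },
        "ArnEquals": {
          "iam:AssociatedResourceArn": "arn:aws:lambda:us-east-1:111122223333:function:PLACEHOLDER-function-name"
        }
      }
    }
  ]
}
```

Both conditions must hold for the PassRole call to be allowed, and iam:AssociatedResourceArn is only present in the request context for services and operations that populate it, so confirm in the IAM condition-key reference that the Lambda operation you use (for example CreateFunction) supplies it before relying on it.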

Lambda Roles and SCPs

I have a question regarding Lambda and Roles and SCPs.
Let's say that I have a Lambda function doing a certain IAM call, and the Lambda role has the permission needed for doing it.
The Lambda itself is created with a CloudFormation. The CloudFormation deployment is run with a tool using the service role for the tool, no service role for the CF.
The Lambda Function is triggered by a Custom Resource in the same CF.
Tool(with role) -> CF(No service role) -> CR -> Lambda -> IAM call
Now add an SCP with a Deny for the IAM call. What principal needs to have a condition in the SCP to not be affected by the SCP?
The role you use for the lambda is the principal that needs an exception in the SCP. Ultimately, it is the principal that is running the lambda that is making the IAM call, so that is what will need the condition.
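As an added example (not from the answer), an SCP that denies an IAM action to every principal in the affected accounts except the Lambda's execution role, keyed on aws:PrincipalArn, which resolves to the role ARN for a Lambda's assumed-role session. iam:CreateRole stands in for the page's unspecified IAM call, and the role name is a placeholder.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyIamCallExceptFromLambdaExecutionRole",
      "Effect": "Deny",
      "Action": "iam:CreateRole",
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-lambda-execution-role"
        }
      }
    }
  ]
}
```

The tool's role and the custom resource are not in the path of the IAM call, so only the Lambda execution role needs the exception; the wildcard account ID lets one SCP cover every account in the OU that uses the same role name.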

AWS Managed Policy Vs Policy

Can someone explain to me the difference between an AWS Policy and an AWS Managed Policy in the context of CloudFormation?
More specifically, I'm trying to define an auto scaling template where:
Each instance in an auto scale configuration is assigned an IAM Instance Role that has a policy.
The same policy is applied to the user when they try and access these instances.
I'm trying to keep duplication to a minimum and it seems like I may be able to achieve it via a Policy linked to a role, and group of users. The role can then be associated with EC2 Instance via instance profile and users can be added to the groups which in turn are assigned the policy.
Why and under what circumstances would one use a ManagedPolicy?
Thank you for your assistance.
EDIT: It seems like Role requires a policy document irrespective. So even having a separate policy won't really help? Or am I missing something?
AWS::IAM::Role only requires a trust policy. The Policy/Managed Policy can be defined separately.
The difference between AWS::IAM::ManagedPolicy and AWS::IAM::Policy is that AWS::IAM::ManagedPolicy does not require you to assign a Group, Role or User when defining it. AWS::IAM::Policy does. In your use case, you're probably fine using AWS::IAM::Policy.
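As an added example (not from either answer), a CloudFormation template in which a single AWS::IAM::ManagedPolicy is referenced by both the instance role (reached by EC2 through its instance profile) and a user group, so the permissions are written once, while the role itself carries only the trust policy as the answer states. The bucket name is a placeholder.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SharedReadPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "Description": "Written once, attached to both the instance role and the group",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
              "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER",
              "arn:aws:s3:::BUCKET-NAME-PLACEHOLDER/*"
            ]
          }]
        }
      }
    },
    "InstanceRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
          }]
        },
        "ManagedPolicyArns": [{ "Ref": "SharedReadPolicy" }]
      }
    },
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": { "Roles": [{ "Ref": "InstanceRole" }] }
    },
    "OperatorGroup": {
      "Type": "AWS::IAM::Group",
      "Properties": { "ManagedPolicyArns": [{ "Ref": "SharedReadPolicy" }] }
    }
  }
}
```

Ref on an AWS::IAM::ManagedPolicy returns its ARN, which is what ManagedPolicyArns expects; an AWS::IAM::Policy could not be shared this way because it is inline and must name its Roles, Groups or Users itself.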
If I may add, testing Policy creation using CDK v2.12.0, groups, users or roles are not required. iam.ManagedPolicy creates a policy you can share, iam.Policy is created as an inline policy.
```typescript
new iam.Policy(this, 'testPolicy2', {
  statements: policyDocs,
  // groups: [s3UserGroup],
  policyName: 'testPolicy2',
});
new iam.ManagedPolicy(this, 'testPolicy3', {
  statements: policyDocs,
  // groups: [s3UserGroup],
  managedPolicyName: 'testPolicy3',
});
```