I have created one Lambda function. I need to provide access to only one role that was created for this Lambda, i.e. only this role should have invoke access. There may be other roles in the account which have invoke access on all Lambdas, but I want to restrict those roles from accessing my Lambda.
Can anyone please suggest a way to achieve this behaviour?
A resource-based policy attached to the Lambda function will work, as Maurice commented.
Below is a sample policy. The action specified in the policy statement is explicitly denied to all principals except the one specified. Only lambda_role is allowed to invoke the testfunction Lambda with the resource-based policy below.
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "0001",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::659266464590:role/service-role/lambda_role"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:659266464590:function:testfunction"
    }
  ]
}
Related
I am trying to figure out if it is possible to design an AWS IAM role that would dynamically grant permission to a resource based on the name of the calling resource. For example, I currently have a role that grants a Lambda function permission to create and write CloudWatch logs, which looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CWLog",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambdaFunction*"
    }
  ]
}
I am wondering if there is a way to substitute the string MyLambdaFunction with the name of the calling Lambda function using some ${aws:NameOfTheLambdaFunction} variable, so that I can have a generic policy allowing functions to write only to their specific CW log groups, which I can attach to different Lambda roles, with the resource statement looking like: "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/${aws:NameOfTheLambdaFunction}*"
Is something like this possible?
You're referring to an IAM policy variable that provides the name of the calling Lambda function.
Unfortunately, this policy variable does not currently exist, so this isn't possible.
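Since no such policy variable exists, the usual workaround is to render one scoped policy per function at deployment time. The following is an added example, not code from the question or answer above; the function and account names are placeholders. It generates the CWLog statement for a given function name and rejects names that are not valid Lambda function names, so a name coming from a pipeline parameter cannot smuggle a "*" into the Resource ARN and widen the grant:

```python
import re

# Added example (not from the original post). Lambda function names are limited to
# 1-64 characters from [A-Za-z0-9_-]; rejecting anything else keeps a '*' or ':'
# out of the generated Resource ARN.
_FUNCTION_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def log_policy_for(function_name: str, region: str = "*", account: str = "*") -> dict:
    """Return the per-function CloudWatch Logs policy the question asks for.

    Two Resource ARNs are listed: the bare log-group ARN and the ':*' form, the two
    shapes CloudWatch Logs uses for a group (the latter also covers its log streams).
    Neither has a trailing wildcard on the name, so a policy rendered for
    'MyLambdaFunction' does not also match '/aws/lambda/MyLambdaFunctionOther'.
    """
    if not _FUNCTION_NAME.fullmatch(function_name):
        raise ValueError(f"invalid Lambda function name: {function_name!r}")
    group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CWLog",
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                "Resource": [group, f"{group}:*"],
            }
        ],
    }


def policies_for(function_names) -> dict:
    """One policy document per function, keyed by name, to attach to each function's role."""
    return {name: log_policy_for(name) for name in function_names}


if __name__ == "__main__":
    import json

    # Placeholder region and account ID.
    print(json.dumps(log_policy_for("MyLambdaFunction", "us-east-1", "111122223333"), indent=2))
```

The rendered document is what you attach to each function's execution role; the trailing "*" in the original Resource ("MyLambdaFunction*") would also have matched any other function whose name starts with that prefix, which is why the generator pins the name and wildcards only the streams.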
I have created a Lambda function that I intend to serve as a secret rotation function for Secrets Manager, but when I try to add this function as a rotation function in Secrets Manager I get the error "Secrets Manager cannot invoke the specified lambda function. Ensure that the function policy grants access to the principal secretsmanager.amazonaws.com".
But I have already allowed Secrets Manager to invoke the function in the function's resource-based policy; this is what I have defined:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "Secret-Manager-Access-To-fun_SSH-function",
      "Effect": "Allow",
      "Principal": {
        "Service": "secretsmanager.amazonaws.com"
      },
      "Action": "lambda:Invoke",
      "Resource": "arn:aws:lambda:us-east-1:296808031351:function:fun_ssh"
    }
  ]
}
I am unable to understand what I am missing; how do I get this to work?
TIA
One reason could be that you used an incorrect action: lambda:Invoke.
The correct action for invoking a Lambda function is lambda:InvokeFunction.
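Errors like this are easy to catch before the policy is applied. The following is an added example, not from the question or answer above: a small linter for Lambda resource-based policies that flags actions that are not real Lambda actions (using a constructed, partial list of known actions), statements without a Principal, and Resource values that are not function ARNs. It is run over the policy posted in the question.

```python
import difflib
import re

# Added example (not from the original post). KNOWN_ACTIONS is a constructed subset
# of Lambda's IAM actions; extend it from the Service Authorization Reference.
KNOWN_ACTIONS = {
    "lambda:InvokeFunction", "lambda:InvokeAsync", "lambda:InvokeFunctionUrl",
    "lambda:GetFunction", "lambda:GetPolicy", "lambda:AddPermission",
    "lambda:RemovePermission", "lambda:CreateFunction", "lambda:DeleteFunction",
    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration",
}
# Function ARN, optionally with a version or alias qualifier.
FUNCTION_ARN = re.compile(
    r"arn:aws:lambda:[a-z0-9-]+:\d{12}:function:[A-Za-z0-9_-]{1,64}(:[A-Za-z0-9_$-]+)?"
)

# The policy posted in the question, reproduced so the linter has something to check.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "Secret-Manager-Access-To-fun_SSH-function",
            "Effect": "Allow",
            "Principal": {"Service": "secretsmanager.amazonaws.com"},
            "Action": "lambda:Invoke",
            "Resource": "arn:aws:lambda:us-east-1:296808031351:function:fun_ssh",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_known(action: str) -> bool:
    """True if the action names (or, with '*', wildcards over) a known Lambda action."""
    pattern = "^" + re.escape(action).replace(r"\*", ".*") + "$"
    return any(re.match(pattern, known) for known in KNOWN_ACTIONS)


def lint_function_policy(policy: dict) -> list:
    """Return human-readable findings for a Lambda resource-based policy; empty means clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("policy Version should be 2012-10-17")
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            findings.append(f"{sid}: a function policy statement needs a Principal")
        for action in _as_list(stmt.get("Action", [])):
            if not _action_known(action):
                hint = ", ".join(difflib.get_close_matches(action, sorted(KNOWN_ACTIONS), n=3))
                findings.append(f"{sid}: unknown action {action!r}; did you mean: {hint}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != "*" and not FUNCTION_ARN.fullmatch(resource):
                findings.append(f"{sid}: Resource {resource!r} is not a Lambda function ARN")
    return findings


if __name__ == "__main__":
    for finding in lint_function_policy(POSTED_POLICY):
        print(finding)
```

On the posted policy the only finding is the unknown action, with lambda:InvokeFunction among the suggestions; replacing the action makes the policy lint clean.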
I am using the JavaScript SDK and a Lambda function to copy a file from a source account to the current account where my Lambda lives. I'm assuming a role for cross-account access to the source account's S3 bucket before I call the copyObject API. But I'm getting Access Denied! Here is my cross-account role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::sourceBucket/*"
      ]
    }
  ]
}
and here are my Lambda permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::destinationbucket/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sts:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
I think when I assume the cross-account role I give up the Lambda's permissions, and then I cannot copy the file to the destination. Any help is much appreciated.
You appear to have:
A source bucket (Bucket-A) in Account-A
A destination bucket (Bucket-B) in Account-B
An AWS Lambda function in Account-B
An IAM Role (Role-A) in Account-A that the Lambda function can assume
Your requirement is to have the Lambda function copy objects from Bucket-A to Bucket-B.
When using the CopyObject command, the credentials must have:
Read permissions on Bucket-A
Write permissions on Bucket-B
However, while Role-A does have read permissions on Bucket-A, it does not have permission to write to Bucket-B.
Therefore, you have two choices:
Option 1: Add a Bucket Policy to Bucket-B that grants write permissions to Role-A, or
Option 2: Instead of using Role-A, the administrator of Bucket-A in Account-A can grant read permissions for Bucket-A to the IAM Role being used by the Lambda function by creating a Bucket Policy on Bucket-A. That is, the Lambda function does not assume Role-A. It just uses its own role to read directly from Bucket-A.
Option 2 is better, because it involves fewer moving parts. That is, there is no need to assume a role. I suggest you try this method before using the AssumeRole method.
If you do wish to continue using Role-A, then please note that the CopyObject() command will need to set the ACL to bucket-owner-full-control. If this is not done, Account-B will not have permission to access/delete the copied objects. (If you use the second method, the objects are copied using Account-B credentials, so this is not required.)
Bottom line: For your described scenario involving Role-A, add a Bucket Policy to Bucket-B that grants write permissions to Role-A.
I need to add a new AWS user to use a Lambda function, but I don't want him to delete or modify the Lambda functions created by other users. If I could also hide the other existing Lambda functions from him, that would be the ideal solution. How should I set this up in an IAM policy?
As per the AWS docs, you'll want an IAM policy similar to the following. Replace the relevant AWS values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToInvoke",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:AWS_REGION:AWS_ACCOUNT_ID:function:LAMBDA_FUNCTION_NAME"
    }
  ]
}
In AWS, I (joe.doe#accountXYZ) created an S3 bucket, thus I am this S3 bucket's owner.
I want to configure this S3 bucket based on IAM role, so that only some IAM roles, such as [role_xyz, role_abc, role_cde], can read this bucket.
From the AWS console, it seems that I cannot configure it.
Can anyone tell me whether it is possible to do that?
========
I understand that from the IAM role side you can configure a policy for this S3 resource. But my question here is on the S3 resource side: whether I can define an access policy based on IAM roles.
It appears that your requirement is to permit certain specific roles access to a particular Amazon S3 bucket.
There are two ways to do this:
Option 1: Add permissions to the Role
This is the preferred option. You can add a policy to the IAM Role that grants access to the bucket. It would look similar to:
{
  "Id": "Policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
This is a good method because you just add the policy to the desired Role(s), without having to touch the actual buckets.
Option 2: Add a Bucket Policy
This involves putting the permissions on the bucket, which grants access to a specific role. This is less desirable because you would have to put the policy on every bucket and refer to every Role.
It would look something like:
{
  "Id": "Policy1",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/my-role"
      }
    }
  ]
}
Please note that these policies grant s3:* permissions on the bucket, which might be too wide for your purposes. It is always best to grant only the specific, required permissions rather than granting all permissions.
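Three of the threads on this page (the NotPrincipal deny on a Lambda function, the cross-account CopyObject with Role-A, and the role policy versus bucket policy question just above) all come down to how IAM combines an identity-based policy with a resource-based policy. The following is an added example, not code from any of the questions or answers: a small model of that combination, with placeholder account IDs, role names and bucket names. It encodes the documented rules that an explicit Deny in either policy wins, that within one account an Allow in either policy is enough, and that across accounts the caller's identity policy and the resource policy must both allow. Note that the cross-account scenario therefore gives Role-A an s3:PutObject allow on Bucket-B in its own identity policy in addition to the Bucket-B bucket policy the answer describes; the bucket policy alone is not sufficient when the caller is in another account. The model ignores Condition elements, permissions boundaries and SCPs, and does not reproduce the account-first check that makes AWS recommend also listing the account root in a NotPrincipal deny.

```python
import re

# Added example (not from the original posts): a minimal model of IAM evaluation.
# All account IDs, role names and bucket names below are placeholders.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_match(pattern: str, value: str) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _principals(element) -> list:
    """Flatten Principal / NotPrincipal ('*' or {'AWS': ..., 'Service': ...}) to a list."""
    return ["*"] if element == "*" else [p for vals in element.values() for p in _as_list(vals)]


def _applies(stmt: dict, principal: str, action: str, resource: str) -> bool:
    if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(iam_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    if "Principal" in stmt and not any(iam_match(p, principal) for p in _principals(stmt["Principal"])):
        return False
    if "NotPrincipal" in stmt and any(iam_match(p, principal) for p in _principals(stmt["NotPrincipal"])):
        return False  # NotPrincipal: the statement applies to everyone *except* these
    return True


def _decide(policy, principal, action, resource) -> str:
    hits = [s for s in (policy["Statement"] if policy else []) if _applies(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in hits):
        return "ExplicitDeny"
    return "Allow" if any(s["Effect"] == "Allow" for s in hits) else "ImplicitDeny"


def evaluate(principal, identity_policy, action, resource, resource_account, resource_policy=None) -> str:
    """Combine the caller's identity policy with the resource's policy (bucket or function policy)."""
    ident = _decide(identity_policy, principal, action, resource)
    res = _decide(resource_policy, principal, action, resource)
    if "ExplicitDeny" in (ident, res):
        return "ExplicitDeny"
    same_account = principal.split(":")[4] == resource_account  # S3 ARNs carry no account, so it is passed in
    allowed = ("Allow" in (ident, res)) if same_account else (ident == "Allow" and res == "Allow")
    return "Allow" if allowed else "ImplicitDeny"


ACCT_B = "111122223333"  # owns the Lambda function, Bucket-B and the roles of the first question
ACCT_A = "444455556666"  # owns Bucket-A and Role-A
FUNC = f"arn:aws:lambda:us-east-1:{ACCT_B}:function:testfunction"
LAMBDA_ROLE = f"arn:aws:iam::{ACCT_B}:role/service-role/lambda_role"
OTHER_ROLE = f"arn:aws:iam::{ACCT_B}:role/invoke-everything"
ROLE_A = f"arn:aws:iam::{ACCT_A}:role/Role-A"

INVOKE_ALL = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}
FUNCTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "0001", "Effect": "Deny", "NotPrincipal": {"AWS": LAMBDA_ROLE},
    "Action": "lambda:InvokeFunction", "Resource": FUNC}]}


def lambda_notprincipal_scenario() -> dict:
    """First question: both roles may invoke any Lambda via identity policy; the function policy denies all but one."""
    return {
        "lambda_role_invoke": evaluate(LAMBDA_ROLE, INVOKE_ALL, "lambda:InvokeFunction", FUNC, ACCT_B, FUNCTION_POLICY),
        "other_role_invoke": evaluate(OTHER_ROLE, INVOKE_ALL, "lambda:InvokeFunction", FUNC, ACCT_B, FUNCTION_POLICY),
        "other_role_get": evaluate(OTHER_ROLE, INVOKE_ALL, "lambda:GetFunction", FUNC, ACCT_B, FUNCTION_POLICY),
    }


SRC_OBJ, DST_OBJ = "arn:aws:s3:::bucket-a/report.csv", "arn:aws:s3:::bucket-b/report.csv"
ROLE_A_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-a/*"}]}
ROLE_A_WITH_WRITE = {"Version": "2012-10-17", "Statement": ROLE_A_ORIGINAL["Statement"] + [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-b/*"}]}
BUCKET_B_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-b/*"}]}


def cross_account_copy_scenario() -> dict:
    """Cross-account CopyObject: Role-A (Account-A) reads Bucket-A and writes Bucket-B (Account-B)."""
    return {
        "read_source": evaluate(ROLE_A, ROLE_A_ORIGINAL, "s3:GetObject", SRC_OBJ, ACCT_A),
        "write_dest_identity_only": evaluate(ROLE_A, ROLE_A_WITH_WRITE, "s3:PutObject", DST_OBJ, ACCT_B),
        "write_dest_bucket_policy_only": evaluate(ROLE_A, ROLE_A_ORIGINAL, "s3:PutObject", DST_OBJ, ACCT_B, BUCKET_B_POLICY),
        "write_dest_both": evaluate(ROLE_A, ROLE_A_WITH_WRITE, "s3:PutObject", DST_OBJ, ACCT_B, BUCKET_B_POLICY),
    }


def bucket_policy_scenario() -> str:
    """Last question: a bucket policy alone grants a same-account role read access."""
    role_xyz = f"arn:aws:iam::{ACCT_B}:role/role_xyz"
    bucket_policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": role_xyz}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"}]}
    no_permissions = {"Version": "2012-10-17", "Statement": []}
    return evaluate(role_xyz, no_permissions, "s3:GetObject", "arn:aws:s3:::mybucket/x", ACCT_B, bucket_policy)
```

Running the scenarios shows the three points in one place: the NotPrincipal deny blocks the role whose identity policy allows lambda:* while leaving that role's other Lambda actions alone; Role-A cannot write Bucket-B with only a bucket policy or only an identity policy, but can with both; and within one account the bucket policy is enough on its own, which is why the answer above can present the role policy and the bucket policy as interchangeable options.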