AWS Lambda Permission
This page shows how to write Terraform and CloudFormation for Lambda Permission, and how to write them securely.
aws_lambda_permission (Terraform)
The Permission in Lambda can be configured in Terraform with the resource name aws_lambda_permission. The following sections describe 1 example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_lambda_permission" "allow_cognito_create" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda_create_challenge.function_name
  principal     = "cognito-idp.amazonaws.com"
  source_arn    = var.cognito_user_pool_arn
}
Security Best Practices for aws_lambda_permission
There are 2 settings in aws_lambda_permission that should be taken care of for security reasons. The following sections give an overview and example code.
Ensure to limit your Lambda function permission as much as possible
To limit the Lambda function permission, set `source_arn` whenever the ARN of the invoking resource can be specified; without it, any resource of that service principal, in any account, could be configured to invoke the function.
Ensure X-Ray tracing for your Lambda function is enabled
It is better to enable X-Ray tracing for your Lambda function. X-Ray tracing provides plenty of information that is useful for handling performance and availability issues.
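As an added example, not taken from the page's GitHub sources: the same S3 trigger permission written first without a source restriction and then restricted with source_arn, source_account and an alias qualifier, on a function with X-Ray tracing enabled. The function, alias and bucket names are placeholders, and aws_iam_role.lambda_exec is assumed to be defined elsewhere.

```hcl
# Added example (not from the page's GitHub sources); all names and ARNs are placeholders.
data "aws_caller_identity" "current" {}

resource "aws_lambda_function" "handler" {
  function_name = "order-events-handler"
  role          = aws_iam_role.lambda_exec.arn # assumed to be defined elsewhere
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "handler.zip"
  publish       = true

  tracing_config {
    mode = "Active" # X-Ray tracing, per the second best practice above
  }
}

resource "aws_lambda_alias" "live" {
  name             = "live"
  function_name    = aws_lambda_function.handler.function_name
  function_version = aws_lambda_function.handler.version
}

# Before: no source restriction. Any account can point an S3 bucket notification
# of its own at this function name and invoke the function.
resource "aws_lambda_permission" "allow_s3_unrestricted" {
  statement_id  = "AllowExecutionFromS3"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.handler.function_name
  principal     = "s3.amazonaws.com"
}

# After: only the named bucket, only from this account, and only through the "live" alias.
# S3 bucket ARNs carry no account id, so source_account is what pins the account.
resource "aws_lambda_permission" "allow_s3_orders_bucket" {
  statement_id   = "AllowExecutionFromOrdersBucket"
  action         = "lambda:InvokeFunction"
  function_name  = aws_lambda_function.handler.function_name
  qualifier      = aws_lambda_alias.live.name
  principal      = "s3.amazonaws.com"
  source_arn     = "arn:aws:s3:::example-orders-bucket"
  source_account = data.aws_caller_identity.current.account_id
}
```

Keep only the restricted resource: the unrestricted one is shown for contrast, and as long as it exists the tighter statement adds nothing, because either Allow statement on its own permits the call.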
Parameters
- action: required - string
- event_source_token: optional - string
- function_name: required - string
- id: optional, computed - string
- principal: required - string
- qualifier: optional - string
- source_account: optional - string
- source_arn: optional - string
- statement_id: optional, computed - string
- statement_id_prefix: optional - string
Explanation in Terraform Registry
Gives an external source (like a CloudWatch Event Rule, SNS, or S3) permission to access the Lambda function.
AWS::Lambda::Permission (CloudFormation)
The Permission in Lambda can be configured in CloudFormation with the resource name AWS::Lambda::Permission. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:invokeFunction
    FunctionName:
      Ref: BizzyCatalogFrontofficeDevAlias
    Principal: apigateway.amazonaws.com

  Type: "AWS::Lambda::Permission"
  Properties:
    FunctionName: "remote-patient-monitoring-postAdminLogin-${self:provider.stage}"
    Action: "lambda:InvokeFunction"
    Principal: "apigateway.amazonaws.com"
PostNurseLoginApiPermission:

  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: !Sub ${buscarServicioArn}
    Principal: apigateway.amazonaws.com
    SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessApi}/*/*/*"

  Type: 'AWS::Lambda::Permission'
  Condition: CreateGlobalResources
  Properties:
    FunctionName:
      Ref: 'EventHandler'
    Action: 'lambda:InvokeFunction'

  Type: AWS::Lambda::Permission
  Properties:
    Action: lambda:InvokeFunction
    FunctionName: "sst-create-job-${opt:stage, self:provider.stage}"
    Principal: "arn:aws:iam::854908244678:role/uwf-slingshot-service-dev-eu-west-1-lambdaRole" # account: viacbs-msc-fulfillment-dev
CoreSSTCreateJobPermissionUWFUat:
{ "LogicalResourceId":"MyApiMyLambdaRequestAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
{ "LogicalResourceId":"MyApiMyLambdaTokenAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
{ "LogicalResourceId":"MyApiProdStage", "ResourceType":"AWS::ApiGateway::Stage" },
{ "LogicalResourceId":"MyCognitoUserPool", "ResourceType":"AWS::Cognito::UserPool" },
{ "LogicalResourceId":"MyCognitoUserPoolTwo", "ResourceType":"AWS::Cognito::UserPool" },
{ "LogicalResourceId":"MyCognitoUserPoolClient", "ResourceType":"AWS::Cognito::UserPoolClient" },
{ "LogicalResourceId":"MyApiMyLambdaRequestAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
{ "LogicalResourceId":"MyApiMyLambdaTokenAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
{ "LogicalResourceId":"MyApiProdStage", "ResourceType":"AWS::ApiGateway::Stage" },
{ "LogicalResourceId":"MyCognitoUserPool", "ResourceType":"AWS::Cognito::UserPool" },
{ "LogicalResourceId":"MyCognitoUserPoolClient", "ResourceType":"AWS::Cognito::UserPoolClient" },
{ "LogicalResourceId":"MyFunction", "ResourceType":"AWS::Lambda::Function" },
  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "Action": "lambda:invokeFunction",
    "Principal": "apigateway.amazonaws.com",
    "FunctionName": {
      "Ref": "MyFunction"
    }
  }

  "Type": "AWS::Lambda::Permission",
  "Properties": {
    "FunctionName": {
      "Ref": "AlDashdailyDashtrafficUnderscorerefreshUnderscore8LambdaFunctionArnParameter"
    },
    "Action": "lambda:InvokeFunction",
Parameters
- Action: required - String
- EventSourceToken: optional - String
- FunctionName: required - String
- Principal: required - String
- SourceAccount: optional - String
- SourceArn: optional - String
Explanation in CloudFormation Registry
The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.

To grant permission to another account, specify the account ID as the Principal. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies.
Frequently asked questions
What is AWS Lambda Permission?
AWS Lambda Permission is a resource for Lambda of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Lambda Permission?
For Terraform, the dwp/aws-analytical-env source code example is useful. See the Terraform Example section for further details.
For CloudFormation, the fadlymahendra/bz-catalog-service, codeforjapan/remote-patient-monitoring-api and marvindaviddiaz/tesis-licenciatura source code examples are useful. See the CloudFormation Example section for further details.