AWS Lambda Permission

This page shows how to write Terraform and CloudFormation for Lambda Permission and write them securely.

aws_lambda_permission (Terraform)

The Permission in Lambda can be configured in Terraform with the resource name aws_lambda_permission. The following sections describe an example of how to use the resource and its parameters.

Example Usage from GitHub

permissions.tf#L1
resource "aws_lambda_permission" "allow_cognito_create" {
  statement_id  = "AllowExecutionFromCognito"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.lambda_create_challenge.function_name
  principal     = "cognito-idp.amazonaws.com"
  # Pin the grant to one user pool so no other account's pool can invoke the function
  source_arn    = var.cognito_user_pool_arn
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_lambda_permission

There are 2 settings related to aws_lambda_permission that should be taken care of for security reasons. The following sections give an overview and example code for each.


Limit your Lambda function permission as much as possible

When `principal` is an AWS service (for example apigateway.amazonaws.com, s3.amazonaws.com or cognito-idp.amazonaws.com), set `source_arn` to the ARN of the specific resource that is allowed to invoke the function, or at least `source_account` to your own account ID. A service-principal grant without either condition lets that service invoke the function on behalf of resources in any AWS account (the confused deputy problem), so any account that can create, for example, an API Gateway integration or an S3 bucket notification pointing at your function ARN could trigger it.


Ensure X-Ray tracing for your Lambda function is enabled

It is better to enable X-Ray tracing for your Lambda function. X-Ray tracing provides plenty of information useful for handling performance and availability issues, and it gives you a per-invocation record of which caller triggered the function. Note that tracing is a property of the function itself, not of the permission: in Terraform it is set with the `tracing_config { mode = "Active" }` block on the `aws_lambda_function` resource that the `aws_lambda_permission` refers to.

Review your AWS Lambda settings

You can check if the aws_lambda_permission setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Gives an external source (like a CloudWatch Event Rule, SNS, or S3) permission to access the Lambda function.

AWS::Lambda::Permission (CloudFormation)

The Permission in Lambda can be configured in CloudFormation with the resource name AWS::Lambda::Permission. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

stack.yml#L97
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:invokeFunction
      FunctionName:
        Ref: BizzyCatalogFrontofficeDevAlias
      Principal: apigateway.amazonaws.com
api-gateway.yml#L7
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName: "remote-patient-monitoring-postAdminLogin-${self:provider.stage}"
      Action: "lambda:InvokeFunction"
      Principal: "apigateway.amazonaws.com"
  PostNurseLoginApiPermission:
api.yml#L59
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Sub ${buscarServicioArn}
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ServerlessApi}/*/*/*"
default-cloudconformity-monitoring.yml#L35
    Type: 'AWS::Lambda::Permission'
    Condition: CreateGlobalResources
    Properties:
      FunctionName:
        Ref: 'EventHandler'
      Action: 'lambda:InvokeFunction'
serverless.yml#L29
      Type: AWS::Lambda::Permission
      Properties:
        Action: lambda:InvokeFunction
        FunctionName: "sst-create-job-${opt:stage, self:provider.stage}"
        Principal: "arn:aws:iam::854908244678:role/uwf-slingshot-service-dev-eu-west-1-lambdaRole" # account: viacbs-msc-fulfillment-dev
    CoreSSTCreateJobPermissionUWFUat:
api_with_authorizers_max.json#L5
  { "LogicalResourceId":"MyApiMyLambdaRequestAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiMyLambdaTokenAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiProdStage", "ResourceType":"AWS::ApiGateway::Stage" },
  { "LogicalResourceId":"MyCognitoUserPool", "ResourceType":"AWS::Cognito::UserPool" },
  { "LogicalResourceId":"MyCognitoUserPoolTwo", "ResourceType":"AWS::Cognito::UserPool" },
  { "LogicalResourceId":"MyCognitoUserPoolClient", "ResourceType":"AWS::Cognito::UserPoolClient" },
api_with_authorizers_max_openapi.json#L5
  { "LogicalResourceId":"MyApiMyLambdaRequestAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiMyLambdaTokenAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiProdStage", "ResourceType":"AWS::ApiGateway::Stage" },
  { "LogicalResourceId":"MyCognitoUserPool", "ResourceType":"AWS::Cognito::UserPool" },
  { "LogicalResourceId":"MyCognitoUserPoolTwo", "ResourceType":"AWS::Cognito::UserPool" },
  { "LogicalResourceId":"MyCognitoUserPoolClient", "ResourceType":"AWS::Cognito::UserPoolClient" },
api_with_authorizers_min.json#L4
  { "LogicalResourceId":"MyApiMyLambdaRequestAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiMyLambdaTokenAuthAuthorizerPermission", "ResourceType":"AWS::Lambda::Permission" },
  { "LogicalResourceId":"MyApiProdStage", "ResourceType":"AWS::ApiGateway::Stage" },
  { "LogicalResourceId":"MyCognitoUserPool", "ResourceType":"AWS::Cognito::UserPool" },
  { "LogicalResourceId":"MyCognitoUserPoolClient", "ResourceType":"AWS::Cognito::UserPoolClient" },
  { "LogicalResourceId":"MyFunction", "ResourceType":"AWS::Lambda::Function" },
api_with_auth_all_maximum.json#L25
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "Action": "lambda:invokeFunction",
        "Principal": "apigateway.amazonaws.com",
        "FunctionName": {
          "Ref": "MyFunction"
cloudformation-template-Permissions-nested-stack.json#L107
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Ref": "AlDashdailyDashtrafficUnderscorerefreshUnderscore8LambdaFunctionArnParameter"
        },
        "Action": "lambda:InvokeFunction",

Parameters

Explanation in CloudFormation Registry

The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.

To grant permission to another account, specify the account ID as the Principal. For AWS services, the principal is a domain-style identifier defined by the service, like s3.amazonaws.com or sns.amazonaws.com. For AWS services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

This resource adds a statement to a resource-based permission policy for the function. For more information about function policies, see Lambda Function Policies.
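The registry text above and the Terraform best practice earlier on this page make the same point: a service-principal grant without SourceArn or SourceAccount is open to any account. The following script is an added example (not Shisho's, AWS's or any of the referenced repositories' code) that audits the resource-based policy such grants end up in. It takes the JSON document returned by `aws lambda get-policy` (or boto3 `get_policy()["Policy"]`) and reports Allow statements whose principal is an AWS service but whose conditions do not pin the source to your own account, including the case where a SourceArn is present but has a wildcard in its account field. The policy document, account IDs and function name below are constructed for the example.

```python
"""Audit a Lambda function's resource-based policy for unscoped service grants."""
import json

# Condition keys that tie a service-principal grant to a specific resource or account.
SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Constructed sample of what get_policy returns after several
# aws_lambda_permission / AWS::Lambda::Permission statements were applied.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {   # scoped: only this API in this account may invoke
            "Sid": "AllowApiGatewayScoped",
            "Effect": "Allow",
            "Principal": {"Service": "apigateway.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-fn",
            "Condition": {"ArnLike": {"AWS:SourceArn":
                          "arn:aws:execute-api:us-east-1:111122223333:abc123/*/*/*"}},
        },
        {   # unscoped: any account's S3 bucket notification could invoke
            "Sid": "AllowS3Unscoped",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-fn",
        },
        {   # SourceArn present, but its account field is a wildcard: still cross-account
            "Sid": "AllowEventsWildcardAccount",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-fn",
            "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:events:*:*:rule/*"}},
        },
        {   # cross-account grant to one AWS account: the principal itself is the scope
            "Sid": "AllowPartnerAccount",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-fn",
        },
    ],
})


def _condition_values(statement, wanted):
    """Collect values of the condition keys in `wanted`, matching keys case-insensitively."""
    found = {}
    for operator_values in statement.get("Condition", {}).values():
        for key, value in operator_values.items():
            if key.lower() in wanted:
                values = value if isinstance(value, list) else [value]
                found.setdefault(key.lower(), []).extend(values)
    return found


def _arn_account(arn):
    """Account field of arn:partition:service:region:account:resource, or None if malformed."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else None


def find_unscoped_service_grants(policy_json, own_account):
    """Return the Sids of Allow statements that let a service principal invoke the
    function without a SourceArn/SourceAccount condition pinned to `own_account`."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(st.get("Sid", "<no Sid>"))  # anonymous access is never scoped
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue  # account/role principals are scoped by identity, not by source
        cond = _condition_values(st, SCOPING_KEYS)
        accounts = set(cond.get("aws:sourceaccount", []))
        accounts |= {_arn_account(a) for a in cond.get("aws:sourcearn", [])}
        # Scoped only if at least one condition pins the source to our own account.
        if own_account not in accounts:
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for sid in find_unscoped_service_grants(SAMPLE_POLICY, "111122223333"):
        print(f"UNSCOPED service grant: {sid}")
```

Run against a real function with `aws lambda get-policy --function-name my-fn --query Policy --output text` piped into `find_unscoped_service_grants`. Each flagged Sid corresponds to one `aws_lambda_permission` (Terraform uses `statement_id`) or `AWS::Lambda::Permission` resource that needs a `source_arn`/`SourceArn` or `source_account`/`SourceAccount` added.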

Frequently asked questions

What is AWS Lambda Permission?

AWS Lambda Permission is a resource for Lambda of Amazon Web Services. Its settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Lambda Permission?

For Terraform, the dwp/aws-analytical-env source code example is useful. See the Terraform Example section for further details.

For CloudFormation, the fadlymahendra/bz-catalog-service, codeforjapan/remote-patient-monitoring-api and marvindaviddiaz/tesis-licenciatura source code examples are useful. See the CloudFormation Example section for further details.