Lambda Function Execution Roles with Inline Policies

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to examine.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab and check the Type column for each IAM policy listed in the Permissions policies section. If the role has one or more customer-inline policies, the IAM execution role associated with the selected Amazon Lambda function is using inline policies.

08 Repeat steps no. 4 – 7 for each Amazon Lambda function created within the current AWS cloud region.

09 Change the AWS cloud region from the navigation bar and repeat the Audit process for the other AWS regions.

01 Run list-functions command (OSX/Linux/UNIX) to list the name of each Amazon Lambda function available in the selected AWS cloud region:

aws lambda list-functions
  --region us-east-1
  --output table
  --query 'Functions[*].FunctionName'

02 The command output should return a table with the requested function name(s):

---------------------------------
|         ListFunctions         |
+-------------------------------+
|  cc-process-stream-function   |
|  cc-dynamo-exporter-function  |
+-------------------------------+

03 Run get-function command (OSX/Linux/UNIX) using the name of the Amazon Lambda function that you want to examine as the identifier parameter, to describe the Amazon Resource Name (ARN) of the IAM execution role associated with the selected function:

aws lambda get-function
  --region us-east-1
  --function-name cc-process-stream-function
  --query 'Configuration.Role'

04 The command output should return the execution role ARN. The Amazon Resource Name (ARN) includes the role name, e.g. "cc-lambda-stream-execution-role":

"arn:aws:iam::123456789012:role/service-role/cc-lambda-stream-execution-role"

05 Run list-role-policies command (OSX/Linux/UNIX) with custom query filters to describe the names of the inline policies associated the Lambda function execution role:

aws iam list-role-policies
  --role-name cc-lambda-stream-execution-role
  --query 'PolicyNames'

06 The command output should return the name of each inline policy associated with the selected IAM role:

[
	"cc-root-inline-policy",
	"cc-custom-inline-policy"
]

07 Repeat steps no. 3 – 6 for each Amazon Lambda function available in the selected AWS cloud region.

08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the Audit process for other AWS regions.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Lambda console at https://console.aws.amazon.com/lambda/.

03 In the left navigation panel, under AWS Lambda, choose Functions.

04 Click on the name (link) of the Amazon Lambda function that you want to configure.

05 Select the Configuration tab and choose Permissions to access the permissions defined for the selected Lambda resource.

06 In the Execution role section, click on the name (link) of the IAM execution role associated with the function, listed under Role name.

07 Select the Permissions tab to access the policies attached to the IAM execution role.

08 In the Permissions policies section, perform the following operations:

1. Select the customer-inline policy that you want to remove from the associated IAM role and choose Remove.
2. Inside the Remove [policy-name] confirmation box, enter the inline policy name in the text input field, and choose Delete to confirm the removal.
3. To attach managed policies, choose Add permissions, Attach policies, and select one or more managed policies that you want to attach to your IAM execution role. Choose Add permissions to apply the permission changes.

09 Repeat steps no. 4 – 8 to reconfigure the IAM execution role for other Amazon Lambda functions available within the current AWS region.

10 Change the AWS region from the navigation bar and repeat the remediation process for the other regions.

01 Run delete-role-policy command (OSX/Linux/UNIX) to remove any customer-inline policies from the associated IAM execution role (the command does not return an output):

aws iam delete-role-policy 
  --role-name cc-lambda-stream-execution-role
  --policy-name cc-root-inline-policy

02 Run attach-role-policy command (OSX/Linux/UNIX) to attach the required managed policies to the IAM execution role associated with your Amazon Lambda function. In the following command request example, the "AWSLambdaMQExecutionRole" managed policy provides permission to read records from an Amazon MQ broker (the command does not produce an output):

aws iam attach-role-policy
  --role-name cc-lambda-stream-execution-role
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaMQExecutionRole

03 Repeat steps no. 1 and 2 to reconfigure the IAM execution role for other Amazon Lambda functions available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 to perform the Remediation process for other AWS regions.