Ensure that the IAM execution roles associated with your Amazon Lambda functions are using customer-managed policies, also known as user-managed policies, to provide fine-grained access control for your Lambda functions.
A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access specific AWS services and resources. For example, a function's execution role can provide the permissions needed to send logs to Amazon CloudWatch Logs or to read events from an Amazon Kinesis data stream or consumer. In most cases, AWS-managed policies are enough to grant access to the commonly used services and resources. However, using customer-managed policies instead of AWS-managed policies for Lambda execution roles gives you fine-grained control over permissions, so access to AWS cloud resources can be tailored to each function. This approach suits complex use cases where AWS-managed policies would be too broad or too limited, granting precisely the permissions required and adhering to the Principle of Least Privilege.
Audit
To determine if the IAM execution roles associated with your Lambda functions are using customer-managed policies, perform the following operations:
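As an added illustration of the check this audit performs (not the page's own procedure or tooling), the script below takes the JSON that `aws iam list-attached-role-policies --role-name <role>` prints for a function's execution role and flags every attached AWS-managed policy. It relies on one property of IAM policy ARNs: AWS-managed policies sit in the pseudo-account `aws` (for example `arn:aws:iam::aws:policy/...`), whereas customer-managed policies carry the owning account ID. The sample JSON and the role and policy names in it are constructed.

```python
import json
import sys

# Constructed sample: what `aws iam list-attached-role-policies` returns for a Lambda
# execution role that mixes AWS-managed and customer-managed policies.
SAMPLE_LIST_ATTACHED_ROLE_POLICIES = json.dumps({
    "AttachedPolicies": [
        {"PolicyName": "AWSLambdaBasicExecutionRole",
         "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"},
        {"PolicyName": "AmazonS3FullAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"},
        {"PolicyName": "OrderProcessorLambdaPolicy",
         "PolicyArn": "arn:aws:iam::123456789012:policy/OrderProcessorLambdaPolicy"},
    ]
})

def role_name_from_arn(role_arn):
    """Role name from the execution role ARN that `aws lambda get-function` reports under
    Configuration.Role; the path (e.g. service-role/) is dropped, as --role-name expects."""
    return role_arn.split(":role/", 1)[1].rsplit("/", 1)[-1]

def classify_policy_arn(arn):
    """Return 'aws-managed' or 'customer-managed' from the ARN's account field.
    ARN layout: arn:<partition>:iam::<account>:policy/<path><name>; AWS-managed policies
    use the pseudo-account 'aws' in every partition (aws, aws-cn, aws-us-gov)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" or not parts[5].startswith("policy/"):
        raise ValueError(f"not an IAM policy ARN: {arn}")
    return "aws-managed" if parts[4] == "aws" else "customer-managed"

def audit_attached_policies(list_attached_role_policies_json):
    """Split the role's attached policies into AWS-managed (non-compliant) and customer-managed."""
    doc = json.loads(list_attached_role_policies_json)
    findings = {"aws-managed": [], "customer-managed": []}
    for policy in doc.get("AttachedPolicies", []):
        findings[classify_policy_arn(policy["PolicyArn"])].append(policy["PolicyArn"])
    return findings

def is_compliant(findings):
    # Compliant only when every attached policy is customer-managed and at least one is attached.
    return not findings["aws-managed"] and bool(findings["customer-managed"])

if __name__ == "__main__":
    # Pass a file holding the CLI's JSON output as the first argument; otherwise use the sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST_ATTACHED_ROLE_POLICIES
    result = audit_attached_policies(raw)
    for arn in result["aws-managed"]:
        print(f"NON-COMPLIANT: AWS-managed policy attached: {arn}")
    print("role compliant" if is_compliant(result) else "role NOT compliant")
```

Inline policies are not returned by `list-attached-role-policies`; if a role also carries them, review those separately (the `delete-role-policy` command listed in the references removes an inline policy).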
Remediation / Resolution
To ensure that the IAM execution role associated with your Amazon Lambda functions is using customer-managed policies only, perform the following operations:
References
- AWS Documentation
- Lambda resource access permissions
- Lambda execution role
- Identity-based IAM policies for Lambda
- Configuring Lambda function options
- AWS Command Line Interface (CLI) Documentation
- list-functions
- get-function
- list-attached-role-policies
- detach-role-policy
- delete-role-policy
- attach-role-policy