Execution Role and Resource based Policy in AWS Lambda

Photo by 2H Media on Unsplash

Execution Role and Resource based Policy in AWS Lambda

AWS Lambda, a serverless computing service provided by Amazon Web Services, allows users to run code in response to specific events without provisioning or managing servers. When it comes to security and permissions, AWS uses IAM (Identity and Access Management) to help control access to resources. Two key concepts related to permissions in AWS Lambda are the "Execution Role" and "Resource-based Policy".

Let's discuss both and then differentiate between them.

1. Lambda Execution Role

An Execution Role is an AWS Identity and Access Management (IAM) role that Lambda assumes when it runs your function. This role grants the function permission to use other AWS services. In essence, it dictates what other AWS services or resources the Lambda function can talk to or use.

Every Lambda function has an execution role. At a minimum, your function needs access to Amazon CloudWatch Logs for log streaming.

For example, if your Lambda function needs to read an item from a DynamoDB table, you would grant permissions to the execution role to allow the action dynamodb:GetItem on the specific DynamoDB table.

Attributes of Execution Role:

  • It's an IAM role.

  • It has a trust policy that trusts the lambda.amazonaws.com service.

  • It has a permissions policy that you define, granting permissions to the resources your function will access.

Use Case for Execution Role: Imagine you've set up a Lambda function that is triggered whenever an image is uploaded to an S3 bucket. This Lambda function processes the image and then stores metadata about the image in a DynamoDB table. The execution role for this Lambda function would need permissions to read from the S3 bucket and write to the DynamoDB table.

2. Resource-based Policy

A Resource-based Policy is attached directly to the Lambda function resource itself, rather than to a user or role. This policy dictates who or what can invoke your Lambda function.

Lambda resources include functions, versions, aliases, and layer versions. When a user tries to access a Lambda resource, Lambda considers both the user's identity-based policies and the resource's resource-based policy. When an AWS service such as Amazon Simple Storage Service (Amazon S3) calls your Lambda function, Lambda considers only the resource-based policy. To manage permissions for users and applications in your account, it is recommended to use an AWS managed policy.

Attributes of Resource-based Policy:

  • It's a policy attached directly to the Lambda resource.

  • It specifies what actions (like lambda:InvokeFunction) are allowed or denied and who can perform these actions.

  • It's useful for granting cross-account permissions or permissions for AWS services to invoke the function.

Use Case for Resource-based Policy: Let's say you want an S3 bucket in a different AWS account to be able to trigger your Lambda function when a new object is uploaded. You would attach a resource-based policy to your Lambda function granting lambda:InvokeFunction permission to that S3 bucket.

Key Differences:

  1. Purpose:

    • Execution Role: Determines what AWS resources/services the Lambda function can access or interact with.

    • Resource-based Policy: Determines who can invoke the Lambda function.

  2. Attachment:

    • Execution Role: An IAM role that is assumed by Lambda.

    • Resource-based Policy: Attached directly to the Lambda function resource.

  3. Typical Use:

    • Execution Role: Granting a Lambda function permissions to access other AWS services/resources (e.g., reading from S3, writing to DynamoDB).

    • Resource-based Policy: Granting other AWS accounts or AWS services (e.g., API Gateway, S3) permission to invoke the Lambda function.

While both the execution role and the resource-based policy are about permissions, they serve different purposes. The execution role controls what your Lambda function can do within AWS, and the resource-based policy controls who can call or invoke your Lambda function.

Examples of execution role and resource based policies for Lambda:

1. Execution Role Policy (IAM Policy):

This policy allows the Lambda function to write logs to Amazon CloudWatch Logs and read objects from a specific S3 bucket named my-s3-bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-s3-bucket/*"
        }
    ]
}

2. Resource-based Policy:

This policy allows an S3 bucket from another AWS account (with account ID 123456789012) to invoke the Lambda function.

{
  "Version": "2012-10-17",
  "Id": "example-resource-based-policy",
  "Statement": [
    {
      "Sid": "AllowInvokeFromSpecificS3Bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:987654321098:function:my-lambda-function",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:s3:::source-s3-bucket-name"
        }
      }
    }
  ]
}

Note:

  1. The IAM role (Execution Role) is usually associated with the Lambda function at the time of its creation or updating and allows the function to access other AWS resources.

  2. The Resource-based policy is attached directly to the Lambda function and governs who can invoke the function. The above example allows the specified S3 bucket in a different account to invoke the Lambda function.

References:

  1. AWS managed policies for AWS Lambda

  2. Lambda resource access permissions

  3. Using resource-based policies for Lambda

  4. Identity-based IAM policies for Lambda

  5. Lambda execution role

  6. AWS Lambda Permissions: Execution Role and Resource-based Policies