Serverless

Lambda

Policies

Function policy	Defines which AWS resources are allowed to invoke your function
Execution role	Defines which AWS resources your function can access At minimum CloudWatch logs creategroup/createstream/putevents Potentially also XRay write, SQS/Kinesis/dynamodb read to get the event data
Resource policies	Resources: functions, their versions and aliases, and layer versions arn:aws:lambda:region:123456789012:function:my-function arn:aws:lambda:region:123456789012:function:my-function:1: version arn:aws:lambda:region:123456789012:function:my-function:TEST: alias Use to give other services and other accounts permission to use them The console updates function policies automatically when you add a trigger to give the triggering service access
Identity policies	To give users the ability to create functions with limited permissions, constrain what roles they can iam:PassRole on To give users the ability to add resource permissions to functions so they can be invoked, but only from specific sources

Other

Integrity

• Code Signing allows to configure Lambda functions to only accept signed code on deployment (TF module)

VPC access

• Can access resources in a VPC if subnet and security group is specified
• No internet access unless there is a NAT in the VPC
• No AWS service access unless there is internet access or VPC gateways
• Role needs ability to create network interfaces in each subnet (and VPC must have ENI capacity & subnets must have spare IPs)

---

1. Anatomy of AWS Lambda ↩

2. Access Keys in AWS Lambda ↩

3. A visual introduction to AWS Lambda permissions ↩

4. Security Overview of AWS Lambda ↩