When you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Lambda API operation, the corresponding action for which you can grant permission to perform that operation, the AWS resource for which you can grant the permission, and the condition keys available for specific API actions. You specify the actions in the policy's Action field, the resource value in the policy's Resource field, and a condition key in the policy's Condition field.
To specify an action, use the lambda: prefix followed by the API operation name (for example, lambda:CreateFunction).
Note

Permissions for the AWS Lambda Invoke API in the following table can also be granted by using resource-based policies. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies).
You can use AWS-wide condition keys in your AWS Lambda policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.
AWS Lambda also offers predefined condition keys for a limited set of API operations. For example, you can:

- Restrict access based on the Lambda function ARN (Amazon Resource Name) for the following operations:
  - CreateEventSourceMapping
  - DeleteEventSourceMapping
  - UpdateEventSourceMapping
  The following is an example policy that applies this condition (the policy document needs its enclosing braces, and the lambda:FunctionArn value its closing quote, to be valid JSON):

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "DeleteEventSourceMappingPolicy",
        "Effect": "Allow",
        "Action": ["lambda:DeleteEventSourceMapping"],
        "Resource": "arn:aws:lambda:region:account-id:event-source-mapping:UUID",
        "Condition": {
          "StringEquals": {
            "lambda:FunctionArn": "arn:aws:lambda:region:account-id:function:function-name"
          }
        }
      }
    ]
  }
  ```
- Restrict the AddPermission and RemovePermission operations based on the AWS service principal being granted or revoked:
  - AddPermission
  - RemovePermission

  The following is an example policy that applies this condition (shown here as a complete, valid JSON document):

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AddPermissionPolicy",
        "Effect": "Allow",
        "Action": ["lambda:AddPermission"],
        "Resource": "arn:aws:lambda:region:account-id:function:function-name",
        "Condition": {
          "StringEquals": {
            "lambda:Principal": "s3.amazonaws.com"
          }
        }
      }
    ]
  }
  ```
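To see what the two condition keys actually do at evaluation time, here is an added example (not code from the AWS documentation) that implements just enough of IAM's evaluation logic to exercise the two policies above: Allow statements, Action and Resource wildcards, and the StringEquals operator on lambda:FunctionArn and lambda:Principal. The request context is the caller-supplied dictionary; the region, account-id, function-name and UUID values are the page's own placeholders, and other-function and the sns.amazonaws.com principal are constructed for the negative cases. It is deliberately not a full IAM engine: Deny, NotAction, policy variables and other condition operators are unsupported and raise rather than guess.

```python
"""Minimal evaluator for the two Lambda policy examples above.

Added example, not AWS code: supports Allow statements, Action/Resource
wildcards and the StringEquals condition operator only. Anything else
raises NotImplementedError so a gap is never silently treated as Allow.
"""
import fnmatch
import json

# The two policies shown above, completed into valid JSON documents. The
# region / account-id / function-name / UUID values are the page's own
# placeholders, not real identifiers.
DELETE_ESM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DeleteEventSourceMappingPolicy",
    "Effect": "Allow",
    "Action": ["lambda:DeleteEventSourceMapping"],
    "Resource": "arn:aws:lambda:region:account-id:event-source-mapping:UUID",
    "Condition": {"StringEquals": {
      "lambda:FunctionArn": "arn:aws:lambda:region:account-id:function:function-name"}}
  }]
}""")

ADD_PERMISSION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AddPermissionPolicy",
    "Effect": "Allow",
    "Action": ["lambda:AddPermission"],
    "Resource": "arn:aws:lambda:region:account-id:function:function-name",
    "Condition": {"StringEquals": {"lambda:Principal": "s3.amazonaws.com"}}
  }]
}""")


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' and '?' wildcards are allowed in the pattern.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _conditions_hold(condition, context):
    """Every operator/key pair must hold. A key that is absent from the
    request context makes StringEquals evaluate to false, as in IAM."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, expected in pairs.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches the action, resource and context."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(_as_list(stmt.get("Action")), action):
            continue
        if not _resource_matches(_as_list(stmt.get("Resource")), resource):
            continue
        if _conditions_hold(stmt.get("Condition"), context):
            return True
    return False


if __name__ == "__main__":
    esm = "arn:aws:lambda:region:account-id:event-source-mapping:UUID"
    fn = "arn:aws:lambda:region:account-id:function:function-name"
    other_fn = "arn:aws:lambda:region:account-id:function:other-function"  # constructed
    # Only a mapping whose function ARN equals the one in the condition is deletable.
    print(is_allowed(DELETE_ESM_POLICY, "lambda:DeleteEventSourceMapping", esm,
                     {"lambda:FunctionArn": fn}))        # True
    print(is_allowed(DELETE_ESM_POLICY, "lambda:DeleteEventSourceMapping", esm,
                     {"lambda:FunctionArn": other_fn}))  # False
    # Only the S3 service principal can be named in an AddPermission call.
    print(is_allowed(ADD_PERMISSION_POLICY, "lambda:AddPermission", fn,
                     {"lambda:Principal": "s3.amazonaws.com"}))   # True
    print(is_allowed(ADD_PERMISSION_POLICY, "lambda:AddPermission", fn,
                     {"lambda:Principal": "sns.amazonaws.com"}))  # False
```

The third case worth noting is a request that carries no lambda:FunctionArn key at all: StringEquals then evaluates to false and the statement does not apply, which is why a condition on these keys narrows the grant rather than widening it.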
AWS Lambda API and Required Permissions for Actions
| API Actions | Resources | Condition Key |
|---|---|---|
| API: AddLayerVersionPermission; Required Permission: lambda:AddLayerVersionPermission | arn:aws:lambda:region:account-id:layer:layer-name:1 | N/A |
| API: AddPermission; Required Permission: lambda:AddPermission | arn:aws:lambda:region:account-id:function:function-name | lambda:Principal |
| API: CreateAlias; Required Permission: lambda:CreateAlias | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: CreateEventSourceMapping; Required Permission: lambda:CreateEventSourceMapping | * | lambda:FunctionArn |
| API: CreateFunction; Required Permission: lambda:CreateFunction | arn:aws:lambda:region:account-id:function:function-name | lambda:Layer |
| API: DeleteAlias; Required Permission: lambda:DeleteAlias | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: DeleteEventSourceMapping; Required Permission: lambda:DeleteEventSourceMapping | arn:aws:lambda:region:account-id:event-source-mapping:UUID | lambda:FunctionArn |
| API: DeleteFunction; Required Permission: lambda:DeleteFunction | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: DeleteLayerVersion; Required Permission: lambda:DeleteLayerVersion | arn:aws:lambda:region:account-id:layer:layer-name:1 | N/A |
| API: GetAccountSettings; Required Permission: lambda:GetAccountSettings | * | N/A |
| API: GetAlias; Required Permission: lambda:GetAlias | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: GetEventSourceMapping; Required Permission: lambda:GetEventSourceMapping | * | N/A |
| API: GetFunction; Required Permission: lambda:GetFunction | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: GetFunctionConfiguration; Required Permission: lambda:GetFunctionConfiguration | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: GetLayerVersion; Required Permission: lambda:GetLayerVersion | arn:aws:lambda:region:account-id:layer:layer-name:1 | aws:PrincipalOrgID |
| API: GetLayerVersionPolicy; Required Permission: lambda:GetLayerVersionPolicy | arn:aws:lambda:region:account-id:layer:layer-name:1 | N/A |
| API: GetPolicy; Required Permission: lambda:GetPolicy | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: Invoke; Required Permission: lambda:InvokeFunction | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: ListAliases; Required Permission: lambda:ListAliases | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: ListEventSourceMappings; Required Permission: lambda:ListEventSourceMappings | * | N/A |
| API: ListFunctions; Required Permission: lambda:ListFunctions | * | N/A |
| API: ListLayers; Required Permission: lambda:ListLayers | * | N/A |
| API: ListLayerVersions; Required Permission: lambda:ListLayerVersions | * | N/A |
| API: ListTags; Required Permission: lambda:ListTags | * | N/A |
| API: ListVersionsByFunction; Required Permission: lambda:ListVersionsByFunction | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: PublishVersion; Required Permission: lambda:PublishVersion | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: PublishLayerVersion; Required Permission: lambda:PublishLayerVersion | arn:aws:lambda:region:account-id:layer:layer-name | N/A |
| API: RemoveLayerVersionPermission; Required Permission: lambda:RemoveLayerVersionPermission | arn:aws:lambda:region:account-id:layer:layer-name:1 | N/A |
| API: RemovePermission; Required Permission: lambda:RemovePermission | arn:aws:lambda:region:account-id:function:function-name | lambda:Principal |
| API: TagResource; Required Permission: lambda:TagResource | * | N/A |
| API: UntagResource; Required Permission: lambda:UntagResource | * | N/A |
| API: UpdateAlias; Required Permission: lambda:UpdateAlias | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: UpdateEventSourceMapping; Required Permission: lambda:UpdateEventSourceMapping | arn:aws:lambda:region:account-id:event-source-mapping:UUID | lambda:FunctionArn |
| API: UpdateFunctionCode; Required Permission: lambda:UpdateFunctionCode | arn:aws:lambda:region:account-id:function:function-name | N/A |
| API: UpdateFunctionConfiguration; Required Permission: lambda:UpdateFunctionConfiguration | arn:aws:lambda:region:account-id:function:function-name | lambda:Layer |