brasskazoo

Reputation: 78986

AWS Lambda - Is it possible to restrict an IAM role to create functions with a particular prefix?

I'm adding an IAM role for a SaaS vendor, who has read-only access except for the ability to create Lambda functions.

Initially they requested a broad set of permissions for Lambda:

"Statement": [
  {
    "Action": [
      "lambda:CreateFunction",
      "lambda:DeleteFunction",
      "lambda:InvokeFunction",
      "lambda:UpdateFunctionCode",
      "lambda:UpdateFunctionConfiguration"
    ],
    "Effect": "Allow",
    "Resource": "*"
  },

I am uncomfortable with allowing this kind of access over resources they don't own, i.e. our business-critical functions.

When I raised this with them, they said that all their functions will be prefixed with their company name (e.g. company_prefix), so I thought I might be able to do this:

...
"Resource": "arn:aws:lambda::<account>:function:company_prefix*"
...

But reviewing the policy in the console editor suggests a problem: [screenshot: IAM Policy Editor]

Is this not going to work? Is it possible to restrict Lambda function permissions in this way?

Upvotes: 1

Views: 1460

Answers (1)

jarmod

Reputation: 78908

Yes, IAM does support resource-level permissions for Lambda.

I tested a variant of your policy on a new IAM user. For Lambda function names matching the wildcard, I was successful. For non-matching function names I got AccessDeniedException.

I did not test all the listed Lambda actions (just GetFunctionConfiguration because it was simple to test) so please test that this does what you need.

Note: when you test this you will need to be patient as IAM policy changes do not always take effect immediately.

Upvotes: 3
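As an added illustration of the answer (editor's example, not code from either poster), the policy below is the question's statement with the resource ARN filled in completely. The ARN in the question leaves the region segment empty (`arn:aws:lambda::<account>:function:...`); a Lambda function ARN has the form `arn:aws:lambda:<region>:<account-id>:function:<name>`, and a pattern with an empty region segment matches no real function ARN, which is consistent with the console editor complaining. The evaluator is a deliberately minimal model of IAM's matching rules (`*` matches any run of characters, `?` one character, action names compared case-insensitively, explicit Deny beats Allow, otherwise implicit deny); it is not boto3 or the IAM policy simulator, and the region `us-east-1`, account `123456789012` and function names are placeholders. It shows prefix-matched names being allowed, other names denied, and also that a region-pinned ARN denies the same name in another region, and that a list-type action such as `lambda:ListFunctions`, which only works against `Resource: "*"`, is not granted by this statement at all.

```python
import re

# Constructed policy for illustration: the question's statement with every ARN
# segment filled in. Region and account are placeholders.
REGION = "us-east-1"
ACCOUNT = "123456789012"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "lambda:GetFunctionConfiguration",
            ],
            "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:company_prefix*",
        }
    ],
}


def function_arn(name, region=REGION, account=ACCOUNT):
    """Build a Lambda function ARN from its parts (hypothetical helper)."""
    return f"arn:aws:lambda:{region}:{account}:function:{name}"


def iam_pattern(pattern, case_insensitive):
    """Compile an IAM-style glob to an anchored regex.

    In IAM policies '*' matches any sequence of characters (including ':' and
    '/') and '?' matches exactly one character; nothing else is special.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.compile(f"^{escaped}$", flags)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Minimal IAM-style decision for one action/resource pair.

    Explicit Deny wins over any Allow; with no matching statement the request
    is implicitly denied. Action names are case-insensitive, ARNs are not.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            iam_pattern(a, True).match(action) for a in _as_list(stmt.get("Action", []))
        )
        resource_hit = any(
            iam_pattern(r, False).match(resource_arn)
            for r in _as_list(stmt.get("Resource", []))
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed requests a vendor role (or an auditor) might want to check.
CHECKS = [
    ("lambda:CreateFunction", function_arn("company_prefix-ingest")),
    ("lambda:UpdateFunctionCode", function_arn("company_prefix")),
    ("lambda:DeleteFunction", function_arn("billing-critical")),
    ("lambda:InvokeFunction", function_arn("company_prefix-ingest", region="eu-west-1")),
    ("lambda:InvokeFunction", function_arn("company_prefix-ingest", account="999999999999")),
    ("lambda:ListFunctions", "*"),
]


def evaluate_all(policy=POLICY, checks=CHECKS):
    """Return {(action, arn): allowed} for every check; used by main() and tests."""
    return {(action, arn): is_allowed(policy, action, arn) for action, arn in checks}


def main():
    for (action, arn), allowed in evaluate_all().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {action:38} {arn}")


if __name__ == "__main__":
    main()
```

Running the block prints one decision per line; only the two `company_prefix*` names in the policy's own region and account are allowed. If the vendor also needs to list functions, that must be a separate statement with `Resource: "*"`, because list actions do not accept a function ARN. The real check is still the one the answer recommends: test the role against your actual account, since this model ignores conditions, permission boundaries, SCPs and resource policies.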
