Pedro Morgado

Reputation: 13

AWS Lambda - invoke restrictions

How can I make sure that only a specific EC2 instance (or at least an instance inside a specific VPC or AWS account) can call a lambda I have in the same account?

Upvotes: 0

Views: 948

Answers (3)

LiMuBei

Reputation: 3078

I think this would be a use case for a resource based policy: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html

This allows you to define who can invoke the Lambda function. So you should be able to use your account as the principal to achieve what you want.

Upvotes: 0

John Rotenstein

Reputation: 269101

The ability to invoke an AWS Lambda function can be configured in IAM.

By default, nobody has permission to do anything, so you would need to grant the permission to the IAM Role associated with the instance.

However, if you have other IAM Users or IAM Roles that have wide permissions for Lambda (e.g. lambda:*), then they would also be able to invoke the Lambda function. I am not aware of a permission you can put on the Lambda function itself to override such widely-granted permissions.

I took a look at the context that is passed to a Lambda function, but it doesn't seem to identify the entity that invoked the function. That means the function itself can't check the caller's identity either.

Upvotes: 2
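To make the two answers above concrete, here is an added example (not code from the thread or from AWS) that models the same-account evaluation rule: a resource-based policy on the function naming the instance role as principal, next to an identity-based lambda:* grant on another role. All ARNs and role names are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (explicit Deny wins, otherwise an Allow in either policy suffices).

```python
from fnmatch import fnmatch

# Constructed placeholder ARNs; replace with your own account, region and names.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
INSTANCE_ROLE = "arn:aws:iam::123456789012:role/my-ec2-instance-role"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/lambda-admin"
OTHER_ROLE = "arn:aws:iam::123456789012:role/unrelated-app"

# Resource-based policy on the function: the shape `aws lambda add-permission`
# creates when --principal is the instance role ARN and --action is InvokeFunction.
RESOURCE_POLICY = [{
    "Effect": "Allow",
    "Principal": {"AWS": INSTANCE_ROLE},
    "Action": "lambda:InvokeFunction",
    "Resource": FUNCTION_ARN,
}]

# Identity-based policies attached to each role. The instance role carries no
# Lambda grant of its own; the admin role has the broad lambda:* grant.
IDENTITY_POLICIES = {
    INSTANCE_ROLE: [],
    ADMIN_ROLE: [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
    OTHER_ROLE: [],
}


def _aslist(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """Wildcard match of a statement's Action and Resource (IAM uses * and ?)."""
    return any(fnmatch(action, a) for a in _aslist(stmt["Action"])) and \
        any(fnmatch(resource, r) for r in _aslist(stmt["Resource"]))


def can_invoke(principal_arn, action="lambda:InvokeFunction", resource=FUNCTION_ARN):
    """Simplified same-account evaluation: an explicit Deny anywhere wins; otherwise
    an Allow in EITHER the caller's identity policy OR the function's resource policy
    is enough, which is why a lambda:* role can still invoke the function."""
    applicable = [s for s in IDENTITY_POLICIES.get(principal_arn, []) if _matches(s, action, resource)]
    applicable += [s for s in RESOURCE_POLICY
                   if _matches(s, action, resource)
                   and principal_arn in _aslist(s["Principal"].get("AWS", []))]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False
    return any(s["Effect"] == "Allow" for s in applicable)


if __name__ == "__main__":
    for role in (INSTANCE_ROLE, ADMIN_ROLE, OTHER_ROLE):
        print(role.rsplit("/", 1)[1], "->", "allowed" if can_invoke(role) else "denied")
```

Running it shows the instance role and the lambda:* admin role both allowed and the unrelated role denied, matching the caveat that a resource-based policy cannot override wide identity-based grants.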

BTL

Reputation: 4656

You can put your Lambda function behind a private API in Amazon API Gateway.

Documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

Using Amazon API Gateway, you can create private REST APIs that can only be accessed from your virtual private cloud in Amazon VPC by using an interface VPC endpoint. This is an endpoint network interface that you create in your VPC.

Upvotes: 0
