Working with resource-based IAM policies in Lambda

Lambda supports resource-based permissions policies for Lambda functions and layers. You can use resource-based policies to grant access to other AWS accounts, organizations, or services. Resource-based policies apply to a single function, version, alias, or layer version.

Console

To view a function's resource-based policy

Open the Functions page of the Lambda console.
Choose a function.
Choose Configuration and then choose Permissions.

Scroll down to Resource-based policy and then choose View policy document. The resource-based policy shows the permissions that are applied when another account or AWS service attempts to access the function. The following example shows a statement that allows Amazon S3 to invoke a function named my-function for a bucket named amzn-s3-demo-bucket in account 123456789012.

Example Resource-based policy


{
    "Version": "2012-10-17",
    "Id": "default",
    "Statement": [
        {
            "Sid": "lambda-allow-s3-my-function",
            "Effect": "Allow",
            "Principal": {
              "Service": "s3.amazonaws.com"
            },
            "Action": "lambda:InvokeFunction",
            "Resource":  "arn:aws:lambda:us-east-2:123456789012:function:my-function",
            "Condition": {
              "StringEquals": {
                "AWS:SourceAccount": "123456789012"
              },
              "ArnLike": {
                "AWS:SourceArn": "arn:aws:s3:::amzn-s3-demo-bucket"
              }
            }
        }
     ]
}

AWS CLI

To view a function's resource-based policy, use the get-policy command.


aws lambda get-policy \
  --function-name my-function \
  --output text

You should see the following output:


{"Version":"2012-10-17","Id":"default","Statement":[{"Sid":"sns","Effect":"Allow","Principal":{"Service":"s3.amazonaws.com"},"Action":"lambda:InvokeFunction","Resource":"arn:aws:lambda:us-east-2:123456789012:function:my-function","Condition":{"ArnLike":{"AWS:SourceArn":"arn:aws:sns:us-east-2:123456789012:lambda*"}}}]}      7c681fc9-b791-4e91-acdf-eb847fdaa0f0

For versions and aliases, append the version number or alias to the function name.


aws lambda get-policy --function-name my-function:PROD

To remove permissions from your function, use remove-permission.


aws lambda remove-permission \
  --function-name example \
  --statement-id sns

Use the get-layer-version-policy command to view the permissions on a layer.


aws lambda get-layer-version-policy \
  --layer-name my-layer \
  --version-number 3 \
  --output text

You should see the following output:

b0cd9796-d4eb-4564-939f-de7fe0b42236    {"Sid":"engineering-org","Effect":"Allow","Principal":"*","Action":"lambda:GetLayerVersion","Resource":"arn:aws:lambda:us-west-2:123456789012:layer:my-layer:3","Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-t194hfs8cz"}}}"

Use remove-layer-version-permission to remove statements from the policy.


aws lambda remove-layer-version-permission --layer-name my-layer --version-number 3 --statement-id engineering-org

Supported API actions

The following Lambda API actions support resource-based policies:

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Layer access

Function access for AWS services