AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Lambda

AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Lambda

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
| --- | --- | --- | --- | --- | --- |
| AddPermission | Adds a permission to the resource policy associated with the specified AWS Lambda function. | Permissions management | function* | | |
| CreateAlias | Creates an alias that points to the specified Lambda function version. | Write | function* | | |
| CreateEventSourceMapping | Identifies a stream as an event source for a Lambda function. | Write | | | |
| CreateFunction | Creates a new Lambda function. | Write | | | |
| DeleteAlias | Deletes the specified Lambda function alias. | Write | function* | | |
| DeleteEventSourceMapping | Removes an event source mapping. | Write | | | |
| DeleteFunction | Deletes the specified Lambda function code and configuration. | Write | function* | | |
| DeleteFunctionConcurrency | Removes the concurrency limit set on a Lambda function. | Write | function* | | |
| EnableReplication | Adds a permission to the resource policy that gives the Lambda replication service permission to get function code and configuration. | Permissions management | function* | | |
| GetAccountSettings | Returns account limits and usage statistics, such as concurrency and code storage. | Read | | | |
| GetAlias | Returns the specified alias information, such as the alias ARN, description, and function version it is pointing to. | Read | function* | | |
| GetEventSourceMapping | Returns configuration information for the specified event source mapping. | Read | | | |
| GetFunction | Returns the configuration information of the Lambda function and a presigned URL link to the .zip file you uploaded with CreateFunction so you can download the .zip file. | Read | function* | | |
| GetFunctionConfiguration | Returns the configuration information of the Lambda function. | Read | function* | | |
| GetPolicy | Returns the resource policy associated with the specified Lambda function. | Read | function* | | |
| InvokeAsync | Submits an invocation request to AWS Lambda. Deprecated. | Write | function* | | |
| InvokeFunction | Invokes a specific Lambda function. | Write | function* | | |
| ListAliases | Returns a list of aliases created for a Lambda function. | List | function* | | |
| ListEventSourceMappings | Returns a list of event source mappings you created using CreateEventSourceMapping. | List | | | |
| ListFunctions | Returns a list of your Lambda functions. | List | | | |
| ListTags | Lists tags for a Lambda function. | Read | function* | | |
| ListVersionsByFunction | Lists all versions of a function. | List | function* | | |
| PublishVersion | Publishes a version of your function from the current snapshot of $LATEST. | Write | function* | | |
| PutFunctionConcurrency | Adds a concurrency limit to a Lambda function. | Write | function* | | |
| RemovePermission | Removes individual permissions from a resource policy associated with a Lambda function, identified by the statement ID that you provided when you added the permission. | Permissions management | function* | | |
| TagResource | Adds tags to a Lambda function. | Write | function* | | |
| UntagResource | Removes tags from a Lambda function. | Write | function* | | |
| UpdateAlias | Updates the function version to which the alias points and the alias description. | Write | function* | | |
| UpdateEventSourceMapping | Updates an event source mapping. | Write | | | |
| UpdateFunctionCode | Updates the code for the specified Lambda function. | Write | function* | | |
| UpdateFunctionConfiguration | Updates the configuration parameters for the specified Lambda function by using the values provided in the request. | Write | function* | | |

Resources Defined by Lambda

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
| --- | --- | --- |
| function | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName} | |
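
The following is an added example, not part of the AWS documentation: a small Python check that applies the Actions and Resource Types tables above to the Allow statements of a policy. It reports grants of "Permissions management" actions, function-scoped actions granted on Resource "*", and actions with no listed resource type that were scoped to an ARN. The action sets are transcribed from this page's table; the sample policy, account ID and function name are constructed.

```python
import fnmatch

# Transcribed from this page's Actions table: actions listing "function*".
FUNCTION_SCOPED = set("""
    AddPermission CreateAlias DeleteAlias DeleteFunction DeleteFunctionConcurrency
    EnableReplication GetAlias GetFunction GetFunctionConfiguration GetPolicy
    InvokeAsync InvokeFunction ListAliases ListTags ListVersionsByFunction
    PublishVersion PutFunctionConcurrency RemovePermission TagResource
    UntagResource UpdateAlias UpdateFunctionCode UpdateFunctionConfiguration""".split())
# Actions for which the table lists no resource type.
NO_RESOURCE_TYPE = set("""
    CreateEventSourceMapping CreateFunction DeleteEventSourceMapping
    GetAccountSettings GetEventSourceMapping ListEventSourceMappings
    ListFunctions UpdateEventSourceMapping""".split())
# Actions whose Access Level column reads "Permissions management".
PERMISSIONS_MGMT = {"AddPermission", "EnableReplication", "RemovePermission"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement index, action, finding) tuples for Allow statements.
    Assumptions: NotAction/NotResource are ignored; only a bare "*" is unscoped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        # Action names match case-insensitively; a bare "*" covers every service.
        patterns = ["lambda:*" if p == "*" else p.lower()
                    for p in _as_list(stmt.get("Action", []))]
        for action in sorted(FUNCTION_SCOPED | NO_RESOURCE_TYPE):
            full = f"lambda:{action}".lower()
            if not any(fnmatch.fnmatchcase(full, p) for p in patterns):
                continue
            if action in PERMISSIONS_MGMT:
                findings.append((idx, action, "PERMISSIONS_MANAGEMENT"))
            if action in FUNCTION_SCOPED and wildcard:
                findings.append((idx, action, "UNSCOPED_RESOURCE"))
            if action in NO_RESOURCE_TYPE and not wildcard:
                findings.append((idx, action, "NEEDS_WILDCARD_RESOURCE"))
    return findings

# Constructed sample policy (placeholder account ID and function name).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:InvokeFunction", "lambda:List*"],
     "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"},
    {"Effect": "Allow", "Action": "lambda:*Permission", "Resource": "*"},
]}
```

On the sample, `lambda:List*` scoped to one function ARN is reported because ListFunctions and ListEventSourceMappings list no resource type, and `lambda:*Permission` on `"*"` is reported as an unscoped grant of resource-policy editing.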

Condition Keys for AWS Lambda

Lambda has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.