AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Lambda

AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Lambda

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AddLayerVersionPermission | Adds a permission policy to a version of a function layer. | Permissions management | layerVersion* | - | -
AddPermission | Adds a permission to the resource policy associated with the specified AWS Lambda function. | Permissions management | function* | lambda:Principal | -
CreateAlias | Creates an alias that points to the specified Lambda function version. | Write | function* | - | -
CreateEventSourceMapping | Identifies a stream as an event source for a Lambda function. | Write | - | lambda:FunctionArn | -
CreateFunction | Creates a new Lambda function. | Write | function* | lambda:Layer | -
DeleteAlias | Deletes the specified Lambda function alias. | Write | function* | - | -
DeleteEventSourceMapping | Removes an event source mapping. | Write | eventSourceMapping* | lambda:FunctionArn | -
DeleteFunction | Deletes the specified Lambda function code and configuration. | Write | function* | - | -
DeleteFunctionConcurrency | Removes the concurrency limit set on a Lambda function. | Write | function* | - | -
DeleteLayerVersion | Deletes a version of a function layer. | Write | layerVersion* | - | -
EnableReplication | Adds a permission to the resource policy that gives the Lambda replication service permission to get function code and configuration. | Permissions management | function* | - | -
GetAccountSettings | Returns account limits and usage statistics, such as concurrency and code storage. | Read | - | - | -
GetAlias | Returns the specified alias information, such as the alias ARN, description, and the function version it points to. | Read | function* | - | -
GetEventSourceMapping | Returns configuration information for the specified event source mapping. | Read | eventSourceMapping* | lambda:FunctionArn | -
GetFunction | Returns the configuration information of the Lambda function and a presigned URL to the .zip file you uploaded with CreateFunction, so you can download the .zip file. | Read | function* | - | -
GetFunctionConfiguration | Returns the configuration information of the Lambda function. | Read | function* | - | -
GetLayerVersion | Returns information about a version of a function layer, with a link to download the layer archive that is valid for 10 minutes. | Read | layerVersion* | - | -
GetLayerVersionPolicy | Returns the permissions policy for a layer version. | Read | layerVersion* | - | -
GetPolicy | Returns the resource policy associated with the specified Lambda function. | Read | function* | - | -
InvokeAsync | Submits an invocation request to AWS Lambda. Deprecated. | Write | function* | - | -
InvokeFunction [permission only] | Invokes a specific Lambda function. | Write | function* | - | -
ListAliases | Returns the list of aliases created for a Lambda function. | List | function* | - | -
ListEventSourceMappings | Returns a list of event source mappings you created using CreateEventSourceMapping. | List | - | - | -
ListFunctions | Returns a list of your Lambda functions. | List | - | - | -
ListLayerVersions | Returns a list of your Lambda layer versions. | List | - | - | -
ListLayers | Lists function layers and shows information about the latest version of each. | List | - | - | -
ListTags | Lists tags for a Lambda function. | Read | function* | - | -
ListVersionsByFunction | Lists all versions of a function. | List | function* | - | -
PublishLayerVersion | Creates a function layer from a ZIP archive. Each time you call PublishLayerVersion with the same layer name, a new version is created. | Write | layer* | - | -
PublishVersion | Publishes a version of your function from the current snapshot of $LATEST. | Write | function* | - | -
PutFunctionConcurrency | Adds a concurrency limit to a Lambda function. | Write | function* | - | -
RemoveLayerVersionPermission | Removes a statement from the permissions policy for a layer version. | Permissions management | layerVersion* | - | -
RemovePermission | Removes an individual permission from the resource policy associated with a Lambda function, identified by the statement ID you provided when you added the permission. | Permissions management | function* | lambda:Principal | -
TagResource | Adds tags to a Lambda function. | Write | function* | - | -
UntagResource | Removes tags from a Lambda function. | Write | function* | - | -
UpdateAlias | Updates the function version to which the alias points and the alias description. | Write | function* | - | -
UpdateEventSourceMapping | Updates an event source mapping. | Write | eventSourceMapping* | lambda:FunctionArn | -
UpdateFunctionCode | Updates the code for the specified Lambda function. | Write | function* | - | -
UpdateFunctionConfiguration | Updates the configuration parameters for the specified Lambda function using the values provided in the request. | Write | function* | lambda:Layer | -

An action marked [permission only] has no API operation of the same name: lambda:InvokeFunction is the permission checked when a function is invoked through the Invoke API, and it is the action that resource policies grant to other accounts and services. Actions at the Permissions management access level (AddPermission, RemovePermission, EnableReplication, and the layer version permission actions) change who may invoke or read a function or layer, so they deserve the tightest resource scoping and, where available, a condition key.
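A check that pairs with the GetPolicy and AddPermission entries above: parse a GetPolicy response and flag Allow statements that let anonymous or cross-account principals invoke the function. This is added example code, not part of the AWS reference page; the response body, ARNs, account IDs and statement IDs are constructed placeholders, and the severity labels are the example's own convention.

```python
import json

# Constructed sample in the shape the Lambda GetPolicy API returns:
# {"Policy": "<JSON-encoded resource policy>", "RevisionId": "..."}.
# Account IDs, ARNs and statement IDs are placeholders, not real resources.
SAMPLE_GET_POLICY_RESPONSE = {
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Id": "default",
        "Statement": [
            {   # typical AddPermission grant for an API Gateway trigger, scoped by SourceArn
                "Sid": "apigw-invoke",
                "Effect": "Allow",
                "Principal": {"Service": "apigateway.amazonaws.com"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
                "Condition": {"ArnLike": {"AWS:SourceArn":
                    "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5/*/GET/orders"}},
            },
            {   # AddPermission with Principal "*": anyone may invoke the function
                "Sid": "public-invoke",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
            },
            {   # cross-account grant to another account's root principal
                "Sid": "partner-account",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders",
            },
        ],
    }),
    "RevisionId": "00000000-0000-0000-0000-000000000000",
}

# Actions that allow invocation; lambda:* and * are wildcards that include it.
INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}


def as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_account(arn):
    """Account field of an ARN (arn:partition:service:region:account:...)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else None


def principal_is_anonymous(principal):
    """True when the Principal element grants access to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS"))


def foreign_accounts(principal, own_account):
    """Account IDs named in Principal.AWS that differ from the function's own."""
    if not isinstance(principal, dict):
        return []
    found = set()
    for entry in as_list(principal.get("AWS")):
        if entry == "*":
            continue
        acct = arn_account(entry) if entry.startswith("arn:") else entry
        if acct and acct != own_account:
            found.add(acct)
    return sorted(found)


def audit_resource_policy(get_policy_response):
    """Return findings for Allow statements in a GetPolicy response that let
    anonymous or cross-account principals invoke the function."""
    policy = json.loads(get_policy_response["Policy"])
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(as_list(stmt.get("Action"))) & INVOKE_ACTIONS:
            continue
        resources = [r for r in as_list(stmt.get("Resource")) if r.startswith("arn:")]
        own_account = arn_account(resources[0]) if resources else None
        principal = stmt.get("Principal")
        if principal_is_anonymous(principal):
            # A Condition (for example AWS:SourceArn) narrows who can really invoke,
            # so an unconditioned anonymous grant ranks higher.
            findings.append({"sid": stmt.get("Sid"),
                             "severity": "HIGH" if "Condition" not in stmt else "MEDIUM",
                             "reason": "anonymous principal may invoke the function"})
        else:
            others = foreign_accounts(principal, own_account)
            if others:
                findings.append({"sid": stmt.get("Sid"), "severity": "MEDIUM",
                                 "reason": "cross-account invoke granted to " + ", ".join(others)})
    return findings


if __name__ == "__main__":
    for finding in audit_resource_policy(SAMPLE_GET_POLICY_RESPONSE):
        print(finding)
```

The Policy field of a real GetPolicy response is a JSON string, which is why the example decodes it a second time; the check deliberately ignores Deny statements and non-invoke actions so that it reports only grants an attacker could use to call the function.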

Resources Defined by Lambda

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource type | ARN | Condition keys
function | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName} | -
layer | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName} | -
layerVersion | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion} | -
eventSourceMapping | arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID} | -

Condition Keys for AWS Lambda

AWS Lambda defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition key | Description | Type
lambda:FunctionArn | The ARN of the Lambda function named in an event source mapping request (CreateEventSourceMapping and the other event source mapping actions above). | ARN
lambda:Layer | The ARN of a Lambda layer version named in the Layers parameter of CreateFunction or UpdateFunctionConfiguration; the key carries one value per layer in the request. | String
lambda:Principal | The principal passed in the Principal parameter of AddPermission or RemovePermission, such as a service principal, an AWS account, or "*" for anonymous access. | String
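The policy below is an added example, not part of the AWS reference page, showing how the three Lambda condition keys and the resource ARN formats above combine in one identity-based policy for a deployment role. The region, the account ID 123456789012, the function name orders and the statement IDs are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeployCodeToOneFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:PublishVersion"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:orders"
    },
    {
      "Sid": "AllowOnlyLayersFromThisAccount",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*",
      "Condition": {
        "ForAllValues:StringLike": {
          "lambda:Layer": ["arn:aws:lambda:*:123456789012:layer:*"]
        }
      }
    },
    {
      "Sid": "EventSourcesMayOnlyTargetOrders",
      "Effect": "Allow",
      "Action": "lambda:CreateEventSourceMapping",
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "lambda:FunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:orders"
        }
      }
    },
    {
      "Sid": "NeverGrantAnonymousInvoke",
      "Effect": "Deny",
      "Action": "lambda:AddPermission",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "lambda:Principal": "*" }
      }
    }
  ]
}
```

Three points to check when adapting it. lambda:Layer is multi-valued, so ForAllValues:StringLike requires every layer in the request to match; it also evaluates to true when the request carries no Layers at all, so functions without layers remain allowed. lambda:FunctionArn is an ARN-type key, so use an Arn* operator rather than a String* one; CreateEventSourceMapping has no resource type, which is why its Resource is "*". In the Deny statement StringEquals compares literally, so the value "*" matches only a request whose Principal parameter is the anonymous "*" that AddPermission uses for public invoke, and it does not block grants to named accounts or services. The policy omits iam:PassRole, which CreateFunction and UpdateFunctionConfiguration also need when the request names an execution role.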