Actions, Resources, and Condition Keys for AWS Lambda - AWS Identity and Access Management

Actions, Resources, and Condition Keys for AWS Lambda

AWS Lambda (service prefix: lambda) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions Defined by AWS Lambda

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource Types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

Actions Description Access Level Resource Types (*required) Condition Keys Dependent Actions
AddLayerVersionPermission Grants permission to add permissions to the resource-based policy of a version of an AWS Lambda layer Permissions management

layerVersion*

AddPermission Grants permission to give an AWS service or another account permission to use an AWS Lambda function Permissions management

function*

lambda:Principal

CreateAlias Grants permission to create an alias for a Lambda function version Write

function*

CreateEventSourceMapping Grants permission to create a mapping between an event source and an AWS Lambda function Write

lambda:FunctionArn

CreateFunction Grants permission to create an AWS Lambda function Write

function*

lambda:Layer

lambda:VpcIds

lambda:SubnetIds

lambda:SecurityGroupIds

DeleteAlias Grants permission to delete an AWS Lambda function alias Write

function*

DeleteEventSourceMapping Grants permission to delete an AWS Lambda event source mapping Write

eventSourceMapping*

lambda:FunctionArn

DeleteFunction Grants permission to delete an AWS Lambda function Write

function*

DeleteFunctionConcurrency Grants permission to remove a concurrent execution limit from an AWS Lambda function Write

function*

DeleteFunctionEventInvokeConfig Grants permission to delete the configuration for asynchronous invocation for an AWS Lambda function, version, or alias Write

function*

DeleteLayerVersion Grants permission to delete a version of an AWS Lambda layer Write

layerVersion*

DeleteProvisionedConcurrencyConfig Grants permission to delete the provisioned concurrency configuration for an AWS Lambda function Write

function alias

function version

DisableReplication [permission only] Grants permission to disable replication for a Lambda@Edge function Permissions management

function*

EnableReplication [permission only] Grants permission to enable replication for a Lambda@Edge function Permissions management

function*

GetAccountSettings Grants permission to view details about an account's limits and usage in an AWS Region Read
GetAlias Grants permission to view details about an AWS Lambda function alias Read

function*

GetEventSourceMapping Grants permission to view details about an AWS Lambda event source mapping Read

eventSourceMapping*

lambda:FunctionArn

GetFunction Grants permission to view details about an AWS Lambda function Read

function*

GetFunctionConcurrency Grants permission to view details about the reserved concurrency configuration for a function Read

function*

GetFunctionConfiguration Grants permission to view details about the version-specific settings of an AWS Lambda function or version Read

function*

GetFunctionEventInvokeConfig Grants permission to view the configuration for asynchronous invocation for a function, version, or alias Read

function*

GetLayerVersion Grants permission to view details about a version of an AWS Lambda layer Read

layerVersion*

GetLayerVersionByArn Grants permission to view details about a version of an AWS Lambda layer Read

layerVersion*

GetLayerVersionPolicy Grants permission to view the resource-based policy for a version of an AWS Lambda layer Read

layerVersion*

GetPolicy Grants permission to view the resource-based policy for an AWS Lambda function, version, or alias Read

function*

GetProvisionedConcurrencyConfig Grants permission to view the provisioned concurrency configuration for an AWS Lambda function's alias or version Read

function alias

function version

InvokeAsync (Deprecated) Grants permission to invoke a function asynchronously Write

function*

InvokeFunction [permission only] Grants permission to invoke an AWS Lambda function Write

function*

ListAliases Grants permission to retrieve a list of aliases for an AWS Lambda function List

function*

ListEventSourceMappings Grants permission to retrieve a list of AWS Lambda event source mappings List
ListFunctionEventInvokeConfigs Grants permission to retrieve a list of configurations for asynchronous invocation for a function List

function*

ListFunctions Grants permission to retrieve a list of AWS Lambda functions, with the version-specific configuration of each function List
ListLayerVersions Grants permission to retrieve a list of versions of an AWS Lambda layer List
ListLayers Grants permission to retrieve a list of AWS Lambda layers, with details about the latest version of each layer List
ListProvisionedConcurrencyConfigs Grants permission to retrieve a list of provisioned concurrency configurations for an AWS Lambda function List

function*

ListTags Grants permission to retrieve a list of tags for an AWS Lambda function Read

function*

ListVersionsByFunction Grants permission to retrieve a list of versions for an AWS Lambda function List

function*

PublishLayerVersion Grants permission to create an AWS Lambda layer Write

layer*

PublishVersion Grants permission to create an AWS Lambda function version Write

function*

PutFunctionConcurrency Grants permission to configure reserved concurrency for an AWS Lambda function Write

function*

PutFunctionEventInvokeConfig Grants permission to configures options for asynchronous invocation on an AWS Lambda function, version, or alias Write

function*

PutProvisionedConcurrencyConfig Grants permission to configure provisioned concurrency for an AWS Lambda function's alias or version Write

function alias

function version

RemoveLayerVersionPermission Grants permission to remove a statement from the permissions policy for a version of an AWS Lambda layer Permissions management

layerVersion*

RemovePermission Grants permission to revoke function-use permission from an AWS service or another account Permissions management

function*

lambda:Principal

TagResource Grants permission to add tags to an AWS Lambda function Write

function*

UntagResource Grants permission to remove tags from an AWS Lambda function Write

function*

UpdateAlias Grants permission to update the configuration of an AWS Lambda function's alias Write

function*

UpdateEventSourceMapping Grants permission to update the configuration of an AWS Lambda event source mapping Write

eventSourceMapping*

lambda:FunctionArn

UpdateFunctionCode Grants permission to update the code of an AWS Lambda function Write

function*

UpdateFunctionConfiguration Grants permission to modify the version-specific settings of an AWS Lambda function Write

function*

lambda:Layer

lambda:VpcIds

lambda:SubnetIds

lambda:SecurityGroupIds

UpdateFunctionEventInvokeConfig Grants permission to modify the configuration for asynchronous invocation for an AWS Lambda function, version, or alias Write

function*

Resource Types Defined by AWS Lambda

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
function arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}
function version arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Version}
function alias arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}:${Alias}
layer arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}
layerVersion arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion}
eventSourceMapping arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID}

Condition Keys for AWS Lambda

AWS Lambda defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
lambda:FunctionArn Filters access by the ARN of an AWS Lambda function ARN
lambda:Layer Filters access by the ARN of an AWS Lambda layer String
lambda:Principal Filters access by restricting the AWS service or account that can invoke a function String
lambda:SecurityGroupIds Filters access by the ID of security groups configured for the AWS Lambda function String
lambda:SubnetIds Filters access by the ID of subnets configured for the AWS Lambda function String
lambda:VpcIds Filters access by the ID of the VPC configured for the AWS Lambda function String