AWS Lambda
Developer Guide

Lambda API Permissions: Actions, Resources, and Conditions Reference

When you are setting up access control and writing permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. For each AWS Lambda API operation, the table lists the action for which you must grant permission to perform that operation, the AWS resource for which you can grant the permission, and the condition keys that the operation supports. You specify the action in the policy's Action element, the resource value in the policy's Resource element, and the condition key in the policy's Condition element.

To specify an action, use the lambda: prefix followed by the API operation name (for example, lambda:CreateFunction).

Note

Permissions for the AWS Lambda Invoke API in the following table can also be granted by using resource-based policies. For more information, see Using Resource-Based Policies for AWS Lambda (Lambda Function Policies).

You can use AWS-wide condition keys in your AWS Lambda policies to express conditions. For a complete list of AWS-wide keys, see Available Keys for Conditions in the IAM User Guide.

AWS Lambda also offers predefined condition keys for a limited set of API operations. For example, you can:

  • Restrict access to the following operations based on the Lambda function ARN (Amazon Resource Name):

    • CreateEventSourceMapping

    • DeleteEventSourceMapping

    • UpdateEventSourceMapping

    The following is an example policy that applies this condition:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DeleteEventSourceMappingPolicy",
          "Effect": "Allow",
          "Action": [
            "lambda:DeleteEventSourceMapping"
          ],
          "Resource": "arn:aws:lambda:region:account-id:event-source-mapping:UUID",
          "Condition": {
            "StringEquals": {
              "lambda:FunctionArn": "arn:aws:lambda:region:account-id:function:function-name"
            }
          }
        }
      ]
    }

  • Restrict access to the following operations based on the AWS service principal:

    • AddPermission

    • RemovePermission

    The following is an example policy that applies this condition:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AddPermissionPolicy",
          "Effect": "Allow",
          "Action": [
            "lambda:AddPermission"
          ],
          "Resource": "arn:aws:lambda:region:account-id:function:function-name",
          "Condition": {
            "StringEquals": {
              "lambda:Principal": "s3.amazonaws.com"
            }
          }
        }
      ]
    }
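As an added illustration (not code from the Lambda Developer Guide), the following Python script encodes the action-to-condition-key mapping from the table on this page and flags Allow statements that grant one of those actions, wildcards included, without the matching condition key, which is the review check the two example policies above are written to pass. The sample policy and its statement Sids are constructed for the example.

```python
import fnmatch
# Condition key each Lambda action supports, taken from the table on this page.
LAMBDA_CONDITION_KEYS = {
    "lambda:AddPermission": "lambda:Principal",
    "lambda:RemovePermission": "lambda:Principal",
    "lambda:CreateEventSourceMapping": "lambda:FunctionArn",
    "lambda:DeleteEventSourceMapping": "lambda:FunctionArn",
    "lambda:UpdateEventSourceMapping": "lambda:FunctionArn",
    "lambda:CreateFunction": "lambda:Layer",
    "lambda:UpdateFunctionConfiguration": "lambda:Layer",
    "lambda:GetLayerVersion": "aws:PrincipalOrgID",
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _condition_keys(statement):
    # Condition keys used under any operator, lower-cased (IAM matches them case-insensitively).
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys

def find_unconditioned_grants(policy):
    """Return (Sid, action, missing key) for each Allow statement that grants a
    condition-capable Lambda action (wildcards expanded) without using that key."""
    findings = []
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow" or "Action" not in statement:
            continue
        present = _condition_keys(statement)
        for pattern in _as_list(statement["Action"]):
            for action, key in LAMBDA_CONDITION_KEYS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()) and key.lower() not in present:
                    findings.append((statement.get("Sid", "<no Sid>"), action, key))
    return findings

# Constructed sample policy: the first statement mirrors the page's AddPermission
# example and passes; the second is the over-broad grant a reviewer would flag.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AddPermissionPolicy", "Effect": "Allow", "Action": ["lambda:AddPermission"],
         "Resource": "arn:aws:lambda:region:account-id:function:function-name",
         "Condition": {"StringEquals": {"lambda:Principal": "s3.amazonaws.com"}}},
        {"Sid": "BroadMappingAccess", "Effect": "Allow",
         "Action": "lambda:*EventSourceMapping", "Resource": "*"},
    ],
}
```

Running `find_unconditioned_grants(SAMPLE_POLICY)` reports the three event-source-mapping actions granted by the second statement without a lambda:FunctionArn condition.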

AWS Lambda API and Required Permissions for Actions

Each entry lists the API operation, the required permission (the action), the resource you can specify in the Resource element, and the condition key the operation supports (N/A where none).

API: AddLayerVersionPermission
Required Permission: lambda:AddLayerVersionPermission
Resource: arn:aws:lambda:region:account-id:layer:layer-name:1
Condition Key: N/A

API: AddPermission
Required Permission: lambda:AddPermission
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: lambda:Principal

API: CreateAlias
Required Permission: lambda:CreateAlias
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: CreateEventSourceMapping
Required Permission: lambda:CreateEventSourceMapping
Resource: *
Condition Key: lambda:FunctionArn

API: CreateFunction
Required Permission: lambda:CreateFunction
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: lambda:Layer

API: DeleteAlias
Required Permission: lambda:DeleteAlias
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: DeleteEventSourceMapping
Required Permission: lambda:DeleteEventSourceMapping
Resource: arn:aws:lambda:region:account-id:event-source-mapping:UUID
Condition Key: lambda:FunctionArn

API: DeleteFunction
Required Permission: lambda:DeleteFunction
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: DeleteLayerVersion
Required Permission: lambda:DeleteLayerVersion
Resource: arn:aws:lambda:region:account-id:layer:layer-name:1
Condition Key: N/A

API: GetAccountSettings
Required Permission: lambda:GetAccountSettings
Resource: *
Condition Key: N/A

API: GetAlias
Required Permission: lambda:GetAlias
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: GetEventSourceMapping
Required Permission: lambda:GetEventSourceMapping
Resource: *
Condition Key: N/A

API: GetFunction
Required Permission: lambda:GetFunction
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: GetFunctionConfiguration
Required Permission: lambda:GetFunctionConfiguration
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: GetLayerVersion
Required Permission: lambda:GetLayerVersion
Resource: arn:aws:lambda:region:account-id:layer:layer-name:1
Condition Key: aws:PrincipalOrgID

API: GetLayerVersionPolicy
Required Permission: lambda:GetLayerVersionPolicy
Resource: arn:aws:lambda:region:account-id:layer:layer-name:1
Condition Key: N/A

API: GetPolicy
Required Permission: lambda:GetPolicy
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: Invoke
Required Permission: lambda:InvokeFunction
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: ListAliases
Required Permission: lambda:ListAliases
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: ListEventSourceMappings
Required Permission: lambda:ListEventSourceMappings
Resource: *
Condition Key: N/A

API: ListFunctions
Required Permission: lambda:ListFunctions
Resource: *
Condition Key: N/A

API: ListLayers
Required Permission: lambda:ListLayers
Resource: *
Condition Key: N/A

API: ListLayerVersions
Required Permission: lambda:ListLayerVersions
Resource: *
Condition Key: N/A

API: ListTags
Required Permission: lambda:ListTags
Resource: *
Condition Key: N/A

API: ListVersionsByFunction
Required Permission: lambda:ListVersionsByFunction
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: PublishVersion
Required Permission: lambda:PublishVersion
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: PublishLayerVersion
Required Permission: lambda:PublishLayerVersion
Resource: arn:aws:lambda:region:account-id:layer:layer-name
Condition Key: N/A

API: RemoveLayerVersionPermission
Required Permission: lambda:RemoveLayerVersionPermission
Resource: arn:aws:lambda:region:account-id:layer:layer-name:1
Condition Key: N/A

API: RemovePermission
Required Permission: lambda:RemovePermission
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: lambda:Principal

API: TagResource
Required Permission: lambda:TagResource
Resource: *
Condition Key: N/A

API: UntagResource
Required Permission: lambda:UntagResource
Resource: *
Condition Key: N/A

API: UpdateAlias
Required Permission: lambda:UpdateAlias
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: UpdateEventSourceMapping
Required Permission: lambda:UpdateEventSourceMapping
Resource: arn:aws:lambda:region:account-id:event-source-mapping:UUID
Condition Key: lambda:FunctionArn

API: UpdateFunctionCode
Required Permission: lambda:UpdateFunctionCode
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: N/A

API: UpdateFunctionConfiguration
Required Permission: lambda:UpdateFunctionConfiguration
Resource: arn:aws:lambda:region:account-id:function:function-name
Condition Key: lambda:Layer