Applying the principles of least privilege - AWS Lambda

Applying the principles of least privilege

AWS Identity and Access Management (IAM) is the service used to manage access to AWS services. Before using IAM, it’s important to review security best practices that apply across AWS, to ensure that your user accounts are secured appropriately.

Lambda is fully integrated with IAM, allowing you to control precisely what each Lambda function can do within the AWS Cloud. There are two important policies that define the scope of permissions in Lambda functions. The event source uses a resource policy that grants permission to invoke the Lambda function, whereas the Lambda service uses an execution role to constrain what the function is allowed to do. In many cases, the console configures both of these policies with default settings. As you start to build Lambda-based applications with frameworks such as AWS SAM, you describe both policies in the application’s template.

security ops figure 2

By default, when you create a new Lambda function in the AWS Management Console or using a framework like the AWS Serverless Application Model (AWS SAM), a specific IAM role is created for only that function.

security ops figure 3

This role has permissions to create a CloudWatch log group in the current Region and AWS account, and create log streams and put events to those streams. The policy follows the principle of least privilege by scoping a precise permission to specific resources, AWS services, and accounts.
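The two policies described above, written out in one AWS SAM template as an added example (this is not code from the AWS documentation; the function name `order-processor`, the handler, the code path and the EventBridge schedule are constructed for illustration). The `Policies` block is the execution role, scoped to this function's own log group in the current account and Region, matching the default role described above; the `AWS::Lambda::Permission` resource is the resource policy, which allows only EventBridge, and only the one rule named in `SourceArn`, to invoke the function.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Least-privilege Lambda example (constructed, not from the AWS docs)

Resources:
  OrderProcessor:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: order-processor        # constructed name
      Runtime: python3.12
      Handler: app.handler                 # constructed handler
      CodeUri: ./src                       # constructed path
      # Execution role: what the function itself may do. Limited to creating
      # log groups in this account/Region and writing to its own log group,
      # /aws/lambda/order-processor, rather than "Resource": "*".
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: logs:CreateLogGroup
              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:*
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/order-processor:*

  # Event source: an EventBridge rule that fires every five minutes.
  OrderSchedule:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: rate(5 minutes)
      Targets:
        - Arn: !GetAtt OrderProcessor.Arn
          Id: OrderProcessorTarget

  # Resource policy: who may invoke the function. The Principal restricts it
  # to the EventBridge service, and SourceArn restricts it further to this
  # one rule, so no other rule or account can trigger the function.
  OrderScheduleInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref OrderProcessor
      Principal: events.amazonaws.com
      SourceArn: !GetAtt OrderSchedule.Arn
```

One caveat: the role SAM generates from `Policies` also receives the AWSLambdaBasicExecutionRole managed policy, whose logging permissions are not scoped to one log group; to keep only the scoped statements, create the IAM role yourself and reference it through the function's `Role` property.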