Lambda functions and layers - Security Overview of AWS Lambda

Lambda functions and layers

With Lambda, you can run code with virtually zero administration of the underlying infrastructure. You are responsible only for the code that you provide to Lambda, and for the configuration of how Lambda runs that code on your behalf. Today, Lambda supports two types of code resources: functions and layers.

A function is a resource that can be invoked to run your code in Lambda. A function can include a common or shared resource called a layer. Layers can be used to share common code or data across different functions or AWS accounts. You are responsible for the management of all the code contained within your functions or layers. When Lambda receives the function or layer code from a customer, Lambda protects access to it by encrypting it at rest using AWS KMS, and in transit by using TLS 1.2+.

You can manage access to your functions and layers through AWS Lambda policies, or through resource-based permissions. For a full list of supported IAM features, refer to AWS services that work with IAM. Attribute-based access control (ABAC) in Lambda lets you control access to your function using tags attached to Lambda functions. Refer to attribute-based access control for Lambda for more information.

You can also control the entire lifecycle of your functions and layers through Lambda's control plane APIs. For example, you can choose to delete your function by calling DeleteFunction, or revoke permissions from another account by calling RemovePermission.
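The resource-based permissions and the RemovePermission call described above can be reviewed with a short audit script. This is an added example, not code from the AWS documentation: it parses a constructed policy document of the kind GetPolicy returns and lists the statements that grant access outside your own account. The account IDs, statement IDs, function name, and helper names are assumptions made for illustration.

```python
import json
import re

def _stmt(sid, principal):
    # Builds one constructed Allow statement for the sample policy below.
    return {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:111111111111:function:demo"}

# Constructed sample of the JSON string found in GetPolicy's "Policy" field.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Id": "default", "Statement": [
    _stmt("own-account", {"AWS": "arn:aws:iam::111111111111:role/deployer"}),
    _stmt("partner-invoke", {"AWS": "arn:aws:iam::222222222222:root"}),
    _stmt("s3-trigger", {"Service": "s3.amazonaws.com"}),
    _stmt("anyone", "*"),
]})

# Matches a bare 12-digit account ID or an IAM/STS ARN that contains one.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:(?:iam|sts)::)?(\d{12})(?::.*)?$")

def principal_accounts(principal):
    """Return the account IDs named in a Principal element; '*' means anyone."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [aws] if isinstance(aws, str) else aws
    found = set()
    for value in values:
        match = ACCOUNT_RE.match(value)
        # Unparseable principals are kept verbatim so they are still flagged.
        found.add("*" if value == "*" else match.group(1) if match else value)
    return found

def statements_to_review(policy_json, own_account):
    """List (Sid, principals) for Allow statements reaching outside own_account."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may not be wrapped in a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        outside = sorted(principal_accounts(stmt.get("Principal", {})) - {own_account})
        if outside:
            findings.append((stmt.get("Sid"), outside))
    return findings

if __name__ == "__main__":
    # Each Sid printed is the StatementId that RemovePermission expects.
    for sid, principals in statements_to_review(SAMPLE_POLICY, "111111111111"):
        print(f"{sid}: grants access to {', '.join(principals)}")
```

Service principals such as the constructed `s3-trigger` statement are not treated as cross-account grants here; this sketch only reports account principals and wildcards.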