IAM Role - Serverless Architectures with AWS Lambda

IAM Role

AWS Identity and Access Management (IAM) lets you create IAM policies that define permissions for interacting with AWS services and APIs. Policies can be attached to IAM roles. Any access key ID and secret access key generated for a particular role are authorized to perform only the actions defined in the policies attached to that role. For more information about IAM best practices, see this documentation.

In the context of Lambda, you assign an IAM role (called an execution role) to each of your Lambda functions. The IAM policies attached to that role define what AWS service APIs your function code is authorized to interact with. There are two benefits:

  • Your source code isn’t required to perform any AWS credential management or rotation to interact with the AWS APIs. Using the AWS SDKs with the default credential provider is enough: your Lambda function automatically picks up the temporary credentials associated with the execution role assigned to the function.

  • Your source code is decoupled from its own security posture. If a developer changes your Lambda function code to integrate with a service that the function’s execution role doesn’t grant access to, that integration fails, because the IAM role assigned to the function bounds what the code can do. (The exception is code that carries its own IAM credentials, separate from the execution role; use static code analysis tools to ensure that no AWS credentials are present in your source code.)

It’s important to assign each of your Lambda functions a specific, separate, and least-privilege IAM role. This strategy ensures that each Lambda function can evolve independently without increasing the authorization scope of any other Lambda functions.
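As an added example (not code from the whitepaper), the following Python sketches what a dedicated, least-privilege execution role for one function looks like as policy JSON, a small lint that flags over-broad Allow statements, and the embedded-credential check mentioned above. The account ID, region, function name and table name are placeholders, and the role is built as plain JSON documents rather than through any AWS API.

```python
import json
import re

ACCOUNT = "123456789012"   # placeholder account id (constructed)
REGION = "us-east-1"
FUNCTION = "order-lookup"  # hypothetical function name

# Trust policy: only the Lambda service may assume this execution role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Permissions scoped to this function's own log group and one table.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": f"arn:aws:logs:{REGION}:{ACCOUNT}:log-group:/aws/lambda/{FUNCTION}:*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/orders"}]}

# The kind of policy a single role shared by many functions tends to grow into.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def policy_findings(policy):
    """Flag Allow statements that grant wildcard actions or apply to all resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: applies to all resources")
    return findings


# Long-lived IAM access key ids begin with "AKIA"; one in source means the code
# is carrying its own credentials instead of relying on the execution role.
_AKID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def has_embedded_access_key(source):
    return _AKID.search(source) is not None

if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2), policy_findings(BROAD_POLICY))
```

Running `policy_findings` over each function's policy in CI catches a role drifting toward the broad form, and `has_embedded_access_key` over the source tree catches code that bypasses the role entirely.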