Lambda Function Permissions - Serverless Architectures with AWS Lambda

You can define which push model event sources (for example, Amazon S3, Amazon SNS, and Amazon API Gateway) are allowed to invoke a Lambda function through a concept called permissions. With permissions, you declare a function policy, a resource-based policy attached to the function itself, that lists the Amazon Resource Names (ARNs) and service principals that are allowed to call lambda:InvokeFunction on it. Because several of these services use a single service principal for every customer, each statement should also be scoped with a source ARN and source account condition so that only your specific bucket, topic, or API can invoke the function.

For pull model event sources (for example, Kinesis streams and DynamoDB streams), Lambda polls the stream on your behalf, so you need to ensure that the appropriate read actions are permitted by the IAM execution role assigned to your Lambda function. AWS provides managed IAM policies for each of the pull-based event sources (for example, AWSLambdaKinesisExecutionRole and AWSLambdaDynamoDBExecutionRole) if you don't want to manage the permissions required. However, those managed policies grant the actions on every stream in the account. To ensure least privilege, you should write your own execution role policies with resource-specific statements that permit access to just the intended event source.
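The following is an added example, not code from the whitepaper, that puts both models side by side: it builds the scoped function-policy statement that aws lambda add-permission produces for a push source, builds a stream-scoped execution role policy for a pull source, and audits each for the two mistakes the text warns about (a service principal with no source condition, and poll actions granted on Resource "*"). Every account ID, function name, bucket, and stream ARN is a constructed placeholder.

```python
"""Lambda permissions for push (function policy) and pull (execution role) event sources.
Added example; all ARNs and names below are constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                                   # placeholder account
REGION = "us-east-1"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:ProcessOrders"
BUCKET_ARN = "arn:aws:s3:::example-orders-bucket"             # push source (S3)
STREAM_ARN = f"arn:aws:kinesis:{REGION}:{ACCOUNT_ID}:stream/orders-stream"  # pull source

# Actions Lambda's poller needs for a Kinesis event source mapping. This is the same
# action set as the managed policy AWSLambdaKinesisExecutionRole, which grants it on "*".
KINESIS_STREAM_ACTIONS = [
    "kinesis:DescribeStream", "kinesis:DescribeStreamSummary", "kinesis:GetRecords",
    "kinesis:GetShardIterator", "kinesis:ListShards", "kinesis:SubscribeToShard",
]


def push_permission_statement(sid, service_principal, function_arn, source_arn, source_account):
    """Function-policy statement for a push source, equivalent to:
      aws lambda add-permission --function-name ProcessOrders --statement-id <sid>
        --action lambda:InvokeFunction --principal s3.amazonaws.com
        --source-arn <source_arn> --source-account <source_account>
    The two conditions stop a same-named bucket in another account (confused deputy)
    from invoking the function through the shared s3.amazonaws.com principal."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": service_principal},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": source_arn},
            "StringEquals": {"AWS:SourceAccount": source_account},
        },
    }


def function_policy(statements):
    """Wrap statements in the resource-based policy document Lambda stores."""
    return {"Version": "2012-10-17", "Id": "default", "Statement": list(statements)}


def pull_execution_policy(stream_arn):
    """Least-privilege execution-role policy for exactly one Kinesis stream.
    kinesis:ListStreams is not resource-scoped, so it stays on "*" in its own
    statement; every action that can be scoped is pinned to stream_arn."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PollOneStream", "Effect": "Allow",
             "Action": KINESIS_STREAM_ACTIONS, "Resource": stream_arn},
            {"Sid": "ListStreams", "Effect": "Allow",
             "Action": "kinesis:ListStreams", "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_function_policy(policy):
    """Flag Allow statements for a service principal with no SourceArn/SourceAccount
    condition: any resource of that service, in any account, could invoke the function."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(f"{stmt.get('Sid', '<no sid>')}: {principal['Service']} may invoke "
                            "from any source; add --source-arn/--source-account")
    return findings


def audit_execution_policy(policy):
    """Flag statements that grant resource-scopable poll actions on Resource "*"."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        scopable = [a for a in _as_list(stmt.get("Action", [])) if a in KINESIS_STREAM_ACTIONS]
        if scopable and "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"{stmt.get('Sid', '<no sid>')}: {', '.join(scopable)} granted on every stream")
    return findings


if __name__ == "__main__":
    scoped = function_policy([push_permission_statement(
        "AllowOrdersBucket", "s3.amazonaws.com", FUNCTION_ARN, BUCKET_ARN, ACCOUNT_ID)])
    print(json.dumps(scoped, indent=2))
    print("function policy findings:", audit_function_policy(scoped))
    print("execution policy findings:", audit_execution_policy(pull_execution_policy(STREAM_ARN)))
```

The audit functions are deliberately narrow: they check only the two properties discussed in this section, and the action list covers Kinesis; a DynamoDB Streams role would need the dynamodb:DescribeStream, GetRecords, GetShardIterator, and ListStreams actions scoped to the table's stream ARN in the same way.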