Skip to main content
Securing AWS Lambda functions involves two distinct permission models that control how functions are invoked and what AWS services they can access. Understanding these models is essential for both security and functionality.
Permission TypeEvent SourceManaged ByPurpose
Invocation PermissionPush (e.g., SNS)IAM Resource PolicyAllow an external service or account to invoke your function
Execution RolePull or AWS actionsIAM Role (AssumeRole)Grant your function permissions to use other AWS services
The image illustrates access permissions for AWS Lambda, showing invocation permissions and execution roles for Lambda functions interacting with other AWS services.

Invocation Permissions

Invocation permissions are required only when a push event source directly triggers your Lambda function (for example, Amazon SNS, Amazon API Gateway, or CloudWatch Events). You grant these permissions by attaching an IAM resource policy to your function.
When you configure a push-based event source in the AWS Management Console, AWS Lambda automatically creates the necessary invocation policy.
To add invocation permission via the CLI: 
aws lambda add-permission \
  --function-name my-function \
  --statement-id AllowSNSInvoke \
  --action lambda:InvokeFunction \
  --principal sns.amazonaws.com \
  --source-arn arn:aws:sns:us-east-1:123456789012:my-topic
For more details, see AWS Lambda AddPermission.

Execution Role

The execution role is an IAM role that your Lambda function assumes when it runs. It must include:
  1. Permissions policy: Defines the AWS service actions your function can perform.
  2. Trust policy: Specifies that the Lambda service (lambda.amazonaws.com) is allowed to assume the role.
Avoid overly broad permissions (e.g., Action": "*") in your execution role. Grant only the minimum privileges your function requires.

Example Permissions Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3PutFromSpecificSource",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::lambda_bucket/*",
      "Condition": {
        "ArnEquals": {
          "lambda:SourceFunctionArn": "arn:aws:lambda:us-east-1:123456789012:function:source_lambda"
        }
      }
    }
  ]
}
  • Action: s3:PutObject grants write access to the specified S3 bucket.
  • Condition: Restricts this permission to invocations originating from a particular Lambda function.

Example Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • Principal: Specifies lambda.amazonaws.com as the trusted entity.
  • Action: sts:AssumeRole allows Lambda to assume this role at runtime.
After defining both policies, attach the execution role to your Lambda function via the console or CLI: 
aws lambda create-function \
  --function-name my-function \
  --runtime python3.9 \
  --role arn:aws:iam::123456789012:role/my-execution-role \
  --handler handler.lambda_handler \
  --zip-file fileb://function.zip

References

Watch Video