8

Foreword: I'm not asking for configuration help. My use case is covered and working fine. This is a theoretical question.

On AWS there is a policy called AWSLambdaExecute which is defined as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

This definition says to me:

  • Full access to all logs
  • Can download / upload to S3.

What is the reasoning behind this? Why are they talking about S3? (My particular lambda invocation has nothing to do with S3.) Do we know about any detailed documentation on predefined policies other than the one-liner descriptions of each?

Notinlist

1 Answer

6

If your function has nothing to do with S3 then don't use this managed policy. As far as I can see this policy is used in the documentation in combination with a tutorial on how to use Lambda with Amazon S3.

Source: https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example-create-iam-role.html

If you want to use a managed policy I recommend using AWSLambdaBasicExecutionRole which appears to contain only the minimum:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
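To make the difference between the two managed policies concrete, here is a small offline evaluator that feeds a handful of Lambda-style requests through both policy documents and lists what AWSLambdaExecute grants that AWSLambdaBasicExecutionRole does not. This is an added example, not code from the question, the answer, or AWS, and it is not AWS's policy engine: it implements only the subset of IAM evaluation these two documents need (Effect/Action/Resource, the `*` and `?` wildcards, explicit Deny beating Allow, implicit Deny otherwise). Conditions, NotAction/NotResource, Principal, permission boundaries and resource-based policies are out of scope, and the account id, bucket and function names in the sample requests are constructed.

```python
"""Offline evaluator for the two managed policies quoted above (added example).

Not AWS's real policy engine: only Effect / Action / Resource, '*' and '?'
wildcards, explicit Deny over Allow, implicit Deny otherwise (assumption:
no Condition, NotAction, NotResource, Principal or resource policies).
"""
import fnmatch
import json

# Policy documents as quoted on the page.
AWS_LAMBDA_EXECUTE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["logs:*"], "Resource": "arn:aws:logs:*:*:*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::*"}
  ]
}""")

AWS_LAMBDA_BASIC_EXECUTION_ROLE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"}
  ]
}""")

# Constructed sample requests: account id, function and bucket names are made up.
LOG_STREAM_ARN = ("arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/demo"
                  ":log-stream:2024/01/01/abc")
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/demo"
OBJECT_ARN = "arn:aws:s3:::example-bucket/input/file.txt"
SAMPLE_REQUESTS = [
    ("logs:PutLogEvents", LOG_STREAM_ARN),   # what every function needs
    ("logs:DeleteLogGroup", LOG_GROUP_ARN),  # destructive, but covered by logs:*
    ("s3:GetObject", OBJECT_ARN),            # read any object in any bucket
    ("s3:PutObject", OBJECT_ARN),            # write any object in any bucket
    ("s3:DeleteObject", OBJECT_ARN),         # granted by neither policy
]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold_case):
    """Glob match; IAM action names are case-insensitive, ARNs are not.

    fnmatch also understands [seq], which IAM does not; none of the patterns
    here use it.
    """
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny wins over any Allow
        decision = "Allow"
    return decision


def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "Allow"


def excess_grants(broad, narrow, requests):
    """Requests the broad policy allows but the narrow one does not: the
    privilege a function gives up (or never needed) by switching policies."""
    return [(a, r) for a, r in requests
            if is_allowed(broad, a, r) and not is_allowed(narrow, a, r)]


if __name__ == "__main__":
    for action, resource in SAMPLE_REQUESTS:
        print(f"{action:<22} Execute={evaluate(AWS_LAMBDA_EXECUTE, action, resource):<13}"
              f" Basic={evaluate(AWS_LAMBDA_BASIC_EXECUTION_ROLE, action, resource)}")
    extra = excess_grants(AWS_LAMBDA_EXECUTE, AWS_LAMBDA_BASIC_EXECUTION_ROLE, SAMPLE_REQUESTS)
    print("Granted only by AWSLambdaExecute:", [a for a, _ in extra])
```

Running it shows that both policies allow the log writes a function actually needs, while AWSLambdaExecute additionally allows destructive log actions (anything under `logs:*`) and read/write of every object in every bucket in the account, which is exactly the surplus the answer recommends dropping unless the function really talks to S3.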