Description:
A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role every time your function is invoked, so the role's permissions are exactly what the function's code can do. You can create an execution role for development that has permission to send logs to Amazon CloudWatch Logs and to upload trace data to AWS X-Ray.
Rationale:
AWS Lambda integrates with other AWS services to invoke functions. You can configure triggers to invoke a function in response to resource lifecycle events, respond to incoming HTTP requests, consume events from a queue, or run on a schedule. Whatever the trigger, the code runs with the permissions of the execution role, so a role that carries more permissions than the function needs lets a compromised or buggy function reach every service that role can reach. The execution role should therefore grant only the permissions the function actually uses.
Default Value:
Every function must have an execution role; the setting cannot be disabled. When you create a function in the Lambda console, the default choice under Change default execution role is "Create a new role with basic Lambda permissions", which creates a role whose only permissions are to write logs to CloudWatch Logs.
Pre-Requisite:
1. Lambda creates an execution role with minimal permissions when a function is created in the console; any permissions beyond basic logging have to be added deliberately.
2. An IAM role for your Lambda function exists or will be created as part of the implementation steps below.
3. The user performing these steps has IAM permissions to create roles and attach policies (iam:CreateRole, iam:AttachRolePolicy, iam:PutRolePolicy), to pass the role to Lambda (iam:PassRole), and to update the function (lambda:UpdateFunctionConfiguration).
Remediation:
Test Plan:
Step 01: Open the Functions page in the Lambda console.
Step 02: Choose a function.
Step 03: Choose the Configuration tab.
Step 04: Click on Permissions.
Step 05: Under Resource summary, view the services and resources that the function can access. The following example shows the CloudWatch Logs permissions that Lambda adds to an execution role when you create it in the Lambda console.
Step 06: Choose a service from the dropdown list to see the permissions related to that service. Anything beyond CloudWatch Logs (and X-Ray, if tracing is enabled) should correspond to a service the function is known to use.
Using AWS CLI:
To find out which execution role is attached to a function:
aws lambda get-function --function-name my-function --query 'Configuration.Role' --output text
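The console walk-through above ends with a human reading the Resource summary. The following script, an added example that is not part of the original page, does the same review offline on documents already fetched with the AWS CLI: it pulls the role name out of `aws lambda get-function` output and then flags Allow statements with wildcard actions, wildcard resources, or privilege-escalation actions in the role's policy documents (fetched separately with `aws iam list-attached-role-policies`, `aws iam get-policy-version` and `aws iam get-role-policy`). The function name, account ID and the over-broad inline policy are constructed samples; the basic policy mirrors the AWS managed policy AWSLambdaBasicExecutionRole.

```python
import fnmatch
import json

# Constructed sample of `aws lambda get-function --function-name my-function` output (trimmed).
GET_FUNCTION_OUTPUT = json.dumps({
    "Configuration": {
        "FunctionName": "my-function",
        "Role": "arn:aws:iam::123456789012:role/lambda-role",
    }
})

# Policy document equivalent to the AWS managed policy AWSLambdaBasicExecutionRole.
BASIC_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

# Constructed sample of an over-broad inline policy a developer attached "to make it work".
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# Specific actions that let a function escalate or pivot even when they are resource-scoped.
SENSITIVE_ACTIONS = ("iam:PassRole", "iam:Create*", "sts:AssumeRole", "lambda:UpdateFunctionCode")
# The managed basic policy grants logs writes on Resource "*"; accept that as the baseline.
BASELINE = "resource wildcard on CloudWatch Logs writes only (baseline)"


def role_name_from_get_function(output_json):
    """Extract the execution role name from `aws lambda get-function` JSON output."""
    role_arn = json.loads(output_json)["Configuration"]["Role"]
    return role_arn.rsplit("/", 1)[-1]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_overly_broad_statements(policy):
    """Return (statement index, action or resource, reason) for each risky Allow grant."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((index, action, "wildcard action"))
            elif any(fnmatch.fnmatchcase(action, pattern) for pattern in SENSITIVE_ACTIONS):
                findings.append((index, action, "privilege-escalation action"))
        if "*" in resources:
            logs_only = all(a.startswith("logs:") for a in actions)
            findings.append((index, "*", BASELINE if logs_only else "wildcard resource"))
    return findings


def is_least_privilege(policy):
    """True when the only finding is the baseline logs wildcard carried by the managed policy."""
    return all(reason == BASELINE for _, _, reason in find_overly_broad_statements(policy))


def audit_role(role_name, policies):
    """Summarise every policy on a role; `policies` maps policy name -> policy document."""
    return {
        "role": role_name,
        "least_privilege": all(is_least_privilege(p) for p in policies.values()),
        "findings": {name: find_overly_broad_statements(doc) for name, doc in policies.items()},
    }


if __name__ == "__main__":
    role = role_name_from_get_function(GET_FUNCTION_OUTPUT)
    result = audit_role(role, {"AWSLambdaBasicExecutionRole": BASIC_EXECUTION_POLICY,
                               "inline-dev-policy": OVERBROAD_POLICY})
    print(json.dumps(result, indent=2))
```

The Deny statement in the sample is deliberately skipped: a Deny can only narrow what the Allow statements grant, so it never makes a role broader. The logs-only baseline is treated as acceptable because that is what the console-created role carries; a stricter audit can drop that exemption and require the log-group-scoped resource instead.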
Implementation Steps:
Step 01: Open the Roles page in the IAM console.
Step 02: Choose Create role.
Step 03: Under Common use cases, choose Lambda, then choose Next: Permissions.
Step 04: Under Attach permissions policies, choose the AWS managed policy AWSLambdaBasicExecutionRole. Add only the further policies the function actually needs (for example AWSXRayDaemonWriteAccess if tracing is enabled).
Step 05: Choose Next, then Review.
Step 06: For Role name, enter lambda-role, then choose Create role.
Step 07: Log in to the Lambda console: https://us-east-1.console.aws.amazon.com/lambda
Step 08: Click on Functions.
Step 09: Click on the Lambda function you want to change.
Step 10: Click on the Configuration tab.
Step 11: Click on Permissions.
Step 12: Under Execution role, click Edit.
Step 13: Choose Use an existing role and select the role you created (lambda-role).
Step 14: Click Save.
Using AWS CLI:
Save the following trust policy, which allows only the Lambda service to assume the role, as trust-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
To create the role:
aws iam create-role --role-name lambda-role --assume-role-policy-document file://trust-policy.json
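The trust policy above decides who may become the role, and the permissions policy decides what the role may do; both are easy to get subtly wrong by hand. The following script is an added example, not part of the original page or of AWS's own tooling: it generates the Lambda trust policy (optionally with an aws:SourceArn condition so that only the named function can assume the role), generates a logging policy scoped to that function's own log group instead of Resource "*", and validates a trust policy before it is passed to `aws iam create-role`. The region, account ID and function name are placeholders; the rejected trust policies are constructed samples.

```python
import json

LAMBDA_SERVICE = "lambda.amazonaws.com"
POLICY_VERSION = "2012-10-17"


def lambda_trust_policy(source_arn=None):
    """Trust policy letting only the Lambda service assume the role.

    If source_arn (the function ARN) is given, a condition restricts the role to that one
    function, which blocks other functions in the account from borrowing its permissions.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": LAMBDA_SERVICE},
        "Action": "sts:AssumeRole",
    }
    if source_arn:
        statement["Condition"] = {"ArnLike": {"aws:SourceArn": source_arn}}
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def scoped_logging_policy(region, account_id, function_name):
    """Permissions policy granting CloudWatch Logs writes to this function's log group only."""
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Sid": "CreateLogGroup", "Effect": "Allow",
             "Action": "logs:CreateLogGroup",
             "Resource": f"arn:aws:logs:{region}:{account_id}:*"},
            {"Sid": "WriteLogs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"{log_group}:*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def validate_trust_policy(doc):
    """Return a list of problems with a trust policy intended for a Lambda execution role."""
    problems = []
    if doc.get("Version") != POLICY_VERSION:
        problems.append("Version must be 2012-10-17")
    for i, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            problems.append(f"statement {i}: any principal may assume the role")
        elif (not isinstance(principal, dict) or set(principal) != {"Service"}
              or _as_list(principal.get("Service")) != [LAMBDA_SERVICE]):
            problems.append(f"statement {i}: principal is not exactly the Lambda service")
        if _as_list(st.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append(f"statement {i}: action must be exactly sts:AssumeRole")
    return problems


# Constructed samples of trust policies that must be rejected.
BAD_TRUST_ANYONE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:*"}]}
BAD_TRUST_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/dev"},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    # Placeholder identifiers; substitute your own before running the CLI commands.
    region, account_id, function_name = "us-east-1", "123456789012", "my-function"
    function_arn = f"arn:aws:lambda:{region}:{account_id}:function:{function_name}"
    trust = lambda_trust_policy(source_arn=function_arn)
    assert validate_trust_policy(trust) == []
    with open("trust-policy.json", "w") as fh:
        json.dump(trust, fh, indent=2)
    with open("logging-policy.json", "w") as fh:
        json.dump(scoped_logging_policy(region, account_id, function_name), fh, indent=2)
    print("wrote trust-policy.json and logging-policy.json")
```

With the two files written, the role is created and attached as follows (the role ARN is printed by the first command): `aws iam create-role --role-name lambda-role --assume-role-policy-document file://trust-policy.json`, then `aws iam put-role-policy --role-name lambda-role --policy-name function-logging --policy-document file://logging-policy.json`, then `aws lambda update-function-configuration --function-name my-function --role arn:aws:iam::123456789012:role/lambda-role`. The inline scoped policy replaces the managed AWSLambdaBasicExecutionRole policy; the managed policy is still the simpler choice when many functions share a role.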
Backout Plan:
Step 1: Log in to the Lambda console: https://us-east-1.console.aws.amazon.com/lambda
Step 2: Click on Functions.
Step 3: Click on the Lambda function you changed.
Step 4: Click on the Configuration tab.
Step 5: Click on Permissions.
Step 6: Under Execution role, click Edit.
Step 7: Choose Use an existing role and select the execution role the function used before the change (note its ARN before implementing, as the CLI command in the Test Plan shows it).
Step 8: Click Save.
Reference:
AWS Lambda execution role - AWS Lambda: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
Generate policies based on access activity - AWS IAM: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html