Description

A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role when your function is invoked. You can create an execution role for development that has permission to send logs to Amazon CloudWatch and to upload trace data to AWS X-Ray.

Rationale:

AWS Lambda integrates with other AWS services to invoke functions. You can configure triggers to invoke a function in response to resource lifecycle events, respond to incoming HTTP requests, consume events from a queue, or run on a schedule. Every such invocation runs with the permissions of the execution role, so that role should grant only what the function needs.

Default Value:

The default value of the Lambda function is disabled.

Pre-Requisite:

1. Lambda creates an execution role with minimal permissions.

2. Create an IAM role for your Lambda function.

3. Create a policy that has Lambda full access.

Remediation:

Test Plan:

Step 01: Open the Functions page on the Lambda console.

Step 02: Choose a function.

Step 03: Then choose Configuration.

Step 04: Click on Permissions.

Step 05: Under Resource summary, view the services and resources that the function can access. The following example shows the CloudWatch Logs permissions that Lambda adds to an execution role when you create it in the Lambda console.

Step 06: Choose a service from the dropdown list to see permissions related to that service.

Using AWS CLI:

To see which execution role is attached to a function (the role ARN is returned in the Configuration.Role field):

aws lambda get-function \
    --function-name my-function

Implementation Steps:  

Step 01: Open the Roles page in the IAM console.

Step 02: Choose Create role.

Step 03: Under Common use cases, choose Lambda and choose Next: Permissions.

Step 04: Under Attach permissions policies, choose the AWS managed policy AWSLambdaBasicExecutionRole.

Step 05: Choose Next: Review.

Step 06: For Role name, enter lambda-role, then choose Create role.

Step 07: Open the Lambda console: https://us-east-1.console.aws.amazon.com/lambda

Step 08: Click on Functions.

Step 09: Click on the Lambda function you want to change.

Step 10: Click on the Configuration tab.

Step 11: Click on Permissions.

Step 12: Click on Edit.

Step 13: Under Existing role, select the role that you created.

Step 14: Click on Save.

Using AWS CLI: 

Trust policy that allows only the Lambda service to assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

To create the role, passing the trust policy above as the assume-role policy document:

aws iam create-role
    [--path <value>]
    --role-name <value>
    --assume-role-policy-document <value>
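As an added check that is not part of this control's original text, the following script audits the trust policy shown above together with a constructed sample permissions policy, flagging trust principals other than the Lambda service and Allow statements that grant a whole service or "*" (the opposite of the minimal permissions the pre-requisites call for). The policy documents would normally be fetched with aws iam get-role and aws iam get-role-policy for the role returned by aws lambda get-function; here they are embedded so the script runs offline.

```python
"""Audit a Lambda execution role's policies for least privilege (offline sample)."""

# Trust policy as shown on this page: only the Lambda service may assume the role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Constructed sample permissions policy (hypothetical, not from the page): the CloudWatch
# Logs grant that a basic execution role needs, plus one deliberately over-broad statement.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:logs:*:*:*",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ],
}

def _as_list(value):
    """IAM accepts a string or a list in Action/Principal/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def unexpected_trust_principals(trust_doc, allowed=("lambda.amazonaws.com",)):
    """Return principals other than the Lambda service that are allowed sts:AssumeRole."""
    found = []
    for st in trust_doc["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if principal == "*":                      # anyone at all may assume the role
            found.append("*")
            continue
        for kind, values in principal.items():    # kind is Service, AWS or Federated
            for value in _as_list(values):
                if kind != "Service" or value not in allowed:
                    found.append(f"{kind}:{value}")
    return found

def overbroad_statements(policy_doc):
    """Return (action, resource) pairs for Allow statements granting a whole service or '*'."""
    findings = []
    for st in policy_doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:                     # "everything except" is never least privilege
            findings.append(("NotAction", st.get("Resource")))
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((action, st.get("Resource")))
    return findings
```

A clean result is an empty list from both functions; the sample permissions policy above is expected to produce one finding for lambda:* on resource *.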

Backout Plan:

Step 1: Open the Lambda console: https://us-east-1.console.aws.amazon.com/lambda

Step 2: Click on Functions.

Step 3: Click on the Lambda function you want to change.

Step 4: Click on the Configuration tab.

Step 5: Click on Permissions.

Step 6: Click on Edit.

Step 7: Under Existing role, select the role that the function used before the change.

Step 8: Click on Save.

Reference:

AWS Lambda execution role - AWS Lambda

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_generate-policy.html

https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html#permissions-executionrole-features

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console