AWS Lambda (service prefix: `lambda`) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:

- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
You can specify the following actions in the `Action` element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The `Resource` column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the `Resource` element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.
Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
---|---|---|---|---|---|
AddLayerVersionPermission | Adds a permission policy to a version of a function layer. | Permissions management | |||
AddPermission | Adds a permission to the resource policy associated with the specified AWS Lambda function. | Permissions management | |||
CreateAlias | Creates an alias that points to the specified Lambda function version. | Write | |||
CreateEventSourceMapping | Identifies a stream as an event source for a Lambda function. | Write | |||
CreateFunction | Creates a new Lambda function. | Write | |||
DeleteAlias | Deletes the specified Lambda function alias. | Write | |||
DeleteEventSourceMapping | Removes an event source mapping. | Write | |||
DeleteFunction | Deletes the specified Lambda function code and configuration. | Write | |||
DeleteFunctionConcurrency | Removes the concurrency limit set on a Lambda function. | Write | |||
DeleteLayerVersion | Deletes a version of a function layer. | Write | |||
DisableReplication [permission only] | Removes resource policy permission that allows Lambda replication service to retrieve function code and configuration. | Permissions management | |||
EnableReplication [permission only] | Adds a permission to resource policy that gives Lambda replication service permission to get function code and configuration. | Permissions management | |||
GetAccountSettings | Returns account limits and usage statistics, such as concurrency and code storage. | Read | |||
GetAlias | Returns the specified alias information such as the alias ARN, description, and function version it is pointing to. | Read | |||
GetEventSourceMapping | Returns configuration information for the specified event source mapping. | Read | |||
GetFunction | Returns the configuration information of the Lambda function and a presigned URL link to the .zip file you uploaded with CreateFunction so you can download the .zip file. | Read | |||
GetFunctionConfiguration | Returns the configuration information of the Lambda function. | Read | |||
GetLayerVersion | Returns information about a version of a function layer, with a link to download the layer archive that is valid for 10 minutes. | Read | |||
GetLayerVersionPolicy | Returns the permissions policy for a layer version. | Read | |||
GetPolicy | Returns the resource policy associated with the specified Lambda function. | Read | |||
InvokeAsync | Submits an invocation request to AWS Lambda. This action is deprecated. | Write | |||
InvokeFunction [permission only] | Invokes a specific Lambda function. | Write | |||
ListAliases | Returns list of aliases created for a Lambda function. | List | |||
ListEventSourceMappings | Returns a list of event source mappings you created using the CreateEventSourceMapping. | List | |||
ListFunctions | Returns a list of your Lambda functions. | List | |||
ListLayerVersions | Returns a list of your Lambda layer versions. | List | |||
ListLayers | Lists function layers and shows information about the latest version of each. | List | |||
ListTags | Lists tags for a Lambda function. | Read | |||
ListVersionsByFunction | Lists all versions of a function. | List | |||
PublishLayerVersion | Creates a function layer from a ZIP archive. Each time you call PublishLayerVersion with the same version name, a new version is created. | Write | |||
PublishVersion | Publishes a version of your function from the current snapshot of $LATEST. | Write | |||
PutFunctionConcurrency | Adds concurrency limit to a Lambda function. | Write | |||
RemoveLayerVersionPermission | Removes a statement from the permissions policy for a layer version. | Permissions management | |||
RemovePermission | Removes individual permissions from a resource policy associated with a Lambda function, identified by the statement ID you provided when you added the permission. | Permissions management | |||
TagResource | Adds tags to a Lambda function. | Write | |||
UntagResource | Removes tags from a Lambda function. | Write | |||
UpdateAlias | Updates the function version to which the alias points and the alias description. | Write | |||
UpdateEventSourceMapping | Updates an event source mapping. | Write | |||
UpdateFunctionCode | Updates the code for the specified Lambda function. | Write | |||
UpdateFunctionConfiguration | Updates the configuration parameters for the specified Lambda function by using the values provided in the request. | Write | |||
The following resource types are defined by this service and can be used in the `Resource` element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.
Resource Types | ARN | Condition Keys |
---|---|---|
function | arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName} | |
layer | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName} | |
layerVersion | arn:${Partition}:lambda:${Region}:${Account}:layer:${LayerName}:${LayerVersion} | |
eventSourceMapping | arn:${Partition}:lambda:${Region}:${Account}:event-source-mapping:${UUID} | |
AWS Lambda defines the following condition keys that can be used in the `Condition` element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.
Condition Keys | Description | Type |
---|---|---|
lambda:FunctionArn | The ARN of a Lambda function. | ARN |
lambda:Layer | The ARN of a Lambda layer. | String |
lambda:Principal | The AWS principal. | String |
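The following identity-based policy is an added illustration (not part of the AWS reference above) of how the actions, the `function` ARN format and the `lambda:Principal` and `lambda:FunctionArn` condition keys fit together to scope a role to a single function. The region `us-east-1`, the account id `111122223333` and the function name `order-processor` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeOnlyThisFunction",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor"
    },
    {
      "Sid": "GrantInvokeOnlyToS3",
      "Effect": "Allow",
      "Action": "lambda:AddPermission",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:order-processor",
      "Condition": {
        "StringEquals": {
          "lambda:Principal": "s3.amazonaws.com"
        }
      }
    },
    {
      "Sid": "MapEventSourcesOnlyToThisFunction",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateEventSourceMapping",
        "lambda:UpdateEventSourceMapping"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "lambda:FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:order-processor"
        }
      }
    }
  ]
}
```

The first two statements use a `function` ARN, so the role can neither invoke other functions nor attach a resource policy that names a principal other than the S3 service. The third statement follows the convention described above for actions without a resource type (`Resource` is `*`) and relies on `lambda:FunctionArn` instead to keep new event source mappings pointed at this one function.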