Skip to content

Latest commit

 

History

History
73 lines (55 loc) · 2.61 KB

README.md

File metadata and controls

73 lines (55 loc) · 2.61 KB

Lambda

Execution Role (IAM Role)

  • Grants the Lambda function permissions to AWS services / resources
  • Sample managed policies for Lambda:
    • AWSLambdaBasicExecutionRole – Upload logs to CloudWatch.
    • AWSLambdaKinesisExecutionRole – Read from Kinesis
    • AWSLambdaDynamoDBExecutionRole – Read from DynamoDB Streams
    • AWSLambdaSQSQueueExecutionRole – Read from SQS
    • AWSLambdaVPCAccessExecutionRole – Deploy Lambda function in VPC
    • AWSXRayDaemonWriteAccess – Upload trace data to X-Ray.
  • When you use an event source mapping to invoke your function, Lambda uses the execution role to read event data.
  • Best practice: create one Lambda Execution Role per function

Lambda Resource Based Policies

  • Use resource-based policies to give other accounts and AWS services permission to use your Lambda resources
  • Similar to S3 bucket policies for S3 bucket
  • An IAM principal can access Lambda:
    • if the IAM policy attached to the principal authorizes it (e.g. user access)
    • OR if the resource-based policy authorizes (e.g. service access)
  • When an AWS service like Amazon S3 calls your Lambda function, the resource-based policy gives it access.

Lambda Permissions to Write to CW Logs

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs: CreateLogGroup",
        "logs: CreateLogStream",
        "logs:PutLogEvents",
        "logs: DescribeLogStreams"
      ],
      "Resource": ["arn:aws: logs:*:*:*"]
    }
  ]
}

Lambda Permissions, CW logs

Lambda by default

  • By default, your Lambda function is launched outside your own VPC (in an AWS-owned VPC)
  • Therefore it cannot access resources in your VPC (RDS, ElastiCache, internal ELB…)

Lambda By Default

Lambda in VPC

  • You must define the VPC ID, the Subnets and the Security Groups
  • Lambda will create an ENI (Elastic Network Interface) in each your subnets
  • AWSLambdaVPCAccessExecutionRole
  • Network Interface (ENI) will create a Security Group (SG) for every AZ of the subnet in the VPC

Lambda VPC

Internet Access

  • A Lambda function in your VPC does not have internet access
  • Deploying a Lambda function in a public subnet does not give it internet access or a public IP
  • Deploying a Lambda function in a private subnet gives it internet access if you have a NAT Gateway / Instance
  • You can use VPC endpoints to privately access AWS services without a NAT

Lambda VPC Interenet Access

Note: Lambda - CloudWatch Logs works even without endpoint or NAT Gateway