Permissions and policies

edit

A Lambda function’s execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources. This role is automatically created when the function is deployed and Lambda assumes this role when the function is invoked.

When you provide the ARNs of AWS resources the forwarder will interact with, the Cloudformation template will create the correct IAM role with the appropriate IAM policies.

You can view the execution role associated with your Lambda function from the Configuration > Permissions section within . By default this role starts with the name serverlessrepo-. When the role is created, a custom policy is added to grant Lambda minimum permissions to be able to use the configured SQS queue, S3 buckets, Kinesis data stream, CloudWatch Logs log groups, Secrets manager (if using), and SQS replay queue.

The forwarder is granted the following ManagedPolicyArns permissions, which are automatically added by default to the Events configuration (if relevant):

arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole
arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole

In addition to these basic permissions, the following permissions are added when the function is created by the Cloudformation template of the function:

  • For SQS queue resources specified in the SQS_CONTINUE_URL and SQS_REPLAY_URL environment variables, the following action is allowed: sqs:SendMessage
  • For S3 bucket resources specified in the S3_CONFIG_FILE environment variable, the following action is allowed on the S3 buckets' config file object key: s3:GetObject
  • For every S3 bucket resource sending notifications to SQS queues, the following action is allowed on the S3 buckets: s3:ListBucket
  • For every S3 bucket resource sending notifications to SQS queues, the following action is allowed on the S3 buckets' keys: s3:GetObject
  • For every Secret Manager secret that you want to refer in the config.yaml file, the following action is allowed: secretsmanager:GetSecretValue
  • Excepting the default key used to encrypt your Secret Manager secrets with, the following action is allowed for every decrypt key: kms:Decrypt
  • If any CloudWatch Logs log groups are set as Lambda inputs, the following actions are allowed for the resource:

    • arn:aws:logs:%AWS_REGION%:%AWS_ACCOUNT_ID%:log-group:*:*
    • logs:DescribeLogGroups