IAM Roles Assume Role Permission

2
votes

Given an IAM role created with this permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": "First"
    }
  ]
}

is there anything that tells AWS that only lambda functions in this account should be able to assume the role. I want AWS lambda to be able to assume this role when running functions in this account, but only lambda functions running in this AWS account - not lambda functions running in other random AWS account that happen to discover the ARN of this IAM role.

If it is the case that using this configuration allows any lambda function running in any AWS account to assume this role, then how can this policy be amended to only allow lambda functions running in my account to assume this role.

1
amazon-web-servicesaws-lambdaamazon-iam

1 Answers

1
votes

"Service": "lambda.amazonaws.com" tells that your IAM role can only be assumed by Lambda.

If you want to grant permissions to another account to assume the role, your IAM policy for the role may look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountNumberThatCanAssumeTheRole>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}