1
votes

Below is my understanding on assigning policy:


An AWS policy can be assigned to a user, group, or role, but not to an AWS resource.

In an AWS policy definition, the Principal entry has a user, group, or role as its value, but not an AWS resource (like EC2, serverless Lambda, etc.).


A policy can be assigned to a resource via a role.


We are creating a Lambda resource (AWS) using a SAM template, as shown below:

Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: index.handler
      Runtime: nodejs4.3
      Policies:
        - SQSPollerPolicy:
            QueueName: name
        - LambdaInvokePolicy:
            FunctionName: name

but I see a Policies property as part of the resource definition.


How can a policy be assigned to an AWS resource (Lambda)?

2
Because it is a resource-level policy, not the identity-based policy that is shown in your picture. - Matus Dubrava
Any resource-based policy will have a Principal entity mentioned... SQSPollerPolicy does not have a Principal entity mentioned. - overexchange
@MatusDubrava and as per this documentation, one cannot assign a resource-based policy... - overexchange
Of course, Lambda doesn't support resource-based policies, I have completely misread the question. Sorry, my bad. - Matus Dubrava
@MatusDubrava related question: stackoverflow.com/q/57049666/3317808 - overexchange

2 Answers

2
votes

In an AWS policy definition, the Principal entry has a user, group, or role as its value, but not an AWS resource (like EC2, serverless Lambda, etc.).

Edit:

I am not sure whether we are talking about the same entity in the AWS JSON policy language here. A policy can be either of type (a) identity-based policy, (b) trust policy or (c) resource-based policy. [2]

The docs state that "you cannot use the Principal element in an IAM identity-based policy". [2] Lambda typically uses the other two types of policies: trust policy for the execution role and resource-based policy for cross-account access and access from other AWS services. [6]
However, there is also the option to use identity-based policies with Lambda. [7]
In this case, you do not specify a Principal, since "the principal is implicitly the user that the policy is attached to" [2].

Example:

In the AWS IAM concept, the Principal of a role can also be an AWS service; these are so-called service roles [1]. [2]
To set Lambda as the principal, you set the following as the AssumeRolePolicyDocument (trust policy):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

There is a step-by-step example in an AWS security blog post which shows how to create an execution role for a Lambda function manually. [3]

How can a policy be assigned to an AWS resource (Lambda)?

The policy is assigned to the Lambda's execution role. The function then assumes the role during runtime and is granted permission based on all policies which are assigned to the execution role. [4]

but I see a Policies property as part of the resource definition

SAM is able to create the Lambda's execution role for you and assign policies to it automatically. The SAM developers provide so-called AWS SAM Policy Templates [5] which you can reference in your SAM template. By using these policy templates, you instruct SAM to create the policy for you and attach it to the execution role automatically.

References

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html (section "AWS service")
[3] https://aws.amazon.com/de/blogs/security/how-to-create-an-aws-iam-policy-to-grant-aws-lambda-access-to-an-amazon-dynamodb-table/
[4] https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
[5] https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html
[6] https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
[7] https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html
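The distinction this answer draws (no Principal in an identity-based policy; a service Principal plus sts:AssumeRole in the execution role's trust policy) as an added Python example, not code from the original answer or from SAM. It classifies the trust policy quoted above and a constructed identity policy, and lints a trust policy for principals broader than lambda.amazonaws.com; the SQS actions, the account id and the "open" trust policy are constructed assumptions, not what SQSPollerPolicy actually expands to.

```python
"""Classify IAM policy documents by their Principal element and lint a Lambda
execution role's trust policy. Added example, not code from the page."""
import json

# Trust policy quoted in the answer above; SAM generates it for the role.
LAMBDA_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")

# Constructed identity-based policy of the shape SAM attaches to that role
# (what SQSPollerPolicy really expands to is not claimed here).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": "arn:aws:sqs:us-east-1:123456789012:name"}]}

# Constructed over-broad trust policy: any principal may assume the role.
OPEN_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def classify(doc):
    """No Principal -> identity-based; Principal with only sts:AssumeRole*
    actions -> trust; any other Principal -> resource-based."""
    stmts = _as_list(doc.get("Statement", []))
    if not any("Principal" in s or "NotPrincipal" in s for s in stmts):
        return "identity-based"
    actions = [a for s in stmts for a in _as_list(s.get("Action", []))]
    if actions and all(a.startswith("sts:AssumeRole") for a in actions):
        return "trust"
    return "resource-based"

def lint_trust_policy(doc, service="lambda.amazonaws.com"):
    """Findings for a trust policy that should be assumable only by `service`;
    an empty list means the role is scoped as the answer describes."""
    findings = []
    allow = [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]
    for principal in (s.get("Principal") for s in allow):
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("any principal may assume the role")
            continue
        for key, value in (principal or {}).items():
            if key != "Service":
                findings.append(f"non-service principal ({key}) in trust policy")
            elif any(v != service for v in _as_list(value)):
                findings.append(f"unexpected service principal: {value}")
    return findings
```

Running lint_trust_policy over the AssumeRolePolicyDocument of every role in a rendered template is a cheap deploy-time check that the execution role trusts only the Lambda service.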

1
votes

When you define a Serverless Function, SAM automatically creates the IAM role required to run the function. Let's say your function needs to access a couple of DynamoDB tables; you need to give your function explicit permissions to access the tables. You can do this by adding AWS managed policies to the Serverless Function resource definition in your SAM template.

Reference:

https://github.com/awslabs/serverless-application-model/blob/master/docs/policy_templates.rst