Could not get the syntax of policy definition in SAM template resource(serverless function)

Question

Policy definition of AWS managed policy(AWSLambdaExecute) is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

But the AWS_documentation gives a sample serverless function using the same policy name AWSLambdaExecute, as shown below:

Type: AWS::Serverless::Function
  Properties:
    Handler: index.js
    Runtime: nodejs8.10
    CodeUri: 's3://my-code-bucket/my-function.zip'
    Description: Creates thumbnails of uploaded images
    MemorySize: 1024
    Timeout: 15
    Policies:
     - AWSLambdaExecute # Managed Policy
     - Version: '2012-10-17' # Policy Document
       Statement:
         - Effect: Allow
           Action:
             - s3:GetObject
             - s3:GetObjectACL
           Resource: 'arn:aws:s3:::my-bucket/*'

that does not match with the above definition.

Edit:

Below is the sample function's execution role... I do not see AWS mananged execution role names(such as AWSLambdaBasicExecutionRole). Because my understanding is, AWSLambdaBasicExecutionRole role should be assigned to Lambda, by default

Are we overriding the policy definition of AWSLambdaExecute in this example?

Matus Dubrava Matus Dubrava · Accepted Answer · 2019-07-14T16:33:06

When you are specifying policies, you are basically building an execution role your lambda function.

Policies is a list of policies because role can include multiple policies in it.

This line

- AWSLambdaExecute # Managed Policy

states that the lambda function that you are creating should include this AWS managed policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Following lines:

- Version: '2012-10-17' # Policy Document
       Statement:
         - Effect: Allow
           Action:
             - s3:GetObject
             - s3:GetObjectACL
           Resource: 'arn:aws:s3:::my-bucket/*'

are specifying next policy that you want to include in your lambda execution role.

Are we overriding the policy definition of AWSLambdaExecute in this example?

No, we are adding multiple policies to lambda execution role, one of them is AWS managed policy and one is our own custom policy. So the lambda function will have permissions defined in both of them. Or more precisely, union of those policies will be made and lambda function will have permissions defined by that union, meaning that if one of the policies allows lambda function to do something and the other denies the same thing, the result will be that the action will be denied.

Could not get the syntax of policy definition in SAM template resource(serverless function)

3 Answers

References