1
votes

The policy definition of the AWS managed policy (AWSLambdaExecute) is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

But the AWS documentation gives a sample serverless function using the same policy name, AWSLambdaExecute, as shown below:

Type: AWS::Serverless::Function
  Properties:
    Handler: index.js
    Runtime: nodejs8.10
    CodeUri: 's3://my-code-bucket/my-function.zip'
    Description: Creates thumbnails of uploaded images
    MemorySize: 1024
    Timeout: 15
    Policies:
     - AWSLambdaExecute # Managed Policy
     - Version: '2012-10-17' # Policy Document
       Statement:
         - Effect: Allow
           Action:
             - s3:GetObject
             - s3:GetObjectACL
           Resource: 'arn:aws:s3:::my-bucket/*'

which does not match the above definition.

Edit:

Below is the sample function's execution role... I do not see AWS managed execution role names (such as AWSLambdaBasicExecutionRole), because my understanding is that the AWSLambdaBasicExecutionRole role should be assigned to Lambda by default.

[image: screenshot of the sample function's execution role]


Are we overriding the policy definition of AWSLambdaExecute in this example?


3 Answers

2
votes

When you are specifying policies, you are basically building an execution role for your lambda function.

Policies is a list of policies because a role can include multiple policies.

This line

- AWSLambdaExecute # Managed Policy

states that the lambda function that you are creating should include this AWS managed policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "logs:*" ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

The following lines:

- Version: '2012-10-17' # Policy Document
  Statement:
    - Effect: Allow
      Action:
        - s3:GetObject
        - s3:GetObjectACL
      Resource: 'arn:aws:s3:::my-bucket/*'

specify the next policy that you want to include in your lambda execution role.

Are we overriding the policy definition of AWSLambdaExecute in this example?

No, we are adding multiple policies to the lambda execution role: one of them is an AWS managed policy and one is our own custom policy. So the lambda function will have the permissions defined in both of them. Or more precisely, a union of those policies will be made and the lambda function will have the permissions defined by that union, meaning that if one of the policies allows the lambda function to do something and the other denies the same thing, the result will be that the action is denied.
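To make the "union of policies" rule in this answer concrete, here is a small Python evaluator. It is an added example, not code from this answer or from AWS, and it is a deliberate simplification of the real IAM evaluation logic (no Condition blocks, no NotAction/NotResource, no resource-based policies, permission boundaries or SCPs). It loads the AWSLambdaExecute document and the inline S3 document exactly as quoted on this page; the third policy, DENY_PUT_TO_MY_BUCKET, is constructed here only to show that an explicit Deny in any attached policy wins over an Allow in another.

```python
"""Toy IAM policy evaluator (added example, not from the question or answers).

Models how statements from several policies attached to one role combine:
the statements are unioned, an explicit Deny anywhere wins over any Allow,
and a request no statement matches is implicitly denied. Action and
resource patterns support IAM-style '*' wildcards. Simplified: no
Condition, NotAction/NotResource, resource policies, boundaries or SCPs.
"""
from fnmatch import fnmatchcase

# Managed policy AWSLambdaExecute, as quoted in the question.
AWS_LAMBDA_EXECUTE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:*"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::*"},
    ],
}

# Inline policy document from the SAM template in the question.
INLINE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectACL"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# Constructed for this example (not on the page): a Deny a team might add
# so the function can never write into the bucket it reads from.
DENY_PUT_TO_MY_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if both the action and the resource match this statement.

    IAM compares action names case-insensitively and resource ARNs
    case-sensitively; both use '*' as a wildcard that also spans '/'.
    """
    action_ok = any(fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, p)
                      for p in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    All statements of all attached policies are considered together, which
    is the 'union' the answer describes. An explicit Deny short-circuits.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def allowed_actions(policies, resource, candidates):
    """Subset of candidate actions that the attached policies permit on
    one resource; handy for checking least privilege of a role."""
    return sorted(a for a in candidates
                  if evaluate(policies, a, resource) == "Allow")


if __name__ == "__main__":
    role = [AWS_LAMBDA_EXECUTE, INLINE_S3_POLICY]
    obj = "arn:aws:s3:::my-bucket/photo.png"
    for act in ["s3:GetObject", "s3:GetObjectACL", "s3:PutObject",
                "s3:DeleteObject"]:
        print(f"{act:18} on my-bucket -> {evaluate(role, act, obj)}")
    print("with Deny added   ->",
          evaluate(role + [DENY_PUT_TO_MY_BUCKET], "s3:PutObject", obj))
```

Running the block prints the effect for a few S3 actions against my-bucket: GetObject and PutObject come from the managed policy (which, note, allows them on every bucket in the account), GetObjectACL only from the inline document, and DeleteObject is implicitly denied. Appending the constructed Deny policy flips PutObject to an explicit Deny even though AWSLambdaExecute still allows it.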

1
votes

I think what your Policies attribute does is:

  • attaches the managed policy AWSLambdaExecute and then
  • creates an inline policy for your execution role which grants the s3 permissions s3:GetObject and s3:PutObject. There is another SO post which indicates that SAM now supports defining inline policies. [1]

Defining inline policies does not overwrite anything. You can have multiple different types of policies attached to a single identity (e.g. IAM user or role). [2]

References

[1] https://stackoverflow.com/a/52719165/10473469
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html

0
votes

Here's my preferred approach (omitting other fields for clarity):

MyLambdaFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    Policies:
      - CloudWatchLambdaInsightsExecutionRolePolicy # AWS Managed Policy
      - AWSXrayWriteOnlyAccess # AWS Managed Policy
      - AWSLambdaExecute # AWS Managed Policy
      - Version: '2012-10-17' # Policy Document to allow S3 access
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
              - s3:GetObjectACL
            Resource: 'arn:aws:s3:::my-bucket/*'