0 votes

I'm trying to get into the whole IAM setup. I have a role that I want a Lambda function to be able to assume. So, I have my Trust Relationship policy set up like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Now, as far as I understand, this would allow any Lambda function to assume this role.
Can I narrow this down a bit more, so that only one specific Lambda function is allowed to assume it?

I've tried to replace "Service": "lambda.amazonaws.com" with the ARN of the Lambda function, but it didn't really work out for me :/

1

I'm not sure AWS allows resource-level permissions for this, but the way to go about this would be to add "Resource": <Lambda ARN> under Action.
Ninad Gaikwad

1 Answer

1 vote

I think that it's actually the other way around...

When creating the Lambda function, you can specify the role for it to use. The ability to allow a function to use a Role requires the iam:PassRole permission. Anyone with this permission can configure a Lambda function to use a specific (or any) IAM Role.

Here's a sample policy from Granting a User Permissions to Pass a Role to an AWS Service - AWS Identity and Access Management that grants an IAM User the ability to pass a role:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:GetRole",
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::<account-id>:role/EC2-roles-for-XYZ-*"
    }]
}

iam:PassRole is a very important permission because it controls who can pass a role to a service. Used incorrectly, users might gain too much permission. For example, let's say that there is an Admin Role that has lots of permissions. Anyone who is granted permission to use PassRole could create a resource (e.g. an Amazon EC2 instance or AWS Lambda function) that uses this role, thereby giving them Admin capabilities. For this reason, the ability to use PassRole should be strictly controlled.

Therefore, rather than the role trusting a Lambda function, you actually need a user with PassRole to assign the role to the function.
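As an added example (not code from the question or the answer above), here is a small Python model of the two gates that together decide whether a caller can hand a role to a Lambda function: the role's trust policy must name lambda.amazonaws.com as a service principal, and the caller's own identity policy must allow iam:PassRole on that role's ARN. It runs the answer's sample policy next to a tightened variant that names a single role and uses the real iam:PassedToService condition key so the role can be passed only to Lambda. The account id 123456789012, the role names, and the simplifications listed in the docstring (no explicit Deny, NotAction/NotResource, policy variables, SCPs or permission boundaries) are assumptions of the example.

```python
"""Who can hand a role to Lambda? A simplified IAM evaluator.

Added example, not code from the question or the answer. It models only the
pieces of IAM evaluation needed to see what the sample policy grants: Allow
statements, * and ? wildcards in Action and Resource, the trust policy's
service principal, and the real iam:PassedToService condition key. Explicit
Deny, NotAction/NotResource, policy variables, SCPs and permission boundaries
are ignored on purpose: this is an illustration, not an authoritative check.
The account id and the role names below are constructed placeholders.
"""
import fnmatch

LAMBDA = "lambda.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, text):
    """IAM-style match: only * and ? are wildcards; compare case-insensitively."""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def statement_allows_passrole(stmt, role_arn, service):
    """True if one Allow statement permits passing role_arn to service."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_wild(a, "iam:PassRole") for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_wild(r, role_arn) for r in _as_list(stmt.get("Resource"))):
        return False
    # iam:PassedToService narrows which service may receive the role;
    # when absent, the role can be passed to any service that trusts it.
    cond = stmt.get("Condition", {})
    for op, match in (("StringEquals", lambda p, s: p.lower() == s.lower()),
                      ("StringLike", _wild)):
        allowed = cond.get(op, {}).get("iam:PassedToService")
        if allowed is not None and not any(match(p, service) for p in _as_list(allowed)):
            return False
    return True


def can_pass_role(identity_policy, role_arn, service):
    """Does the caller's identity policy let them pass role_arn to service?"""
    return any(statement_allows_passrole(s, role_arn, service)
               for s in _as_list(identity_policy.get("Statement")))


def role_trusts_service(trust_policy, service):
    """Does the role's trust policy let this service principal call sts:AssumeRole?"""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow"
                and isinstance(principal, dict)
                and any(_wild(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action")))
                and service.lower() in [p.lower() for p in _as_list(principal.get("Service"))]):
            return True
    return False


def can_attach_role_to_lambda(identity_policy, trust_policy, role_arn):
    """Both gates must open: the caller may pass the role AND the role trusts Lambda."""
    return (can_pass_role(identity_policy, role_arn, LAMBDA)
            and role_trusts_service(trust_policy, LAMBDA))


ACCOUNT = "123456789012"  # constructed placeholder account id

# The answer's sample policy with the placeholder filled in: any role whose
# name starts with EC2-roles-for-XYZ- can be passed to any service.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:GetRole", "iam:PassRole"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/EC2-roles-for-XYZ-*"}]}

# Tightened variant: exactly one role, and only when the recipient is Lambda.
TIGHTENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/order-processor-lambda",
    "Condition": {"StringEquals": {"iam:PassedToService": LAMBDA}}}]}

# The question's trust policy, unchanged.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": LAMBDA},
    "Action": "sts:AssumeRole"}]}

XYZ_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/EC2-roles-for-XYZ-Admin"
ACCOUNT_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/Admin"
ORDER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/order-processor-lambda"

if __name__ == "__main__":
    for label, pol in (("sample", SAMPLE_POLICY), ("tightened", TIGHTENED_POLICY)):
        for role in (XYZ_ADMIN, ACCOUNT_ADMIN, ORDER_ROLE):
            print(label, role.rsplit("/", 1)[1], "lambda:", can_pass_role(pol, role, LAMBDA),
                  "ec2:", can_pass_role(pol, role, "ec2.amazonaws.com"))
```

Running it shows the point the answer makes: the sample policy lets the caller pass every EC2-roles-for-XYZ-* role to any service, Lambda included, while the tightened policy passes one named role and only to lambda.amazonaws.com. The trust policy from the question is still needed, since Lambda rejects a function whose role does not trust it, but the trust policy alone does not decide who may use the role; iam:PassRole on the caller does.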