I'm using the AWS CDK to build the infrastructure in Python.

Steps 1 to 4 are in the same stack.

Step 1: Create the role lambda_role with the AWS managed policy AmazonDynamoDBFullAccess for Lambda.

from aws_cdk import aws_iam

# Execution role that the Lambda service can assume.
lambda_role = aws_iam.Role(self, "lambda_role",
       assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
       role_name="lambda_role")

# AWS managed policy: dynamodb:* on Resource "*" (see the snippet below).
policy = "AmazonDynamoDBFullAccess"

lambda_role.add_managed_policy(aws_iam.ManagedPolicy.from_aws_managed_policy_name(policy))

Step 2: Create a table my_table and enable streams.

from aws_cdk import aws_dynamodb

# Stream both the old and the new item image so the consumer sees full before/after records.
stream_view_type = aws_dynamodb.StreamViewType.NEW_AND_OLD_IMAGES

# tableName and partition_key (an aws_dynamodb.Attribute) are defined elsewhere in the stack.
my_table = aws_dynamodb.Table(self, id=tableName,
            table_name=tableName,
            partition_key=partition_key,
            stream=stream_view_type,
        )

Step 3: Create the Lambda function my_lambda with lambda_role.

from aws_cdk import aws_lambda

# runtime, handler and code are required by Function; the values here are placeholders.
my_lambda = aws_lambda.Function(self, "my_lambda",
             runtime=aws_lambda.Runtime.PYTHON_3_8,
             handler="index.handler",
             code=aws_lambda.Code.from_asset("lambda"),
             role=lambda_role)

Step 4: Set the table (my_table) as the trigger for the Lambda function (my_lambda).

from aws_cdk import aws_lambda_event_sources

# Event source mapping; CDK grants the role the stream-read permissions it needs
# (ListStreams, DescribeStream, GetRecords, GetShardIterator) as an inline policy.
# table_setting is a dict of tuning values defined elsewhere in the stack.
my_lambda.add_event_source(
    aws_lambda_event_sources.DynamoEventSource(
         table=my_table,
         starting_position=aws_lambda.StartingPosition.LATEST,
         batch_size=table_setting["batch_size"],
         retry_attempts=table_setting["retry_attempts"],
    )
)

My questions:

  1. Why does Step 4 automatically create and attach the inline policy to lambda_role? The scope of AmazonDynamoDBFullAccess, which is attached in Step 1, overlaps the newly created policy.
  2. How can I share the policy AmazonDynamoDBFullAccess instead of creating a new policy for each event source?

Inline policy attached to lambda_role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "dynamodb:ListStreams",
            "Resource": "arn:aws:dynamodb:?:?:table/my_table/stream/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:DescribeStream",
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator"
            ],
            "Resource": "arn:aws:dynamodb:?:?:table/my_table/stream/2020-07-22T03:35:56.757",
            "Effect": "Allow"
        }
    ]
}

Snippet of AmazonDynamoDBFullAccess attached to lambda_role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:*", ...
            ],
            "Effect": "Allow",
            "Resource": "*"
        }, ...
    ]
}

1 Answer


You can stop the redundant policy additions from add_event_source by preventing additional policy updates on your custom Lambda execution role after it is created, using the Role method without_policy_updates.

To do it this way, you will also have to manually add whatever policies would have been automatically added during the Lambda function initialization, since the Lambda initialization won't be able to auto-update the role either. For a simple Lambda function, this would probably only be AWSLambdaBasicExecutionRole and AWSLambdaVPCAccessExecutionRole.

from aws_cdk import aws_iam, aws_lambda

lambda_role = aws_iam.Role(self, "lambda_role",
    assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
    role_name="lambda_role",
    managed_policies=[
        # Policies Function would otherwise attach to a mutable role for you.
        aws_iam.ManagedPolicy.from_aws_managed_policy_name(
            "service-role/AWSLambdaBasicExecutionRole"
        ),
        aws_iam.ManagedPolicy.from_aws_managed_policy_name(
            "service-role/AWSLambdaVPCAccessExecutionRole"
        ),
        aws_iam.ManagedPolicy.from_aws_managed_policy_name("AmazonDynamoDBFullAccess"),
    ]
)

# Returns an immutable IRole: later grant/add_to_policy calls on it, including
# the one DynamoEventSource makes, no longer create inline policies.
lambda_role = lambda_role.without_policy_updates()

# runtime, handler and code are required by Function; the values here are placeholders.
my_lambda = aws_lambda.Function(self, "my_lambda",
         runtime=aws_lambda.Runtime.PYTHON_3_8,
         handler="index.handler",
         code=aws_lambda.Code.from_asset("lambda"),
         role=lambda_role)
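The overlap asked about in question 1 can be checked mechanically. What follows is an added example, not code from the question, the answer or the CDK: a small Python evaluator that builds a stream-read policy in the same shape as the inline policy CDK generated, then tests whether every action/resource pair in it is already allowed by the abridged AmazonDynamoDBFullAccess document from the question. The ARNs (region us-east-1, account 123456789012) and the log-only policy used as a negative case are constructed for the example; the evaluator handles Allow statements with `*`/`?` wildcards only and ignores Deny, Condition, NotAction and NotResource.

```python
import re
from typing import Dict, List, Pattern

# Constructed sample ARNs; region and account are placeholders, not real values.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/my_table"
STREAM_ARN = TABLE_ARN + "/stream/2020-07-22T03:35:56.757"

# Abridged from the AmazonDynamoDBFullAccess snippet in the question.
DYNAMODB_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"}],
}

# Constructed: log-only permissions in the style of AWSLambdaBasicExecutionRole,
# used as a policy that should NOT cover the stream-read grant.
LOGS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}


def stream_read_policy(table_arn: str, stream_arn: str) -> Dict:
    """Least-privilege grant a DynamoDB stream consumer needs.

    Same shape as the inline policy CDK's DynamoEventSource attaches: ListStreams on
    the table's stream namespace, and the three read calls on the one stream ARN
    the event source mapping actually polls.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "dynamodb:ListStreams",
             "Resource": f"{table_arn}/stream/*"},
            {"Effect": "Allow",
             "Action": ["dynamodb:DescribeStream", "dynamodb:GetRecords",
                        "dynamodb:GetShardIterator"],
             "Resource": stream_arn},
        ],
    }


def _glob(pattern: str) -> Pattern:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Matching is case-insensitive here as a simplification (true for actions,
    # only partly true for ARNs).
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def _aslist(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def allows(policy: Dict, action: str, resource: str) -> bool:
    """True if some Allow statement in `policy` matches both action and resource."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        action_ok = any(_glob(a).match(action) for a in _aslist(st.get("Action", [])))
        resource_ok = any(_glob(r).match(resource) for r in _aslist(st.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def covered_by(narrow: Dict, broad: Dict) -> bool:
    """Every action/resource pair spelled out in `narrow` is allowed by `broad`.

    Pairs in `narrow` are taken literally (a '*' in `narrow` is matched as text
    against `broad`), which is enough for the concrete policies compared here.
    """
    for st in narrow["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for action in _aslist(st["Action"]):
            for resource in _aslist(st["Resource"]):
                if not allows(broad, action, resource):
                    return False
    return True


if __name__ == "__main__":
    inline = stream_read_policy(TABLE_ARN, STREAM_ARN)
    print("inline covered by FullAccess:", covered_by(inline, DYNAMODB_FULL_ACCESS))
    print("FullAccess covered by inline:", covered_by(DYNAMODB_FULL_ACCESS, inline))
    print("inline covered by logs-only: ", covered_by(inline, LOGS_ONLY))
```

Running it shows the generated inline policy is entirely covered by dynamodb:* on Resource *, while the reverse check fails: the inline policy is the strictly narrower, least-privilege grant, limited to read calls on one stream of one table. If the aim is one shared policy instead of a per-function inline one, the document stream_read_policy builds (for example as a customer managed policy attached to the role before without_policy_updates) is the one worth sharing; AmazonDynamoDBFullAccess also permits writes and table deletion on every table in the account, which a stream consumer does not need.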