Quick IAM tip for AWS Lambda

Create a single IAM role for each AWS Lambda.

Do not try to create one role for everything or even 1 role for multiple Lambdas. That way you don’t have to give permissions to a function that it shouldn’t have.

Not giving a Lambda function permissions means that it can’t do things like accidentally delete something.

It does mean that you have to deploy permissions with each function, and that’s not perfect, but it’s not too onerous either.

As an aside, when you have an EC2 Instance that is your whole application, you have to give all the permissions it needs, which may be multiple parts of the AWS ecosystem (RDS, S3, Lambda, DynamoDB etc).

When you have multiple permissions, you open up potential problems with data.

You also open up potential problems for your developers. Any developer can take advantage of any permission.

So, keep it simple:

One IAM role for each AWS Lambda function

Easy!

Written by

ServerlessDays CoFounder (Jeff), ex AWS Serverless Snr DA, experienced CTO/Interim, Startups, Entrepreneur, Techie, Geek and Christian

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store