AWS Lambda Permission Model

Correct Answer: Assume an IAM role with the required permissions within the Lambda function

To grant temporary access to another service from a Lambda function, assume an IAM role with the required permissions within the Lambda function. This allows for secure and temporary access to the necessary resources without embedding access keys or exposing resources directly.

Correct Answer: Attach an IAM role to the Lambda function

When granting permissions to a Lambda function, the best practice is to attach an IAM role to it. This method allows the function to automatically assume the permissions defined in the role without embedding any access keys in the code or creating separate users for each data source.

Correct Answer: Attach the AWSLambdaBasicExecutionRole managed policy and an inline policy that allows s3:PutObject to the specific S3 bucket; no SQS permissions are required in the function’s execution role when using an SQS event source mapping.

When an Amazon SQS queue is configured as an event source for AWS Lambda, the Lambda service polls the queue and handles message retrieval and deletion on your behalf. Therefore, the function’s execution role does not need SQS permissions. The execution role is used by the function code when calling other AWS services; in this scenario it must be able to write objects to the target S3 bucket. Following least privilege, grant s3:PutObject only (scoped to the specific bucket and prefix as appropriate) and include the AWSLambdaBasicExecutionRole managed policy so the function can write logs to CloudWatch. Granting SQS permissions or broad S3 permissions (such as S3FullAccess) is unnecessary and over-privileged.