Lambda Roles and SCPs

Time:03-31

I have a question regarding Lambda, roles and SCPs.

Let's say I have a Lambda function making a certain IAM call, and the Lambda role has the permission needed to do it. The Lambda itself is created with CloudFormation. The CloudFormation deployment is run with a tool using the service role for the tool; there is no service role for CF. The Lambda function is triggered by a Custom Resource in the same CF.

Tool (with role) -> CF (no service role) -> CR -> Lambda -> IAM call

Now add an SCP with a Deny for the IAM call. Which principal needs to have a condition in the SCP so that it is not affected by the SCP?

CodePudding user response:

The role you use for the Lambda is the principal that needs an exception in the SCP. Ultimately, it is the principal running the Lambda that is making the IAM call, so that is what will need the condition.

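An added worked example, not part of the question or the answer above: a small Python simulation of the SCP the answer describes. The account ID, role names and the denied action (`iam:CreateUser`) are made-up placeholders. The policy evaluator is a deliberately reduced model covering only what this case needs (a `Deny` statement with an `ArnNotLike` condition on `aws:PrincipalArn`); it is not AWS's policy engine. One documented detail it does encode: when a Lambda runs, the caller is an assumed-role session, and the `aws:PrincipalArn` key in the request context is the role's ARN rather than the STS session ARN, which is why the exception is keyed on the Lambda execution role and nothing in the deployment chain (tool role, CloudFormation, Custom Resource) appears in it.

```python
"""Simulate an SCP that denies an IAM action for everyone except the Lambda execution role.

Added example (not from the original post). Account ID, role names and the action
are placeholders; the evaluator implements only the policy subset used here.
"""
import json
import re
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"                                            # placeholder
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda-exec-role"   # placeholder
TOOL_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/deploy-tool-role"     # placeholder
DENIED_ACTION = "iam:CreateUser"                                       # placeholder

# The SCP: an explicit Deny that applies unless the calling principal is the Lambda role.
# SCPs only ever restrict; the Lambda role still needs an Allow in its own policy.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyIamCallExceptLambdaRole",
            "Effect": "Deny",
            "Action": [DENIED_ACTION],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": [LAMBDA_ROLE_ARN]}},
        }
    ],
}

_ASSUMED_ROLE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+")


def principal_arn_for_request(caller_arn: str) -> str:
    """Value of aws:PrincipalArn for a caller.

    A Lambda invocation runs as an STS assumed-role session; for such sessions
    aws:PrincipalArn carries the role ARN, not the session ARN.
    """
    m = _ASSUMED_ROLE.fullmatch(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """All operator/key pairs must hold; values under one key are OR'd (simplified)."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            negated = operator in ("ArnNotLike", "StringNotLike")
            if operator not in ("ArnLike", "StringLike", "ArnNotLike", "StringNotLike"):
                raise NotImplementedError(f"operator {operator} not modelled")
            value = ctx.get(key)
            if value is None:
                # Missing key: positive operators fail, negated operators match.
                if not negated:
                    return False
                continue
            matched = any(fnmatchcase(value, p) for p in _as_list(patterns))
            if matched == negated:
                return False
    return True


def scp_denies(scp: dict, principal_arn: str, action: str) -> bool:
    """True if any Deny statement in the SCP matches this principal and action."""
    ctx = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def scp_json() -> str:
    """The policy document as you would paste it into Organizations."""
    return json.dumps(SCP, indent=2)


if __name__ == "__main__":
    print(scp_json())
    lambda_session = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/lambda-exec-role/my-function"
    for who, caller in (("Lambda execution role", lambda_session),
                        ("deployment tool role", TOOL_ROLE_ARN)):
        denied = scp_denies(SCP, principal_arn_for_request(caller), DENIED_ACTION)
        print(f"{who}: denied={denied}")
```

Two caveats worth keeping in mind when applying this for real: SCPs never apply to the management account of the organization, and an `ArnNotLike` exception is only as strong as the ability to assume that role, so the Lambda execution role's trust policy should allow only `lambda.amazonaws.com` to assume it.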