I have registered a free tier AWS Lambda account and created a simple, public service for me and others to play around with. However, since I do not know yet how usage is going to be, I want to be careful for now. Otherwise someone could simply flood my service with one million requests and I get billed for it. I'd rather not have the service available.
Therefore, I want to create a budget action that shuts down all services as soon as $0.01 is exceeded. The way I've done this is that I've granted the Lambda service role (which was auto-created when I set up the Lambda service) the budget permission (budgets.amazonaws.com) and then have an IAM action set up that adds the AWSDenyAll managed policy to the role itself once the budget is exceeded.
This does not seem to work. If I manually attach the AWSDenyAll policy, the Lambda service is still available. My understanding of the roles/policies system may also be fundamentally wrong.
How can I achieve a "total shutdown" action that can be triggered from a budget alert?
CodePudding user response:
You're applying the AWSDenyAll policy to the execution role of the Lambda function, which is used to define permissions to access AWS resources from the Lambda itself (Configuration > Permissions > Execution role).
You essentially have blocked the Lambda function itself from accessing AWS services.
You haven't blocked any IAM principals (users or roles), AWS services (including API Gateway) or other AWS accounts which is why your Lambda can still be invoked manually or via the gateway.
Now, a question that may arise is "how can I prevent the API Gateway from invoking my Lambda?".
The way that API Gateway is given access to trigger your Lambda is via resource-based permissions policies (Configuration > Permissions > Resource-based policy).
This is not "encapsulated" within an IAM entity (user or role) and currently, you can only update resource-based policies for Lambda resources within the scope of the AddPermission and AddLayerVersionPermission API actions.
This means that the only way to revoke API Gateway's access to invoking your function would be to delete the resource policy allowing API Gateway to invoke your function using the RemovePermission API action or via the console.
There would be no way to do this via budget actions.
The other question that can arise is "how can I prevent API Gateway and the Lambda function from being invoked then?".
This still wouldn't be possible using Budget Actions: as per the docs, you can only apply an IAM policy or a service control policy (SCP), neither of which will help you prevent the triggering of a Lambda that is triggered via the API Gateway. You can prevent the Lambda from being triggered by AWS users within the console, but you can't prevent the API Gateway unless you are using IAM to authenticate your users.
There isn't any way to "shutdown" Lambda functions or the API Gateway once you hit a specific budget limit.
You will just have to create a budget to alert you, filter on the service dimension to the Lambda and API Gateway services for example, and then take manual action (setting a monthly usage budget with a fixed usage amount and actual/forecasted notifications).
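The manual step the answer points to (revoking API Gateway's grant with RemovePermission) can be scripted so it is one command to run when the budget alert fires. The following is an added example, not code from the post or from AWS: it reads the function's resource-based policy and removes every statement that lets apigateway.amazonaws.com invoke it. FUNCTION_NAME and SAMPLE_POLICY are constructed placeholders, and the AWS calls assume boto3 is installed with credentials holding lambda:GetPolicy and lambda:RemovePermission.

```python
"""Revoke API Gateway's invoke permission on a Lambda function (added example)."""
import json

FUNCTION_NAME = "my-public-function"       # placeholder, not from the post
API_GATEWAY = "apigateway.amazonaws.com"   # service principal API Gateway uses

# Constructed sample in the shape GetPolicy returns; not a real policy.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17", "Id": "default",
    "Statement": [
        {"Sid": "apigw-invoke", "Effect": "Allow",
         "Principal": {"Service": "apigateway.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:::function:placeholder"},
        {"Sid": "events-invoke", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:::function:placeholder"},
    ],
})


def statements_granting(policy_json: str, service: str) -> list:
    """Return the Sid of every Allow statement whose principal is `service`.

    `policy_json` is the Policy string from GetPolicy. RemovePermission works
    per statement, so the Sids are exactly what the revoke call needs.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be unwrapped
        statements = [statements]
    sids = []
    for st in statements:
        principal = st.get("Principal", {})
        svc = principal.get("Service") if isinstance(principal, dict) else principal
        if isinstance(svc, str):
            svc = [svc]
        if st.get("Effect") == "Allow" and service in (svc or []):
            sids.append(st["Sid"])
    return sids


def revoke_api_gateway(function_name: str) -> list:
    """Remove every API Gateway invoke grant from the function's resource policy."""
    import boto3  # imported here so the pure helper above runs without boto3
    client = boto3.client("lambda")
    policy = client.get_policy(FunctionName=function_name)["Policy"]
    revoked = statements_granting(policy, API_GATEWAY)
    for sid in revoked:
        client.remove_permission(FunctionName=function_name, StatementId=sid)
    return revoked


if __name__ == "__main__":
    print("revoked statements:", revoke_api_gateway(FUNCTION_NAME))
```

After the revoke, API Gateway requests fail with a 5xx until the permission is re-added (AddPermission); GetPolicy raises ResourceNotFoundException when the function has no resource policy at all, so run it only on functions that have one.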