{
	"id": "ffe8ba56-cf25-48d5-bb76-acb690a5f789",
	"created_at": "2026-04-06T00:15:45.653267Z",
	"updated_at": "2026-04-10T03:21:46.987631Z",
	"deleted_at": null,
	"sha1_hash": "2916dde8ff5249996c14ff7c6d140d0827f26174",
	"title": "Defining Lambda function permissions with an execution role",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66984,
	"plain_text": "Defining Lambda function permissions with an execution role\r\nArchived: 2026-04-05 15:48:42 UTC\r\nA Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the\r\nfunction permission to access AWS services and resources. For example, you might create an execution role that\r\nhas permission to send logs to Amazon CloudWatch and upload trace data to AWS X-Ray. This page provides\r\ninformation on how to create, view, and manage a Lambda function's execution role.\r\nLambda automatically assumes your execution role when you invoke your function. You should avoid manually\r\ncalling sts:AssumeRole to assume the execution role in your function code. If your use case requires that the role\r\nassumes itself, you must include the role itself as a trusted principal in your role's trust policy. For more\r\ninformation on how to modify a role trust policy, see Modifying a role trust policy (console) in the IAM User\r\nGuide.\r\nIn order for Lambda to properly assume your execution role, the role's trust policy must specify the Lambda\r\nservice principal (lambda.amazonaws.com) as a trusted service.\r\nTopics\r\nCreating an execution role in the IAM console\r\nCreating and managing roles with the AWS CLI\r\nGrant least privilege access to your Lambda execution role\r\nViewing and updating permissions in the execution role\r\nWorking with AWS managed policies in the execution role\r\nUsing source function ARN to control function access behavior\r\nCreating an execution role in the IAM console\r\nBy default, Lambda creates an execution role with minimal permissions when you create a function in the Lambda\r\nconsole. Specifically, this execution role includes the AWSLambdaBasicExecutionRole managed policy, which\r\ngives your function basic permissions to log events to Amazon CloudWatch Logs. 
You can select Create default\r\nrole in the Permissions section.\r\nYou can choose an existing role by selecting Use another role in the Permissions section. If your Lambda\r\nfunction needs additional permissions to perform tasks such as updating entries in an Amazon DynamoDB\r\ndatabase in response to events, you can create a custom execution role with the necessary permissions. To do this,\r\nselect Use another role in the Permissions section, which opens a drawer where you can customize your\r\npermissions.\r\nhttps://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html\r\nPage 1 of 3\n\nTo configure an execution role from the console\r\n1. Enter a role name in the Role details section.\r\n2. In the Policy section, select Use existing policy.\r\n3. Select the AWS managed policies that you want to attach to your role. For example, if your function needs\r\nto access DynamoDB, select the AWSLambdaDynamoDBExecutionRole managed policy.\r\n4. Choose Create role.\r\nAlternatively, when you create a function in the Lambda console, you can attach any execution role that you\r\npreviously created to the function. If you want to attach a new execution role to an existing function, follow the\r\nsteps in Updating a function's execution role.\r\nCreating and managing roles with the AWS CLI\r\nTo create an execution role with the AWS Command Line Interface (AWS CLI), use the create-role command.\r\nWhen using this command, you can specify the trust policy inline. A role's trust policy gives the specified\r\nprincipals permission to assume the role. In the following example, you grant the Lambda service principal\r\npermission to assume your role. 
Note that requirements for escaping quotes in the JSON string may vary\r\ndepending on your shell.\r\naws iam create-role \\\r\n --role-name lambda-ex \\\r\n --assume-role-policy-document '{\"Version\": \"2012-10-17\",\"Statement\": [{ \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"lambda.amazonaws.com\"}, \"Action\": \"sts:AssumeRole\"}]}'\r\nYou can also define the trust policy for the role using a separate JSON file. In the following example, trust-policy.json is a file in the current directory.\r\nExample trust-policy.json\r\n{\r\n \"Version\":\"2012-10-17\",\r\n \"Statement\": [\r\n {\r\n \"Effect\": \"Allow\",\r\n \"Principal\": {\r\n \"Service\": \"lambda.amazonaws.com\"\r\n },\r\n \"Action\": \"sts:AssumeRole\"\r\n }\r\n ]\r\n}\r\naws iam create-role \\\r\n --role-name lambda-ex \\\r\n --assume-role-policy-document file://trust-policy.json\r\nTo add permissions to the role, use the attach-role-policy command. The following command attaches the\r\nAWSLambdaBasicExecutionRole managed policy to the lambda-ex execution role.\r\naws iam attach-role-policy --role-name lambda-ex --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\r\nAfter you create your execution role, attach it to your function. When you create a function in the Lambda\r\nconsole, you can attach any execution role that you previously created to the function. If you want to attach a new\r\nexecution role to an existing function, follow the steps in Updating a function's execution role.\r\nGrant least privilege access to your Lambda execution role\r\nWhen you first create an IAM role for your Lambda function during the development phase, you might sometimes\r\ngrant permissions beyond what is required. Before publishing your function in the production environment, as a\r\nbest practice, adjust the policy to include only the required permissions. 
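The trust-policy requirements from the AWS CLI section and the least-privilege review described here can both be checked offline before a role is attached to a function. The following is an added example and not code from the AWS page: it verifies that a trust policy lets lambda.amazonaws.com call sts:AssumeRole and trusts no wildcard principal, warns when the trust policy lacks the aws:SourceAccount or aws:SourceArn condition that the IAM confused-deputy guidance recommends for service principals, lints a permissions policy for wildcard actions and resources, and narrows a granted action list to the actions a function was observed calling, which is the same narrowing that Access Analyzer policy generation performs from CloudTrail. TRUST_POLICY mirrors the page's trust-policy.json; HARDENED_TRUST_POLICY, DEV_POLICY, the account ID 123456789012 and OBSERVED_ACTIONS are constructed for the example.

```python
# Added example, not code from the AWS page: offline checks for a Lambda execution
# role's trust policy and permissions policy, plus a helper that trims a granted
# action list to the actions the function was actually observed calling.
# Policies are plain dicts in the shape that aws iam create-role and
# put-role-policy accept once serialised to JSON.
import fnmatch
import json

LAMBDA_PRINCIPAL = 'lambda.amazonaws.com'
ASSUME_ROLE = 'sts:AssumeRole'


def as_list(value):
    # IAM lets Action, Resource and Principal values be a single string or a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_trust_policy(policy):
    '''Return findings for a trust policy; an empty list means it is acceptable.
    FAIL entries mean Lambda cannot or should not use the role, WARN entries are hardening advice.'''
    findings = []
    lambda_can_assume = False
    for stmt in policy.get('Statement', []):
        if stmt.get('Effect') != 'Allow':
            continue
        actions = as_list(stmt.get('Action'))
        principal = stmt.get('Principal', {})
        if principal == '*' or (isinstance(principal, dict) and '*' in as_list(principal.get('AWS'))):
            findings.append('FAIL statement lets any principal assume the role')
            continue
        services = as_list(principal.get('Service')) if isinstance(principal, dict) else []
        if LAMBDA_PRINCIPAL in services and any(action_matches(a, ASSUME_ROLE) for a in actions):
            lambda_can_assume = True
            # Confused-deputy hardening from the IAM guidance: pin the service principal
            # to your account (aws:SourceAccount) or to specific function ARNs (aws:SourceArn).
            condition_text = json.dumps(stmt.get('Condition', {}))
            if 'aws:SourceAccount' not in condition_text and 'aws:SourceArn' not in condition_text:
                findings.append('WARN ' + LAMBDA_PRINCIPAL + ' is trusted without an aws:SourceAccount or aws:SourceArn condition')
    if not lambda_can_assume:
        findings.append('FAIL ' + LAMBDA_PRINCIPAL + ' is not allowed to call ' + ASSUME_ROLE + ', so Lambda cannot assume this role')
    return findings


def check_permissions_policy(policy):
    '''Flag Allow statements that are broader than a function normally needs.'''
    findings = []
    for stmt in policy.get('Statement', []):
        if stmt.get('Effect') != 'Allow':
            continue
        actions = as_list(stmt.get('Action'))
        resources = as_list(stmt.get('Resource'))
        broad = [a for a in actions if a == '*' or a.endswith(':*')]
        if broad:
            findings.append('WARN wildcard action(s) ' + ', '.join(broad) + ' grant every operation of the service')
        # Resource * is what AWSLambdaBasicExecutionRole uses for its CloudWatch Logs
        # actions; for anything else, scope the statement to the ARNs the function touches.
        only_logs = all(a.lower().startswith('logs:') for a in actions)
        if '*' in resources and not only_logs:
            findings.append('WARN Resource * on non-logs actions ' + ', '.join(actions))
    return findings


def granted_actions(policy):
    '''Every action granted by the Allow statements of a permissions policy, in policy order.'''
    return [a for s in policy.get('Statement', []) if s.get('Effect') == 'Allow' for a in as_list(s.get('Action'))]


def trim_to_observed(granted, observed):
    '''Narrow a granted action list to the concrete actions CloudTrail shows the
    function calling. Returns (keep, unused): the actions for the new policy, sorted,
    and the granted entries (wildcards included) that matched nothing observed.'''
    keep = sorted({a for a in observed if any(action_matches(g, a) for g in granted)})
    unused = [g for g in granted if not any(action_matches(g, a) for a in observed)]
    return keep, unused


# Constructed inputs. TRUST_POLICY mirrors the page's trust-policy.json; the rest is made up.
TRUST_POLICY = {
    'Version': '2012-10-17',
    'Statement': [{'Effect': 'Allow', 'Principal': {'Service': LAMBDA_PRINCIPAL}, 'Action': ASSUME_ROLE}],
}
HARDENED_TRUST_POLICY = {  # same grant, pinned to a placeholder account ID
    'Version': '2012-10-17',
    'Statement': [{'Effect': 'Allow', 'Principal': {'Service': LAMBDA_PRINCIPAL}, 'Action': ASSUME_ROLE,
                   'Condition': {'StringEquals': {'aws:SourceAccount': '123456789012'}}}],
}
DEV_POLICY = {  # the kind of over-broad grant left over from development
    'Version': '2012-10-17',
    'Statement': [
        {'Effect': 'Allow', 'Action': ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], 'Resource': '*'},
        {'Effect': 'Allow', 'Action': ['dynamodb:*', 's3:GetObject'], 'Resource': '*'},
    ],
}
# Actions seen for the function in CloudTrail over the review window (constructed).
OBSERVED_ACTIONS = ['dynamodb:UpdateItem', 'dynamodb:UpdateItem', 'logs:CreateLogStream', 'logs:PutLogEvents']

if __name__ == '__main__':
    print(check_trust_policy(TRUST_POLICY))
    print(check_trust_policy(HARDENED_TRUST_POLICY))
    print(check_permissions_policy(DEV_POLICY))
    print(trim_to_observed(granted_actions(DEV_POLICY), OBSERVED_ACTIONS))
```

The trimming step has the same blind spot as policy generation from CloudTrail: an action the function did not exercise during the window (logs:CreateLogGroup when the log group already existed, for instance) is reported as unused, so review the unused list before removing anything from the role.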
For more information, see Apply least-privilege permissions in the IAM User Guide.\r\nUse IAM Access Analyzer to help identify the required permissions for the IAM execution role policy. IAM\r\nAccess Analyzer reviews your AWS CloudTrail logs over the date range that you specify and generates a policy\r\ntemplate with only the permissions that the function used during that time. You can use the template to create a\r\nmanaged policy with fine-grained permissions, and then attach it to the IAM role. That way, you grant only the\r\npermissions that the role needs to interact with AWS resources for your specific use case.\r\nFor more information, see Generate policies based on access activity in the IAM User Guide.\r\nSource: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html"
	],
	"report_names": [
		"lambda-intro-execution-role.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2916dde8ff5249996c14ff7c6d140d0827f26174.pdf",
		"text": "https://archive.orkl.eu/2916dde8ff5249996c14ff7c6d140d0827f26174.txt",
		"img": "https://archive.orkl.eu/2916dde8ff5249996c14ff7c6d140d0827f26174.jpg"
	}
}