securing-aws-lambda-execution-roles
Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries, restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through SCPs.
Best use case
securing-aws-lambda-execution-roles is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries, restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through SCPs.
Teams using securing-aws-lambda-execution-roles should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/securing-aws-lambda-execution-roles/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How securing-aws-lambda-execution-roles Compares
| Feature / Agent | securing-aws-lambda-execution-roles | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Securing AWS Lambda execution roles by implementing least-privilege IAM policies, applying permission boundaries, restricting resource-based policies, using IAM Access Analyzer to validate permissions, and enforcing role scoping through SCPs.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
SKILL.md Source
# Securing AWS Lambda Execution Roles
## When to Use
- When deploying new Lambda functions and defining their IAM execution roles
- When remediating overly permissive Lambda roles discovered during security audits
- When implementing least-privilege access patterns for serverless architectures
- When building reusable IAM templates for Lambda functions across teams
- When Security Hub or Prowler reports Lambda functions with excessive permissions
**Do not use** for securing Lambda function invocation (use resource-based policies and API Gateway authorizers), for Lambda code security (use SAST tools), or for Lambda network security (use VPC configuration and security groups).
## Prerequisites
- IAM permissions for policy creation, role modification, and Access Analyzer operations
- AWS IAM Access Analyzer enabled in the account
- CloudTrail data events enabled for Lambda to capture actual API usage
- Existing Lambda functions to audit and scope permissions for
- Understanding of each function's required AWS service interactions
## Workflow
### Step 1: Audit Current Lambda Execution Role Permissions
Enumerate all Lambda functions and their associated IAM roles to identify over-privileged functions.
```bash
# List all Lambda functions with their execution roles
aws lambda list-functions \
--query 'Functions[*].[FunctionName,Role]' --output table
# For each function, analyze attached policies
for func in $(aws lambda list-functions --query 'Functions[*].FunctionName' --output text); do
role_arn=$(aws lambda get-function-configuration --function-name "$func" --query 'Role' --output text)
role_name=$(echo "$role_arn" | awk -F'/' '{print $NF}')
echo "=== $func -> $role_name ==="
# Check for AWS managed policies (often too broad)
aws iam list-attached-role-policies --role-name "$role_name" \
--query 'AttachedPolicies[*].[PolicyName,PolicyArn]' --output table
# Check inline policies
for policy in $(aws iam list-role-policies --role-name "$role_name" --query 'PolicyNames' --output text); do
echo " Inline: $policy"
aws iam get-role-policy --role-name "$role_name" --policy-name "$policy" \
--query 'PolicyDocument' --output json
done
done
```
### Step 2: Analyze Actual API Usage with CloudTrail
Use CloudTrail and IAM Access Analyzer to determine which API actions the function actually uses.
```bash
# Query CloudTrail for actual API calls made by a Lambda execution role
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=Username,AttributeValue=LAMBDA_ROLE_NAME \
--start-time 2026-01-23T00:00:00Z \
--end-time 2026-02-23T00:00:00Z \
--query 'Events[*].[EventTime,EventName,EventSource]' \
--output table | sort -k2 | uniq -f1
# Use IAM Access Analyzer policy generation (based on CloudTrail activity)
aws accessanalyzer start-policy-generation \
--policy-generation-details '{
"principalArn": "arn:aws:iam::ACCOUNT:role/lambda-execution-role",
"cloudTrailDetails": {
"trailArn": "arn:aws:cloudtrail:us-east-1:ACCOUNT:trail/management-trail",
"startTime": "2026-01-23T00:00:00Z",
"endTime": "2026-02-23T00:00:00Z"
}
}'
# Check the generated policy
aws accessanalyzer get-generated-policy \
--job-id JOB_ID \
--query 'generatedPolicyResult.generatedPolicies[*].policy'
```
### Step 3: Create Least-Privilege Execution Policies
Build scoped IAM policies that grant only the specific actions and resources each function needs.
```bash
# Example: Scoped policy for a function that reads from S3 and writes to DynamoDB
cat > lambda-scoped-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadInputBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::input-data-bucket",
"arn:aws:s3:::input-data-bucket/*"
]
},
{
"Sid": "WriteDynamoDB",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:BatchWriteItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:ACCOUNT:table/results-table"
},
{
"Sid": "CloudWatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:ACCOUNT:log-group:/aws/lambda/my-function:*"
}
]
}
EOF
# Create the policy
aws iam create-policy \
--policy-name lambda-my-function-policy \
--policy-document file://lambda-scoped-policy.json
# Create execution role with scoped trust policy
cat > lambda-trust-policy.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"Service": "lambda.amazonaws.com"},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "ACCOUNT_ID"
}
}
}]
}
EOF
aws iam create-role \
--role-name lambda-my-function-role \
--assume-role-policy-document file://lambda-trust-policy.json
aws iam attach-role-policy \
--role-name lambda-my-function-role \
--policy-arn arn:aws:iam::ACCOUNT:policy/lambda-my-function-policy
```
### Step 4: Apply Permission Boundaries
Implement permission boundaries to set maximum permissions for Lambda execution roles.
```bash
# Create a permission boundary that caps Lambda role capabilities
cat > lambda-permission-boundary.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowedServices",
"Effect": "Allow",
"Action": [
"s3:GetObject", "s3:PutObject", "s3:ListBucket",
"dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem",
"sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage",
"sns:Publish",
"secretsmanager:GetSecretValue",
"kms:Decrypt", "kms:GenerateDataKey",
"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
"xray:PutTraceSegments", "xray:PutTelemetryRecords"
],
"Resource": "*"
},
{
"Sid": "DenyPrivilegeEscalation",
"Effect": "Deny",
"Action": [
"iam:CreateUser", "iam:CreateRole", "iam:CreatePolicy",
"iam:AttachRolePolicy", "iam:AttachUserPolicy",
"iam:PutRolePolicy", "iam:PutUserPolicy",
"iam:CreateAccessKey", "iam:PassRole",
"lambda:CreateFunction", "lambda:UpdateFunctionConfiguration",
"sts:AssumeRole"
],
"Resource": "*"
}
]
}
EOF
# Create and apply the boundary
aws iam create-policy \
--policy-name lambda-permission-boundary \
--policy-document file://lambda-permission-boundary.json
aws iam put-role-permissions-boundary \
--role-name lambda-my-function-role \
--permissions-boundary arn:aws:iam::ACCOUNT:policy/lambda-permission-boundary
```
### Step 5: Validate Policies with IAM Access Analyzer
Use Access Analyzer to validate policies for security best practices.
```bash
# Validate the scoped policy
aws accessanalyzer validate-policy \
--policy-document file://lambda-scoped-policy.json \
--policy-type IDENTITY_POLICY \
--query 'findings[*].[findingType,issueCode,learnMoreLink]' --output table
# Check for unused access
aws accessanalyzer check-no-new-access \
--new-policy-document file://lambda-scoped-policy.json \
--existing-policy-document file://old-broad-policy.json \
--policy-type IDENTITY_POLICY
# Verify the permission boundary effectiveness
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::ACCOUNT:role/lambda-my-function-role \
--action-names iam:CreateUser iam:PassRole s3:GetObject dynamodb:PutItem \
--query 'EvaluationResults[*].[EvalActionName,EvalDecision]' --output table
```
### Step 6: Enforce Role Standards with SCPs
Apply Service Control Policies to prevent Lambda functions from using overly broad roles.
```bash
# SCP to deny Lambda functions using AdministratorAccess
cat > scp-deny-lambda-admin.json << 'EOF'
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyLambdaAdminRole",
"Effect": "Deny",
"Action": "lambda:CreateFunction",
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"lambda:FunctionArn": "*"
},
"ArnLike": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Sid": "RequirePermissionBoundary",
"Effect": "Deny",
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::*:role/lambda-*",
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::*:policy/lambda-permission-boundary"
}
}
}]
}
EOF
aws organizations create-policy \
--name "lambda-role-guardrails" \
--type SERVICE_CONTROL_POLICY \
--content file://scp-deny-lambda-admin.json
```
## Key Concepts
| Term | Definition |
|------|------------|
| Execution Role | IAM role assumed by Lambda during function execution that defines all AWS API actions the function can perform |
| Least Privilege | Security principle of granting only the minimum permissions required for a function to perform its intended operations |
| Permission Boundary | IAM policy that sets the maximum permissions an execution role can have, even if identity policies grant broader access |
| IAM Access Analyzer | AWS service that generates least-privilege policies based on actual CloudTrail usage and validates policies for security issues |
| Resource-Scoped Policy | IAM policy that specifies exact resource ARNs rather than wildcards, limiting access to only the specific resources needed |
| Confused Deputy Prevention | Adding `aws:SourceAccount` or `aws:SourceArn` conditions to trust policies to prevent cross-account role assumption attacks |
## Tools & Systems
- **IAM Access Analyzer**: Generates least-privilege policies from CloudTrail data and validates policy security
- **IAM Policy Simulator**: Tests effective permissions for a role against specific API actions before deployment
- **CloudTrail**: Audit log of all API calls used to determine actual function permission usage
- **Prowler**: Security tool with Lambda-specific checks for role permissions and configuration
- **Checkov**: Infrastructure-as-code scanner that validates Lambda IAM policies in CloudFormation/Terraform
## Common Scenarios
### Scenario: Reducing a Lambda Function from AdministratorAccess to Least Privilege
**Context**: A security audit finds 12 Lambda functions using a shared execution role with `AdministratorAccess`. The team needs to scope each function to minimum required permissions without breaking production.
**Approach**:
1. Enable CloudTrail data events for Lambda to capture actual API usage per function
2. Wait 30 days to collect a representative sample of API calls
3. Use IAM Access Analyzer policy generation for each function's role usage
4. Create individual scoped policies for each function based on actual API usage
5. Apply permission boundaries to cap maximum permissions
6. Deploy scoped roles to staging and run integration tests
7. Roll out to production with canary deployment and rollback plan
8. Validate with IAM Policy Simulator before removing the old broad role
**Pitfalls**: Some Lambda functions may have infrequent code paths that only trigger monthly (batch jobs, error handlers). A 30-day observation window may miss rare API calls. Review the function code alongside CloudTrail data to identify all potential API calls. Use Access Analyzer's policy validation rather than relying solely on generated policies.
## Output Format
```
Lambda Execution Role Security Report
========================================
Account: 123456789012
Review Date: 2026-02-23
Functions Audited: 34
ROLE PERMISSION SUMMARY:
Functions with AdministratorAccess: 3 (CRITICAL)
Functions with PowerUserAccess: 5 (HIGH)
Functions with wildcard actions: 12 (MEDIUM)
Functions with scoped policies: 14 (OK)
REMEDIATION PROGRESS:
[x] payment-processor: Scoped to DynamoDB + S3 + KMS (3 actions)
[x] order-notification: Scoped to SNS + SES (2 actions)
[ ] data-pipeline: Generating policy from 30-day CloudTrail data
[ ] image-resizer: Awaiting staging validation
PERMISSION BOUNDARY STATUS:
Functions with boundary applied: 14 / 34
Functions without boundary: 20 / 34
POLICY VALIDATION RESULTS:
Policies with security warnings: 4
Policies with errors: 0
Policies with suggestions: 12
```Related Skills
securing-serverless-functions
This skill covers security hardening for serverless compute platforms including AWS Lambda, Azure Functions, and Google Cloud Functions. It addresses least privilege IAM roles, dependency vulnerability scanning, secrets management integration, input validation, function URL authentication, and runtime monitoring to protect against injection attacks, credential theft, and supply chain compromises.
securing-remote-access-to-ot-environment
This skill covers implementing secure remote access to OT/ICS environments for operators, engineers, and vendors while preventing unauthorized access that could compromise industrial operations. It addresses jump server architecture, multi-factor authentication, session recording, privileged access management, vendor remote access controls, and compliance with IEC 62443 and NERC CIP-005 remote access requirements.
securing-kubernetes-on-cloud
This skill covers hardening managed Kubernetes clusters on EKS, AKS, and GKE by implementing Pod Security Standards, network policies, workload identity, RBAC scoping, image admission controls, and runtime security monitoring. It addresses cloud-specific security features including IRSA for EKS, Workload Identity for GKE, and Managed Identities for AKS.
securing-historian-server-in-ot-environment
This skill covers hardening and securing process historian servers (OSIsoft PI, Honeywell PHD, GE Proficy, AVEVA Historian) in OT environments. It addresses network placement across Purdue levels, access control for historian interfaces, data replication through DMZ using data diodes or PI-to-PI connectors, SQL injection prevention in historian queries, and integrity protection of process data used for safety analysis, regulatory reporting, and process optimization.
securing-helm-chart-deployments
Secure Helm chart deployments by validating chart integrity, scanning templates for misconfigurations, and enforcing security contexts in Kubernetes releases.
securing-github-actions-workflows
This skill covers hardening GitHub Actions workflows against supply chain attacks, credential theft, and privilege escalation. It addresses pinning actions to SHA digests, minimizing GITHUB_TOKEN permissions, protecting secrets from exfiltration, preventing script injection in workflow expressions, and implementing required reviewers for workflow changes.
securing-container-registry-with-harbor
Harbor is an open-source container registry that provides security features including vulnerability scanning (integrated Trivy), image signing (Notary/Cosign), RBAC, content trust policies, replicatio
securing-container-registry-images
Securing container registry images by implementing vulnerability scanning with Trivy and Grype, enforcing image signing with Cosign and Sigstore, configuring registry access controls, and building CI/CD pipelines that prevent deploying unscanned or unsigned images.
securing-azure-with-microsoft-defender
This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender portal for centralized threat management.
securing-aws-iam-permissions
This skill guides practitioners through hardening AWS Identity and Access Management configurations to enforce least privilege access across cloud accounts. It covers IAM policy scoping, permission boundaries, Access Analyzer integration, and credential rotation strategies to reduce the blast radius of compromised identities.
securing-api-gateway-with-aws-waf
Securing API Gateway endpoints with AWS WAF by configuring managed rule groups for OWASP Top 10 protection, creating custom rate limiting rules, implementing bot control, setting up IP reputation filtering, and monitoring WAF metrics for security effectiveness.
implementing-container-image-minimal-base-with-distroless
Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.