AWS lambda documentation change
Summary
Updated documentation about configuring Lambda execution roles in the console, including steps to create/select roles directly in Lambda interface rather than IAM console. Added UI-specific instructions like 'Create default role' and 'Use another role' options.
Security assessment
The changes emphasize using AWS-managed policies and proper role configuration, promoting security best practices like least-privilege permissions. However, there is no evidence of addressing a specific security vulnerability - this is a procedural documentation update about role management workflows.
Diff
diff --git a/lambda/latest/dg/lambda-intro-execution-role.md b/lambda/latest/dg/lambda-intro-execution-role.md index 1345459e1..c5db03f36 100644 --- a//lambda/latest/dg/lambda-intro-execution-role.md +++ b//lambda/latest/dg/lambda-intro-execution-role.md @@ -34 +34 @@ In order for Lambda to properly assume your execution role, the role's trust pol -By default, Lambda creates an execution role with minimal permissions when you [create a function in the Lambda console](./getting-started.html#getting-started-create-function). Specifically, this execution role includes the [`AWSLambdaBasicExecutionRole` managed policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html), which gives your function basic permissions to log events to Amazon CloudWatch Logs. +By default, Lambda creates an execution role with minimal permissions when you [create a function in the Lambda console](./getting-started.html#getting-started-create-function). Specifically, this execution role includes the [`AWSLambdaBasicExecutionRole` managed policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaBasicExecutionRole.html), which gives your function basic permissions to log events to Amazon CloudWatch Logs. You can select **Create default role** in the **Permissions** section. @@ -36 +36 @@ By default, Lambda creates an execution role with minimal permissions when you [ -Your functions typically need additional permissions to perform more meaningful tasks. For example, you might have a Lambda function that responds to an event by updating entries in an Amazon DynamoDB database. You can create an execution role with the necessary permissions using the IAM console. +You can choose an existing role by selecting **Use another role** in the **Permissions** section. If your Lambda function needs additional permissions to perform tasks such as updating entries in an Amazon DynamoDB database in response to events, you can create a custom execution role with the necessary permissions. To do this, select **Use another role** in the **Permissions** section, which opens a drawer where you can customize your permissions. @@ -38 +38 @@ Your functions typically need additional permissions to perform more meaningful -###### To create an execution role in the IAM console +###### To configure an execution role from Console @@ -40 +40 @@ Your functions typically need additional permissions to perform more meaningful - 1. Open the [Roles page](https://console.aws.amazon.com/iam/home#/roles) in the IAM console. + 1. Enter a **role name** in the Role details section. @@ -42 +42 @@ Your functions typically need additional permissions to perform more meaningful - 2. Choose **Create role**. + 2. In the **Policy** section, select **Use existing policy**. @@ -44 +44 @@ Your functions typically need additional permissions to perform more meaningful - 3. Under **Trusted entity type** , choose **AWS service**. + 3. Select the AWS managed policies that you want to attach to your role. For example, if your function needs to access DynamoDB, select the **AWSLambdaDynamoDBExecutionRole** managed policy. @@ -46 +46 @@ Your functions typically need additional permissions to perform more meaningful - 4. Under **Use case** , choose **Lambda**. + 4. Choose **Create role**. @@ -48 +47,0 @@ Your functions typically need additional permissions to perform more meaningful - 5. Choose **Next**. @@ -50 +48,0 @@ Your functions typically need additional permissions to perform more meaningful - 6. Select the AWS managed policies that you want to attach to your role. For example, if your function needs to access DynamoDB, select the **AWSLambdaDynamoDBExecutionRole** managed policy. @@ -52 +49,0 @@ Your functions typically need additional permissions to perform more meaningful - 7. Choose **Next**. @@ -54,8 +51 @@ Your functions typically need additional permissions to perform more meaningful - 8. Enter a **Role name** and then choose **Create role**. - - - - -For detailed instructions, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the _IAM User Guide_. - -After you create your execution role, attach it to your function. When you [create a function in the Lambda console](./getting-started.html#getting-started-create-function), you can attach any execution role that you previously created to the function. If you want to attach a new execution role to an existing function, follow the steps in [Updating a function's execution role](./permissions-executionrole-update.html#update-execution-role). +Alternatively, when you [create a function in the Lambda console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html#getting-started-create-function), you can attach any execution role that you previously created to the function. If you want to attach a new execution role to an existing function, follow the steps in [Updating a function's execution role](./permissions-executionrole-update.html).