Enforce separate IAM roles for each Lambda function
provider "aws" {
region = "us-west-2"
}
resource "aws_iam_role" "iam_for_lambda" {
name = "iam_for_lambda"
assume_role_policy = <
In the above Terraform code, we have defined an AWS IAM role
iam_for_lambda and two AWS Lambda functions
lambda_function1 and
lambda_function2. Both of these Lambda functions are using the same IAM role
iam_for_lambda for execution.
The issue here is that if we need to add any specific permission to
lambda_function1, we would add it to the IAM role
iam_for_lambda. However, since
lambda_function2 is also using the same IAM role, it will also get the same permissions. This can lead to unnecessary access and potential security risks.
The best practice is to have separate IAM roles for each Lambda function. This way, we can manage the permissions for each function separately, reducing the risk of unnecessary access.
provider "aws" {
region = "us-west-2"
}
resource "aws_iam_role" "iam_for_lambda1" {
name = "iam_for_lambda1"
assume_role_policy = <
The updated code creates a separate IAM role for each Lambda function. This is done by defining two
aws_iam_role resource blocks, each with a unique name (
iam_for_lambda1 and
iam_for_lambda2).
The
aws_lambda_function resource blocks are then updated to use the respective IAM role ARNs for each Lambda function. This is done by setting the
role attribute to the ARN of the respective IAM role (
aws_iam_role.iam_for_lambda1.arn for
lambda_function1 and
aws_iam_role.iam_for_lambda2.arn for
lambda_function2).
This approach ensures that each Lambda function has its own dedicated IAM role, allowing for more granular control over permissions. This mitigates the risk of permissions being unintentionally shared across multiple functions, enhancing the security of the infrastructure.