securing-aws-lambda-execution-roles

# Securing AWS Lambda Execution Roles ## When to Use - When deploying new Lambda functions and defining their IAM execution roles - When remediating overly permissive Lambda roles discovered during security audits - When implementing least-privilege access patterns for serverless architectures - When building reusable IAM templates for Lambda functions across teams - When Security Hub or Prowler reports Lambda functions with excessive permissions **Do not use** for securing Lambda function invocation (use resource-based policies and API Gateway authorizers), for Lambda code security (use SAST tools), or for Lambda network security (use VPC configuration and security groups). ## Prerequisites - IAM permissions for policy creation, role modification, and Access Analyzer operations - AWS IAM Access Analyzer enabled in the account - CloudTrail data events enabled for Lambda to capture actual API usage - Existing Lambda functions to audit and scope permissions for - Understanding of each function's required AWS service interactions ## Workflow ### Step 1: Audit Current Lambda Execution Role Permissions Enumerate all Lambda functions and their associated IAM roles to identify over-privileged functions. ```bash # List all Lambda functions with their execution roles aws lambda list-functions \ --query 'Functions[*].[FunctionName,Role]' --output table # For each function, analyze attached policies for func in $(aws lambda list-functions --query 'Functions[*].FunctionName' ...