Ref: https://learn.cantrill.io/courses/1820301/lectures/41301392 and https://learn.cantrill.io/courses/1820301/lectures/41301393

• Summary:
• Contents:

AWS Lambda - Security

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/1600-SERVERLESS_and_APPLICATION_SERVICES/00_LEARNINGAIDS/Lambda-5.png

1. Lambda execution role
   • 🔧 IAM role assumed by Lambda function
   • Role's trust policy trusts Lambda
   • Role's permission policy grants/denies permissions to function
     • e.g. permissions to load data from DDB and store it in S3
2. Lambda resource policy
   • 🔧 Resource policy → controls which Principals can INVOKE lambda function
   • Can allow certain services (e.g. SNS, S3) or external accounts to invoke function

AWS Lambda - Monitoring

• Logs from function executions registered in CWLogs
  • ‼️ Lambda needs permissions via execution role to access CWLogs!!
    • if CWLogs doesn't contain Lambda logs, probably you forgot to give that permission
• Metrics (invocation success/failure, retries, latency…) stored in CW
  • Stored by default, no permission configuration needed
• Lambda can be integrated with AWS X-Ray for distributed tracing
  • e.g. trace the path of a user/session through a serverless app

AWS Lambda - Versioning and Aliases

• Versioning is supported for Lambda functions → v1, v2, v3…
  • Version includes code + config
• ❗ Versions are immutable → never change once published, each version has its own ARN
• Aliases (e.g. DEV, STAGE, PROD) point to a version
  • Can be updated to point to a different version
  • $Latest → built-in alias that points to latest version (automatically updated every time you create a new version)