Certified Security - Specialty


Is the “Function Policy” the same as a “Resource-based policy”?

Is the "Function Policy" as shown in the lab the old version of what is now called a "Resource-based policy"?

In researching the documentation, I am >90% sure it is; however, I haven't seen it called out specifically anywhere.

https://docs.aws.amazon.com/lambda/latest/dg/lambda-permissions.html

2 Answers

My console (May 10, 2020) is also showing a different version of lambda designer from the recording.

https://docs.aws.amazon.com/lambda/latest/dg/access-control-identity-based.html

Function policy is more for the upstream Lambda trigger (meaning who can fire this lambda), while resource-based policy is more for downstream lambda action (meaning which resources this lambda can act on).

====================================================================================

Just found the explanation to one of the chapter end questions:

The Function Policy defines which AWS resources are allowed to invoke a Lambda function. The Execution Role defines which resources your Lambda function has access to.

Further information:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html

https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Hi Tyler,

Based on my understanding, I would say you are right.

"Function Policy" and "Resource-based policy" are the same. Both are used in various AWS docs to define what (service) can call the Lambda function. I found a reference to both terms here: https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html

"[…] This action adds a statement to a resource-based permissions policy for the function. For more information about function policies, see Lambda Function Policies [link to https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html]. […]"

Personally, I would prefer "resource-based" policy and would avoid calling it "Function Policy", though, because it might be confusing and misleading.
For similar policies of other services, AWS uses the term "resource-based" policies, too. For example, an S3 "bucket policy is a resource-based […] policy" (see: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html).

What is different, though, is the "Execution policy". This policy, associated with an execution role, defines what the Lambda function can access: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html

Kind regards,

Rene
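Both answers draw the same line: the function (resource-based) policy says who may invoke the function, the execution role says what the function's code may call. The following Python is an added illustration, not code from the thread or from AWS: it builds the statement shape that `aws lambda add-permission --principal <service> --source-arn ...` appends, places it next to a constructed execution-role policy, and runs a deliberately simplified IAM evaluator (explicit Deny, then Allow, else implicit deny; only StringEquals and ArnLike conditions) over both. The account id, bucket names, function ARN and the `add_permission`, `can_invoke` and `function_may` helpers are all constructed for this example.

```python
"""Added example: Lambda resource-based (function) policy vs execution role.
All ARNs, names and the account id are constructed placeholders."""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account id
FUNCTION_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:process-upload"  # placeholder

# Resource-based (function) policy: answers "who may invoke this function?"
FUNCTION_POLICY = {"Version": "2012-10-17", "Statement": []}

# Execution-role permissions policy: answers "what may the function's code call?"
# Note there is no Principal element: the role itself is the identity.
EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::uploads-bucket/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:*"},
    ],
}


def add_permission(policy, sid, service, source_arn, source_account):
    """Mimic the statement `aws lambda add-permission` appends for a service
    principal. The SourceArn/SourceAccount conditions pin the grant to one
    event source in one account (the confused-deputy guard)."""
    policy["Statement"].append({
        "Sid": sid,
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "ArnLike": {"AWS:SourceArn": source_arn},
            "StringEquals": {"AWS:SourceAccount": source_account},
        },
    })
    return policy


add_permission(FUNCTION_POLICY, "AllowUploadsBucket", "s3.amazonaws.com",
               "arn:aws:s3:::uploads-bucket", ACCOUNT)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' one character (simplified).
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(stmt_principal, principal):
    if stmt_principal == "*":
        return True
    ptype, pvalue = principal
    allowed = _as_list((stmt_principal or {}).get(ptype, []))
    return pvalue in allowed or "*" in allowed


def _conditions_hold(conditions, ctx):
    for operator, pairs in (conditions or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "ArnLike" and not _matches(expected, actual):
                return False
    return True


def evaluate(policy, action, resource, ctx=None, principal=None):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. `principal` is checked only for resource-based
    policies; identity (execution-role) policies carry no Principal."""
    decision = "implicit-deny"
    for st in policy["Statement"]:
        if principal is not None and not _principal_matches(st.get("Principal"), principal):
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition"), ctx or {}):
            continue
        if st["Effect"] == "Deny":
            return "explicit-deny"
        decision = "allow"
    return decision


def can_invoke(service, source_arn, source_account=ACCOUNT):
    """Function-policy question: may this event source invoke the function?"""
    ctx = {"AWS:SourceArn": source_arn, "AWS:SourceAccount": source_account}
    return evaluate(FUNCTION_POLICY, "lambda:InvokeFunction", FUNCTION_ARN,
                    ctx, ("Service", service))


def function_may(action, resource):
    """Execution-role question: may the function's code make this API call?"""
    return evaluate(EXECUTION_POLICY, action, resource)
```

Running `can_invoke("s3.amazonaws.com", "arn:aws:s3:::uploads-bucket")` yields `allow`, while the same service with another bucket ARN or another account id is implicitly denied; `function_may("s3:GetObject", "arn:aws:s3:::uploads-bucket/a.csv")` is allowed but `s3:DeleteObject` is not. The two checks never consult each other's policy, which is the whole point of the distinction the answers make.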
