AWS Lambda

2024/09/17 - AWS Lambda - 5 new api methods

Changes: Support for JSON resource-based policies and block public access

PutResourcePolicy (new)

Adds a resource-based policy to a function. You can use resource-based policies to grant access to other Amazon Web Services accounts, organizations, or services. Resource-based policies apply to a single function, version, or alias.

Warning

Adding a resource-based policy using this API action replaces any existing policy you've previously created. This means that if you've previously added resource-based permissions to a function using the AddPermission action, those permissions will be overwritten by your new policy.

See also: AWS API Documentation

Request Syntax

client.put_resource_policy(
    ResourceArn='string',
    Policy='string',
    RevisionId='string'
)

type ResourceArn

string

param ResourceArn

[REQUIRED]

The Amazon Resource Name (ARN) of the function you want to add the policy to. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.

type Policy

string

param Policy

[REQUIRED]

The JSON resource-based policy you want to add to your function.

To learn more about creating resource-based policies for controlling access to Lambda, see Working with resource-based IAM policies in Lambda in the Lambda Developer Guide.

type RevisionId

string

param RevisionId

Replace the existing policy only if its revision ID matches the string you specify. To find the revision ID of the policy currently attached to your function, use the GetResourcePolicy action.

rtype

dict

returns

Response Syntax

{
    'Policy': 'string',
    'RevisionId': 'string'
}

Response Structure

  • (dict) --

    • Policy (string) --

      The policy Lambda added to your function.

    • RevisionId (string) --

      The revision ID of the policy Lambda added to your function.
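Because PutResourcePolicy replaces the whole policy, a safe update reads the current policy, merges the new statement into it, and writes it back pinned to the revision that was read. The following is an added example, not code from the AWS documentation; `client` is assumed to expose the methods with the request and response shapes documented on this page, and `StubLambdaClient`, the error type it raises, the ARN and the policy contents are constructed for illustration.

```python
import json

# Constructed sample values; the account ID and ARN are placeholders.
ARN = "arn:aws:lambda:us-east-1:111122223333:function:example"
EXISTING = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "s3-invoke", "Effect": "Allow", "Action": "lambda:InvokeFunction",
     "Principal": {"Service": "s3.amazonaws.com"}, "Resource": ARN}]})


def merge_statement(policy_json, statement):
    """Return policy JSON with `statement` added, replacing a same-Sid entry."""
    doc = json.loads(policy_json)
    existing = doc.get("Statement", [])
    if isinstance(existing, dict):  # a single statement object is also valid
        existing = [existing]
    sid = statement.get("Sid")
    doc["Statement"] = [s for s in existing
                        if sid is None or s.get("Sid") != sid] + [statement]
    return json.dumps(doc)


def add_statement_safely(client, function_arn, statement):
    """Read-modify-write: keep existing grants and pin the write to the
    revision that was read, so a concurrent change is not silently lost."""
    current = client.get_resource_policy(ResourceArn=function_arn)
    return client.put_resource_policy(
        ResourceArn=function_arn,
        Policy=merge_statement(current["Policy"], statement),
        RevisionId=current["RevisionId"],
    )


class StubLambdaClient:
    """Constructed in-memory stand-in using the shapes documented above."""

    def __init__(self, policy, revision=1):
        self.policy, self.revision = policy, revision

    def get_resource_policy(self, ResourceArn):
        return {"Policy": self.policy, "RevisionId": str(self.revision)}

    def put_resource_policy(self, ResourceArn, Policy, RevisionId=None):
        if RevisionId is not None and RevisionId != str(self.revision):
            raise RuntimeError("revision mismatch")  # placeholder error type
        self.policy, self.revision = Policy, self.revision + 1
        return {"Policy": self.policy, "RevisionId": str(self.revision)}
```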

PutPublicAccessBlockConfig (new)

Configure your function's public-access settings.

To control public access to a Lambda function, you can choose whether to allow the creation of resource-based policies that allow public access to that function. You can also block public access to a function, even if it has an existing resource-based policy that allows it.

See also: AWS API Documentation

Request Syntax

client.put_public_access_block_config(
    ResourceArn='string',
    PublicAccessBlockConfig={
        'BlockPublicPolicy': True|False,
        'RestrictPublicResource': True|False
    }
)

type ResourceArn

string

param ResourceArn

[REQUIRED]

The Amazon Resource Name (ARN) of the function you want to configure public-access settings for. Public-access settings are applied at the function level, so you can't apply different settings to function versions or aliases.

type PublicAccessBlockConfig

dict

param PublicAccessBlockConfig

[REQUIRED]

An object defining the public-access settings you want to apply.

To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to true. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to false.

To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource to true. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource to false.

The default setting for both BlockPublicPolicy and RestrictPublicResource is true.

  • BlockPublicPolicy (boolean) --

    To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to true. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to false.

  • RestrictPublicResource (boolean) --

    To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource to true. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource to false.

rtype

dict

returns

Response Syntax

{
    'PublicAccessBlockConfig': {
        'BlockPublicPolicy': True|False,
        'RestrictPublicResource': True|False
    }
}

Response Structure

  • (dict) --

    • PublicAccessBlockConfig (dict) --

      The public-access settings Lambda applied to your function.

      • BlockPublicPolicy (boolean) --

        To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to true. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to false.

      • RestrictPublicResource (boolean) --

        To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource to true. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource to false.
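The two settings act at different points: BlockPublicPolicy governs whether a public policy can be created, and RestrictPublicResource governs whether an existing public grant takes effect. The following added example (not code from the AWS documentation) audits a policy string together with a PublicAccessBlockConfig dict. It assumes a simplified definition of "public" (an Allow statement with a wildcard principal and no Condition), which may differ from how Lambda evaluates it; the sample policy, account ID and ARN are constructed.

```python
import json

# Constructed sample policy; the account ID and ARN are placeholders.
ARN = "arn:aws:lambda:us-east-1:111122223333:function:example"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "open-invoke", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": ARN},
    {"Sid": "acct-invoke", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "lambda:InvokeFunction", "Resource": ARN},
]})


def _is_public_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def public_statements(policy_json):
    """Sids (or '#index') of Allow statements open to any principal.

    Assumption: public = Allow + wildcard principal + no Condition. A statement
    with a Condition is not reported here and needs manual review."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    return [
        s.get("Sid", "#%d" % i)
        for i, s in enumerate(stmts)
        if s.get("Effect") == "Allow"
        and _is_public_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def assess(policy_json, pab=None):
    """Combine a policy with the public-access block settings."""
    # Both settings default to true, as the parameter description states.
    pab = {"BlockPublicPolicy": True, "RestrictPublicResource": True, **(pab or {})}
    public = public_statements(policy_json)
    return {
        "public_statements": public,
        "put_would_be_blocked": bool(public) and pab["BlockPublicPolicy"],
        "publicly_invocable": bool(public) and not pab["RestrictPublicResource"],
    }
```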

GetResourcePolicy (new)

Retrieves the resource-based policy attached to a function.

See also: AWS API Documentation

Request Syntax

client.get_resource_policy(
    ResourceArn='string'
)

type ResourceArn

string

param ResourceArn

[REQUIRED]

The Amazon Resource Name (ARN) of the function you want to retrieve the policy for. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.

rtype

dict

returns

Response Syntax

{
    'Policy': 'string',
    'RevisionId': 'string'
}

Response Structure

  • (dict) --

    • Policy (string) --

      The resource-based policy attached to the function you specified.

    • RevisionId (string) --

      The revision ID of the policy.

DeleteResourcePolicy (new)

Deletes a resource-based policy from a function.

See also: AWS API Documentation

Request Syntax

client.delete_resource_policy(
    ResourceArn='string',
    RevisionId='string'
)

type ResourceArn

string

param ResourceArn

[REQUIRED]

The Amazon Resource Name (ARN) of the function you want to delete the policy from. You can use either a qualified or an unqualified ARN, but the value you specify must be a complete ARN and wildcard characters are not accepted.

type RevisionId

string

param RevisionId

Delete the existing policy only if its revision ID matches the string you specify. To find the revision ID of the policy currently attached to your function, use the GetResourcePolicy action.

returns

None

GetPublicAccessBlockConfig (new)

Retrieve the public-access settings for a function.

See also: AWS API Documentation

Request Syntax

client.get_public_access_block_config(
    ResourceArn='string'
)

type ResourceArn

string

param ResourceArn

[REQUIRED]

The Amazon Resource Name (ARN) of the function you want to retrieve public-access settings for.

rtype

dict

returns

Response Syntax

{
    'PublicAccessBlockConfig': {
        'BlockPublicPolicy': True|False,
        'RestrictPublicResource': True|False
    }
}

Response Structure

  • (dict) --

    • PublicAccessBlockConfig (dict) --

      The public-access settings configured for the function you specified.

      • BlockPublicPolicy (boolean) --

        To block the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to true. To allow the creation of resource-based policies that would grant public access to your function, set BlockPublicPolicy to false.

      • RestrictPublicResource (boolean) --

        To block public access to your function, even if its resource-based policy allows it, set RestrictPublicResource to true. To allow public access to a function with a resource-based policy that permits it, set RestrictPublicResource to false.