"Lambda Security Notification" from AWS involving IAM policies – need help determining action for serverless framework

We use the serverless framework and a week or two ago we received the message below from AWS. I haven’t seen any discussion about this anywhere, which is puzzling because it seems like it’s a policy change that would affect more than a few people. The instructions are fairly clear but since this stuff is managed through the serverless framework I’d assume there’s either some update that must be made to the framework or something we need to change on our end in config. Has anyone else received this message, or otherwise know what action is best here?

Message from AWS:

Hello,

You are receiving this email because AWS Lambda is making a change to the IAM policy evaluation when accessing Lambda function APIs, and we identified that your account will be impacted by this change.

We would like to offer some background about usage of Lambda function APIs. A Lambda function may include versions [1] and aliases [2] which are sub-resources of a function. You can operate on versions and aliases using the Lambda function APIs in one of two ways:

(1) You can either append the version number or alias name as a suffix to the function ARN. We will refer to this as a “qualified” Amazon Resource Name (ARN); or

(2) You can specify only the function ARN (we refer to this as an “unqualified” ARN), and add a separate “qualifier” parameter in the API command. For example, a function “helloworld” with version “42” can be passed into API request using the function ARN as arn:aws:lambda:aws-region:acct-id:function:helloworld:42 or arn:aws:lambda:aws-region:acct-id:function:helloworld, Qualifier=42. These call types are equivalent.

Currently, you can restrict the scope of a user’s permissions to the Lambda function APIs by using an unqualified ARN in the Resource element of your IAM or VPC endpoint policy. Previously, when used in this way, Lambda interpreted such permissions in one of two ways depending on the API usage. Either by granting permission to requests to the function only, or granting permissions to requests to the function and all of its sub-resources. For example, when using IAM or VPC endpoint policy with resource element as unqualified ARN, arn:aws:lambda:aws-region:acct-id:function:helloworld, API Request(s) with qualified ARN as arn:aws:lambda:aws-region:acct-id:function:helloworld:42 is denied and the request using arn:aws:lambda:aws-region:acct-id:function:helloworld, Qualifier=42 is allowed. We received customer feedback that this dual interpretation was not always intuitive. To address this feedback and increase the consistency of the Lambda function APIs authorization, starting January 24, 2022, Lambda requires IAM or VPC endpoint policies to specify the fully qualified ARN in the Resource element when authorizing API calls that use an unqualified ARN with a qualifier parameter.

We identified that your AWS account calls AWS Lambda APIs using the unqualified ARN with a qualifier parameter while the associated permissions for the user who makes these API calls use the unqualified ARN in the policy's Resource element. To continue making these API calls successfully, you need to append the version number, alias name to the unqualified function ARN in your policy's Resource element. To allow access to all the sub-resources of a function, append ":" and "*" to the unqualified function ARN and to allow access to both function (unqualified ARN) and all sub-resources of a function, append "*" to the unqualified function ARN. Additionally, you need to ensure the updated policies are used by the IAM users/roles that make the Lambda API calls. Please find the following instructions on how to make this change.

This change will begin on April 30, 2022, to give you ample time to update your IAM policies or permissions attached to the users and roles that call Lambda APIs before that. We have also provided a list of your affected resources in the US-EAST-1 Region at the end of this message to make it easier to locate and update them. If you do not take this action by April 30, 2022, Lambda API calls will fail with permission errors.

Steps to update your IAM policies:

  1. The list of affected function ARN, region, qualifier value used in the qualifier parameter, Lambda API name are provided to you in format “API operation | function excluding qualifier | qualifier”.

  2. Starting at the IAM Console, go to Policies.

  3. Look for policies that match Resource field as function ARN. For example, If the function ARN is arn:aws:lambda:aws-region:acct-id:function:my-function, find policies where Resource field contains “function:my-function”.

  4. For the matching policies, Click on the “Edit Policy” button and select JSON.

  5. Change the Resource field from “Resource”: [“arn:aws:lambda:aws-region:acct-id:function:my-function” ] to “Resource”: [“arn:aws:lambda:aws-region:acct-id:function:my-function:stage”] to authorize access to a function alias (in this example “stage” is the name of the alias).

  6. Alternatively, change the Resource field to “Resource”: [“arn:aws:lambda:aws-region:acct-id:function:my-function:1”] to authorize access to a specific function version (in this example “1” is the version number).

  7. To allow access to all sub-resources of a function, append ":" and "*" to function name by changing the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:function:my-function:*"].

  8. To allow access to function (unqualified ARN) and its sub-resources, append "*" to function name by changing the Resource field to "Resource": ["arn:aws:lambda:aws-region:acct-id:myFunction*"].

  9. Click Review Policy and Save.

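To make the policy change in the notice concrete, here is an added example (not code from the original post, from AWS, or from the Serverless Framework) that models the authorization rule the email describes: a request made with an unqualified ARN plus a Qualifier parameter is now checked against the qualified ARN, so a Resource element naming only the unqualified ARN stops matching. It also turns the "API operation | function excluding qualifier | qualifier" list format the notice mentions into the Resource entries a policy needs. The account ID, function name, qualifiers and the affected-list lines are constructed for the example; the matcher treats "*" as the IAM wildcard and ignores everything except the Resource element.

```python
"""Model of the Lambda IAM Resource-ARN change described in the AWS notice.

Added example: not code from the original post, AWS or the Serverless Framework.
Simplifications: only the Resource element is evaluated, '*' is the IAM wildcard,
and the 'legacy' mode reproduces only the old behaviour the notice describes
(unqualified ARN + Qualifier parameter authorized against the unqualified ARN).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values (not from the notice); replace with your own ARNs.
ACCOUNT_FN = "arn:aws:lambda:us-east-1:123456789012:function:helloworld"

# Constructed lines in the "API operation | function excluding qualifier | qualifier"
# format the email says the affected-resource list uses.
AFFECTED = """\
lambda:InvokeFunction | arn:aws:lambda:us-east-1:123456789012:function:helloworld | 42
lambda:GetFunction    | arn:aws:lambda:us-east-1:123456789012:function:helloworld | prod
"""


def arn_matches(pattern: str, arn: str) -> bool:
    """IAM-style match: '*' matches any run of characters, everything else is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


@dataclass(frozen=True)
class LambdaRequest:
    function_arn: str                  # ARN passed in the API call (may already be qualified)
    qualifier: Optional[str] = None    # separate Qualifier parameter, if any

    def effective_arn(self) -> str:
        """ARN Lambda authorizes against after the change: the qualifier is folded in."""
        if self.qualifier is None:
            return self.function_arn
        return f"{self.function_arn}:{self.qualifier}"


def is_allowed(resources: List[str], request: LambdaRequest, legacy: bool = False) -> bool:
    """True if any Resource entry matches the ARN Lambda evaluates for this request.

    legacy=True: match the ARN as passed, ignoring the Qualifier parameter (old behaviour).
    legacy=False: match the qualified ARN (behaviour the notice announces).
    """
    target = request.function_arn if legacy else request.effective_arn()
    return any(arn_matches(r, target) for r in resources)


def required_resources(affected_lines: List[str]) -> List[str]:
    """Qualified ARNs a policy must now list, derived from the notice's affected list."""
    needed = set()
    for line in affected_lines:
        if not line.strip():
            continue
        _operation, function_arn, qualifier = (p.strip() for p in line.split("|"))
        needed.add(f"{function_arn}:{qualifier}")
    return sorted(needed)


def demo() -> dict:
    """Before/after outcomes for the case the notice describes, plus the wildcard forms."""
    fn = ACCOUNT_FN
    unqualified_policy = [fn]                       # the policy the notice says will break
    req = LambdaRequest(fn, qualifier="42")         # unqualified ARN + Qualifier=42
    fixed_policy = unqualified_policy + required_resources(AFFECTED.splitlines())
    return {
        "legacy_allowed": is_allowed(unqualified_policy, req, legacy=True),
        "new_allowed": is_allowed(unqualified_policy, req),
        "fixed_allowed": is_allowed(fixed_policy, req),
        # "function:name:*" covers versions/aliases but not the unqualified ARN itself
        "colon_star_unqualified": is_allowed([fn + ":*"], LambdaRequest(fn)),
        "colon_star_qualified": is_allowed([fn + ":*"], req),
        # "function:name*" covers both, but also any other function whose name starts
        # with "helloworld", which is a broader grant than the notice's wording suggests
        "trailing_star_unqualified": is_allowed([fn + "*"], LambdaRequest(fn)),
        "trailing_star_overmatch": is_allowed([fn + "*"], LambdaRequest(fn + "-internal")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("resources to add:", required_resources(AFFECTED.splitlines()))
```

The last two entries of `demo()` are the check worth keeping in mind when applying step 8: a trailing `*` with no colon matches every function whose name shares the prefix, so for a least-privilege policy listing the unqualified ARN explicitly together with `function:name:*` is tighter than `function:name*`.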

I received something related.
And it has a hard date:

April 30, 2022, Lambda API calls will fail with permission errors.

Do you have a plan to resolve the issue?


Hi guys any updates on this issue?