--- title: Lambda functions without unique IAM roles description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Lambda functions without unique IAM roles --- # Lambda functions without unique IAM roles {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-lambda-functions-without-unique-iam-roles` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html) ### Description{% #description %} Lambda functions must not share the same IAM role because sharing roles expands each function's effective permissions beyond what it needs and increases the blast radius if the role is compromised. This rule inspects `AWS::Lambda::Function` resources and their `Properties.Role`. Each function should reference a distinct IAM role (a unique `AWS::IAM::Role` resource or a unique role ARN). Resources where `Properties.Role` is identical to another function's role will be flagged, including identical ARNs, a `Ref` to the same role resource, or equivalent `Fn::GetAtt` results. To remediate, assign separate IAM role resources per function or narrow policies so roles are not reused across multiple functions. Secure configuration example (each function has its own role): ```yaml Function1Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Function1: Type: AWS::Lambda::Function Properties: FunctionName: function-1 Runtime: python3.11 Role: !GetAtt Function1Role.Arn Handler: index.handler Code: ZipFile: | def handler(event, context): return {} Function2Role: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Function2: Type: AWS::Lambda::Function Properties: FunctionName: function-2 Runtime: python3.11 Role: !GetAtt Function2Role.Arn Handler: index.handler Code: ZipFile: | def handler(event, context): return {} ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Description: Lambda function with cfn-response. Resources: Primer01: Type: AWS::Lambda::Function Properties: Runtime: nodejs12.x Role: arn:aws:iam::123456789012:role/lambda-role Handler: index.handler Code: ZipFile: | var aws = require('aws-sdk') var response = require('cfn-response') exports.handler = function(event, context) { console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) // For Delete requests, immediately send a SUCCESS response. if (event.RequestType == "Delete") { response.send(event, context, "SUCCESS") return } var responseStatus = "FAILED" var responseData = {} var functionName = event.ResourceProperties.FunctionName var lambda = new aws.Lambda() lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { if (err) { responseData = {Error: "Invoke call failed"} console.log(responseData.Error + ":\n", err) } else responseStatus = "SUCCESS" response.send(event, context, responseStatus, responseData) }) } Description: Invoke a function during stack creation. TracingConfig: Mode: Active Primer02: Type: AWS::Lambda::Function Properties: Runtime: nodejs12.x Role: arn:aws:iam::123456789012:role/lambda-ex Handler: index.handler Code: ZipFile: | var aws = require('aws-sdk') var response = require('cfn-response') exports.handler = function(event, context) { console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) // For Delete requests, immediately send a SUCCESS response. if (event.RequestType == "Delete") { response.send(event, context, "SUCCESS") return } var responseStatus = "FAILED" var responseData = {} var functionName = event.ResourceProperties.FunctionName var lambda = new aws.Lambda() lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { if (err) { responseData = {Error: "Invoke call failed"} console.log(responseData.Error + ":\n", err) } else responseStatus = "SUCCESS" response.send(event, context, responseStatus, responseData) }) } Description: Invoke a function during stack creation. TracingConfig: Mode: Active ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Lambda function with cfn-response.", "Resources": { "Primer01": { "Type": "AWS::Lambda::Function", "Properties": { "Runtime": "nodejs12.x", "Role": "arn:aws:iam::123456789012:role/lambda-role", "Handler": "index.handler", "Code": { "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" }, "Description": "Invoke a function during stack creation.", "TracingConfig": { "Mode": "Active" } } }, "Primer02": { "Type": "AWS::Lambda::Function", "Properties": { "TracingConfig": { "Mode": "Active" }, "Runtime": "nodejs12.x", "Role": "arn:aws:iam::123456789012:role/lambda-ex", "Handler": "index.handler", "Code": { "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" }, "Description": "Invoke a function during stack creation." } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Description: Lambda function with cfn-response. Resources: Primer01: Type: AWS::Lambda::Function Properties: Runtime: nodejs12.x Role: arn:aws:iam::123456789012:role/lambda-role Handler: index.handler Code: ZipFile: | var aws = require('aws-sdk') var response = require('cfn-response') exports.handler = function(event, context) { console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) // For Delete requests, immediately send a SUCCESS response. if (event.RequestType == "Delete") { response.send(event, context, "SUCCESS") return } var responseStatus = "FAILED" var responseData = {} var functionName = event.ResourceProperties.FunctionName var lambda = new aws.Lambda() lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { if (err) { responseData = {Error: "Invoke call failed"} console.log(responseData.Error + ":\n", err) } else responseStatus = "SUCCESS" response.send(event, context, responseStatus, responseData) }) } Description: Invoke a function during stack creation. TracingConfig: Mode: Active Primer02: Type: AWS::Lambda::Function Properties: Runtime: nodejs12.x Role: arn:aws:iam::123456789012:role/lambda-role Handler: index.handler Code: ZipFile: | var aws = require('aws-sdk') var response = require('cfn-response') exports.handler = function(event, context) { console.log("REQUEST RECEIVED:\n" + JSON.stringify(event)) // For Delete requests, immediately send a SUCCESS response. if (event.RequestType == "Delete") { response.send(event, context, "SUCCESS") return } var responseStatus = "FAILED" var responseData = {} var functionName = event.ResourceProperties.FunctionName var lambda = new aws.Lambda() lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) { if (err) { responseData = {Error: "Invoke call failed"} console.log(responseData.Error + ":\n", err) } else responseStatus = "SUCCESS" response.send(event, context, responseStatus, responseData) }) } Description: Invoke a function during stack creation. TracingConfig: Mode: Active ``` ```json { "AWSTemplateFormatVersion": "2010-09-09", "Description": "Lambda function with cfn-response.", "Resources": { "Primer01": { "Properties": { "Role": "arn:aws:iam::123456789012:role/lambda-role", "Handler": "index.handler", "Code": { "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" }, "Description": "Invoke a function during stack creation.", "TracingConfig": { "Mode": "Active" }, "Runtime": "nodejs12.x" }, "Type": "AWS::Lambda::Function" }, "Primer02": { "Type": "AWS::Lambda::Function", "Properties": { "Runtime": "nodejs12.x", "Role": "arn:aws:iam::123456789012:role/lambda-role", "Handler": "index.handler", "Code": { "ZipFile": "var aws = require('aws-sdk')\nvar response = require('cfn-response')\nexports.handler = function(event, context) {\n console.log(\"REQUEST RECEIVED:\\n\" + JSON.stringify(event))\n // For Delete requests, immediately send a SUCCESS response.\n if (event.RequestType == \"Delete\") {\n response.send(event, context, \"SUCCESS\")\n return\n }\n var responseStatus = \"FAILED\"\n var responseData = {}\n var functionName = event.ResourceProperties.FunctionName\n var lambda = new aws.Lambda()\n lambda.invoke({ FunctionName: functionName }, function(err, invokeResult) {\n if (err) {\n responseData = {Error: \"Invoke call failed\"}\n console.log(responseData.Error + \":\\n\", err)\n }\n else responseStatus = \"SUCCESS\"\n response.send(event, context, responseStatus, responseData)\n })\n}\n" }, "Description": "Invoke a function during stack creation.", "TracingConfig": { "Mode": "Active" } } } } } ```