Posted On: Nov 26, 2024

Amazon Lambda now supports the aws:PrincipalOrgID condition key in Lambda function resource-based policies. Customers can use resource-based policies on a Lambda function, including a specific version or alias, to grant usage permissions to other Amazon Web Services accounts or services. The aws:PrincipalOrgID condition key controls access to Amazon Web Services resources based on the Amazon Web Services organization that the IAM (Identity and Access Management) principal belongs to. You can now use this condition key in function resource-based policies to require that every principal accessing a Lambda function comes from an account in your organization. Additionally, when you add or remove accounts, policies that include the aws:PrincipalOrgID key should automatically reflect the updated set of accounts, which helps minimize manual updating.

The aws:PrincipalOrgID key provides an alternative to listing the account IDs of every Amazon Web Services account in an organization. Previously, to restrict access to a Lambda function to principals from Amazon Web Services accounts inside your organization, you had to add each account ID individually to the resource-based policy. Now you can specify the organization ID in the condition element of the Lambda function's resource-based policy.

You can start using this feature via the Amazon Web Services Console, CLI, or CloudFormation by passing your organization ID when adding permissions to a Lambda function, including a specific version or alias. Lambda generates the resource-based policy statement with the aws:PrincipalOrgID condition key set to the organization ID you provided in the request.
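The account-list approach described above and the organization-ID condition that replaces it, side by side, as an added example that is not part of this announcement: a small Python script that builds both statement shapes and evaluates them against a caller. The organization ID, account numbers and function ARN are constructed values, and the generated statement is modelled on what `aws lambda add-permission --principal '*' --principal-org-id` produces rather than copied from Lambda.

```python
import json

# Constructed sample values (not from the announcement): an organization ID,
# member accounts and a function ARN in the China (aws-cn) partition.
ORG_ID = "o-exampleorgid"
FUNCTION_ARN = "arn:aws-cn:lambda:cn-north-1:111111111111:function:my-function"

def account_list_statement(account_ids):
    """Previous approach: enumerate every in-organization account as a principal."""
    return {
        "Sid": "AllowListedAccounts",
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws-cn:iam::{a}:root" for a in account_ids]},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
    }

def principal_org_id_statement(org_id):
    """New approach: one statement keyed on the organization ID, the shape that
    `aws lambda add-permission --principal '*' --principal-org-id <org>` produces
    (the exact document Lambda emits is an assumption here)."""
    return {
        "Sid": "AllowWholeOrganization",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }

def allows(statement, caller_account, caller_org_id=None):
    """Minimal evaluator for the two shapes above (Allow-only, exact match).
    caller_org_id=None models a caller with no aws:PrincipalOrgID in its context,
    e.g. an AWS service principal: StringEquals on an absent key does not match."""
    principal = statement["Principal"]
    if principal != "*" and f"arn:aws-cn:iam::{caller_account}:root" not in principal["AWS"]:
        return False
    wanted = statement.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
    return wanted is None or wanted == caller_org_id

def compare_after_new_account(listed_accounts, new_account):
    """(allowed by account list, allowed by org condition) for an account that joined
    the organization after the account-list policy was written."""
    by_list = allows(account_list_statement(listed_accounts), new_account, ORG_ID)
    by_org = allows(principal_org_id_statement(ORG_ID), new_account, ORG_ID)
    return by_list, by_org

if __name__ == "__main__":
    print(json.dumps(principal_org_id_statement(ORG_ID), indent=2))
    print(compare_after_new_account(["222222222222"], "333333333333"))  # (False, True)
```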

Support for aws:PrincipalOrgID in resource-based policies is now available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. For more information on availability, see the Amazon Web Services Region table.