How can this issue be addressed?
Update the Lambda function’s execution role to include the missing permissions.
Update the Lambda function’s resource policy to include the missing permissions.
Include an IAM policy document at the root of the deployment package and redeploy the Lambda function.
Redeploy the Lambda function using an account with access to the AdministratorAccess policy.
Explanations:
Updating the Lambda function’s execution role to include the missing permissions is necessary when the function requires access to other AWS services or resources that it currently lacks permission for. This role dictates what the Lambda function can do and what resources it can access. If the application fails due to permission issues, this is the most direct and effective solution.
The Lambda function’s resource policy governs which AWS services or principals can invoke the Lambda function, not the permissions that the function itself requires to access other resources. An access denied message typically indicates a lack of permissions in the execution role rather than issues with the resource policy.
Including an IAM policy document at the root of the deployment package does not affect the execution role of the Lambda function. IAM policies must be attached to roles, users, or groups; they cannot be supplied inside the deployment package. This option would not resolve the permission issue and would only add confusion.
Redeploying the Lambda function using an account with access to the AdministratorAccess policy may not address the specific permissions needed by the function itself. This approach does not ensure that the necessary permissions are configured correctly in the execution role for the Lambda function. It could lead to unnecessary permissions and potential security risks without addressing the specific access issue.