hands-on lab

Review and Secure a Lambda Function with an IAM Least Privilege Based Security Policy

Up to 2h 30m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


In this lab scenario, you take on the role of a cloud security engineer, working for a business that has implemented a particular business process in AWS using AWS Lambda. Version one (MVP) of the implementation has proven very successful with customers (in this lab - you actually deploy and set up the Lambda function). Due to the immediate success and demand of the serverless workflow, the company has now decided to review the IAM security policies involved in its operation and uptime of it. It is expected that current IAM permissions may be too broad and too permissive.

As a cloud security engineer, it is your responsibility to perform the review and update existing IAM security permissions assigned to the Lambda function's execution role. Your task is to review the current IAM policies and refine them such that they adhere to the rule of least privilege. To understand exactly what the Lambda function does, and in particular, the specific set of AWS API operations it integrates with, you will set up CloudTrail together with Athena. Additionally, this new setup will support another business requirement - being able to audit all AWS API calls made by the Lambda function for auditing and compliance reasons.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Configure CloudTrail and Athena together to help you analyze AWS API operations being made within an AWS Account

Intended Audience

  • Those interested in learning how to increase their IAM security posture by analyzing existing AWS API calls


Familiarity with the following will be beneficial but is not required:

  • Be comfortable with the AWS console
  • Be comfortable with basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

  • 1 x EC2 instance
    • ops.cloudacademy.platform.instance - used to provide access to a Linux terminal
  • 2 x S3 buckets
    • Business Data S3 bucket - used to store business data files generated by the Lambda function
    • Athena Query Results S3 bucket - used to store the results of executing Athena queries

To achieve the lab end state, you will be walked through the process of:

  • Setting up a new CloudTrail trail
  • Configuring Athena with access to the CloudTrail trail log files stored in S3
  • Deploying and configuring a new Python 3-based Lambda function that writes files out to the Business Data S3 bucket
  • Use Athena to query the CloudTrail data
  • Build a local file containing all current IAM Policy Actions
  • Updating an IAM policy assigned to a Lambda function's execution role

Environment before

Environment after

About the author

Jeremy Cook, opens in a new tab
Solutions Architect Director
Learning paths

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS), GitHub.

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Create CloudTrail Trail
Create Lambda Function
Use Athena to Query CloudTrail Events
Review Full IAM Actions List
Review and Update Lambda Execution Role Policy