Allow all cloudwatch event rules to have access to lambda function

I have been encountering a hard limit on the lambda function policy when trying to provision access for a cloudwatch event rule to trigger the lambda function on a scheduled basis.

An error occurred (PolicyLengthExceededException) when calling the AddPermission operation: The final policy size (20670) is bigger than the limit (20480).

It works for a new lambda function, but eventually its policy will bloat and will hit a hard limit on the number of cloudwatch event rules that can access it.

Some said to re-create the function (delete/create), but this won't be an option in a production environment where cloudwatch events are already configured on it, resulting in the existing ones losing access to the lambda function.

Using the aws cli, I was able to extract the policy of my lambda function; it looks like this:

"Statement": [{
    "Sid": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "Effect": "Allow",
    "Principal": {
        "Service": "events.amazonaws.com"
    },
    "Action": "lambda:*",
    "Resource": "arn:aws:lambda:xxxxx:xxxxxxxxxxx:function:xxxxxxxxxxxxx",
    "Condition": {
        "ArnLike": {
            "AWS:SourceArn": "arn:aws:events:xxxxxxx:xxxxxx:rule/xxxxxxxxx"
        }
    }
}]

So I was looking into something like this for the AWS:SourceArn:

arn:aws:events:xxxxxxx:xxxxxx:rule/*

to avoid hitting the hard limit, but I cannot seem to do it. Even in the lambda function itself on the console, you won't be able to create such a rule that will allow all cloudwatch events of a specified account to have access to the lambda function using a wildcard '*'.

Suggestions are much welcome. Thank you guys.

Jeff asked Mar 05 '23 05:03

2 Answers

This was accepted without an error:

$ aws lambda add-permission --function-name function_name \
    --action 'lambda:InvokeFunction' --principal events.amazonaws.com \
    --statement-id '1' \
    --source-arn arn:aws:events:ap-southeast-2:123456789012:rule/*

This will accept all CloudWatch Events rules.

You could instead name your rules such that the ones you want to allow all share the same prefix in their name, e.g.:

--source-arn arn:aws:events:ap-southeast-2:123456789012:rule/Event-*
John Rotenstein answered May 05 '23 00:05
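To see how much of the 20480-byte limit the per-rule statements consume and what the prefix approach above buys, here is an added Python script (not from the answer, nor AWS code) that sizes a Lambda resource policy, flags grants to events.amazonaws.com broader than lambda:InvokeFunction, and rewrites the per-rule statements covered by a rule-name prefix into one statement. The account, function and rule names are constructed, and the compact-JSON size is only an approximation of the size AWS reports.

```python
import fnmatch
import json

POLICY_LIMIT = 20480  # limit quoted in the PolicyLengthExceededException above
EVENTS = "events.amazonaws.com"

def arn_like(pattern: str, arn: str) -> bool:
    """Approximate IAM ArnLike matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)

def source_arn(stmt: dict):
    return stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")

def from_events(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    return isinstance(principal, dict) and principal.get("Service") == EVENTS

def audit(policy: dict, limit: int = POLICY_LIMIT) -> dict:
    """Size the policy (compact JSON, approximating AWS) and flag over-broad events grants."""
    stmts = [s for s in policy.get("Statement", []) if from_events(s)]
    size = len(json.dumps(policy, separators=(",", ":")))
    return {
        "size": size,
        "over_limit": size > limit,
        "event_statements": len(stmts),
        "wildcard_sources": [source_arn(s) for s in stmts if "*" in (source_arn(s) or "")],
        "broad_actions": [s.get("Sid") for s in stmts if s.get("Action") in ("lambda:*", "*")],
    }

def consolidate(policy: dict, function_arn: str, rule_pattern: str, sid: str) -> dict:
    """New policy: per-rule events statements covered by rule_pattern become one InvokeFunction grant."""
    kept = [s for s in policy["Statement"]
            if not (from_events(s) and source_arn(s) and arn_like(rule_pattern, source_arn(s)))]
    kept.append({"Sid": sid, "Effect": "Allow", "Principal": {"Service": EVENTS},
                 "Action": "lambda:InvokeFunction", "Resource": function_arn,
                 "Condition": {"ArnLike": {"AWS:SourceArn": rule_pattern}}})
    return {**policy, "Statement": kept}

# Constructed sample (hypothetical names): three per-rule grants, two using lambda:* as in the question
FUNCTION = "arn:aws:lambda:us-east-1:123456789012:function:example-fn"
RULE = "arn:aws:events:us-east-1:123456789012:rule/"

def rule_stmt(sid: str, name: str, action: str = "lambda:*") -> dict:
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": EVENTS},
            "Action": action, "Resource": FUNCTION,
            "Condition": {"ArnLike": {"AWS:SourceArn": RULE + name}}}

SAMPLE = {"Version": "2012-10-17", "Id": "default", "Statement": [
    rule_stmt("a1", "Event-nightly"), rule_stmt("a2", "Event-weekly"),
    rule_stmt("b1", "OtherJob", "lambda:InvokeFunction")]}
```

Run `audit(SAMPLE)` and then `audit(consolidate(SAMPLE, FUNCTION, RULE + "Event-*", "events-prefix"))` to compare the statement count, size and broad-action list before and after; a real policy can be loaded from the `Policy` string returned by `aws lambda get-policy`.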

I used the above CLI command but got an error in the console; please find the attached screenshot of the error. Please find below the function policy of the lambda:

{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "events-access",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:096280016729:function:leto_debug_log",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:096280016729:rule/*"
        }
      }
    }
  ]
}
patel tejas answered May 05 '23 00:05