IAM Role limit sts:AssumeRole to one AWS Lambda function

I am concerned about security. The creation of IAM Roles is a high security risk, and the fact that you can only specify AWS Lambda as the one that can assume a role is not good enough IMO. There could be a privilege escalation if not treated with care.

How can I create IAM Roles specific to some Lambda functions?

I haven't found anything similar, but I believe it may be possible.

This role would also have some policies attached:

{
  "Action": "sts:AssumeRole",
  "Principal": {
    "Service": "lambda.amazonaws.com"
  },
  "Effect": "Allow",
  "Sid": ""
}

Usually, in other roles you would use the Principal clause to decide which accounts can assume the role.

{
 "Effect": "Allow",
 "Principal": {
   "AWS": "arn:aws:iam::123456789:root"
 },
 "Action": "sts:AssumeRole"
}

According to @Michael in the comments, I have to specify which users can use PassRole on which roles; therefore the question is: how can I decide exactly which users can pass this role?

If so, the answer to this question would be solved in two steps: making this role only assumable by the Lambda service (as it already is), and then having a policy with PassRole restrictions for each user.

asked by txomon on Mar 10 '17 11:03


1 Answer

I asked AWS support about this. They said they don't presently* support conditions in the assume_role/trust policy to limit which functions can assume the role by matching a function name pattern.

Instead, they suggested adding conditions to the execution policy (instead of the assume/trust policy):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WhitelistSpecificLambdaFunction",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:userid": "AROAUISMSUAFHSJDJURKJ:TestLambda"
                }
            }
        }
    ]
}

-- This policy denies access to all Lambda functions except the specific Lambda function whose name is mentioned in the "aws:userid" condition key. Other Lambda functions will be able to assume the role, but they will be denied from performing any action; if they are just printing or returning variables/data, however, the function would still work.

--> NOTE: The condition key "aws:userid" specifies the unique ID for the current role and the corresponding value of this key has the following format: "role-id:role-session-name".

-- IAM role ID is "AROAUISMSUAFHSJDJURKJ" for the sample role I used.

-- In the case of a Lambda function, the role-session-name is the same as the Lambda function name. In this example it is "TestLambda", so aws:userid becomes "aws:userid": "AROAUISMSUAFHSJDJURKJ:TestLambda".

* They added my name to an existing request to add this feature

answered by steamer25 on Nov 15 '22 14:11
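A small evaluator of the technique in the answer, added here as an example (not code from the answer or from AWS): it builds the Deny statement for a role ID and a list of function names, which generalizes the single-function policy above, and checks which aws:userid values it blocks. The wildcard matcher and the multi-value StringNotLike semantics are my reading of IAM's condition rules; the role ID is the sample one from the answer and the extra function names are constructed.

```python
import json
import re

def iam_wildcard_match(pattern, value):
    """IAM StringLike matching: '*' matches any run of characters, '?' one
    character, case-sensitive. A regex is used so nothing else is special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def lambda_user_id(role_id, function_name):
    """Lambda uses the function name as the role session name, so the
    aws:userid seen by the execution policy is '<role-id>:<function-name>'."""
    return f"{role_id}:{function_name}"

def build_lambda_scoped_deny(role_id, function_names):
    """Policy document with the answer's Deny statement, extended to a list of
    function names. Assumption: a multi-valued StringNotLike is true (so the
    Deny fires) only when aws:userid matches none of the listed values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessNamedLambdaFunction",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringNotLike": {
                "aws:userid": [lambda_user_id(role_id, n) for n in function_names],
            }},
        }],
    }

def deny_applies(policy, user_id):
    """True if the Deny statement fires for a caller whose aws:userid is user_id.
    Only the StringNotLike / aws:userid condition used on this page is evaluated."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Condition"]["StringNotLike"]["aws:userid"]
        if isinstance(patterns, str):  # the answer's policy uses a single string
            patterns = [patterns]
        if not any(iam_wildcard_match(p, user_id) for p in patterns):
            return True
    return False

if __name__ == "__main__":
    # Sample role ID from the answer; the function names are constructed for the demo.
    policy = build_lambda_scoped_deny("AROAUISMSUAFHSJDJURKJ", ["TestLambda", "BillingExport"])
    print(json.dumps(policy, indent=2))
    for name in ("TestLambda", "BillingExport", "TestLambda2"):
        uid = lambda_user_id("AROAUISMSUAFHSJDJURKJ", name)
        print(name, "denied" if deny_applies(policy, uid) else "allowed")
```

The check only holds while the trust policy still restricts sts:AssumeRole to lambda.amazonaws.com, because any other principal allowed to assume the role would choose the session name itself.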