in source/backend/lib/cdk-photosearch-backend-stack.ts [39:81]
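/**
 * Builds the execution role for this stack's Lambda functions.
 *
 * The role trusts only the Lambda service principal and starts with the two
 * grants every function here needs:
 *  - CloudWatch Logs: create groups/streams and put events, scoped to log
 *    groups in this account and region. It is not scoped to one function's
 *    group because the function name is not known at this point; callers
 *    that know it may tighten this to `log-group:/aws/lambda/<name>:*`.
 *  - ENI lifecycle for VPC-attached functions. `Resource: "*"` mirrors the
 *    AWS-managed AWSLambdaVPCAccessExecutionRole policy: the ENIs are created
 *    by the Lambda service at runtime, so they are not known at synth time,
 *    and ec2:DescribeNetworkInterfaces has no resource-level scoping.
 *
 * Anything the caller later adds with `addToPolicy()` lands in the same
 * inline `DefaultPolicy`, so the cfn_nag W12 suppression attached here covers
 * every `Resource: "*"` statement in that policy, not only the ENI one.
 * Re-check the suppression reason whenever a new wildcard grant is added.
 *
 * @param idPrefix Suffix appended to the construct id so several roles can
 *   coexist in one stack.
 * @returns The role, ready to be passed as `role` to a Lambda function.
 * @throws Error if the role's DefaultPolicy L1 resource cannot be located
 *   (the suppression would otherwise be written to `undefined`).
 */
makeLambdaRole(idPrefix: string) {
  const lambdaRole = new iam.Role(this, `PhotoSearchLambdaRole${idPrefix}`, {
    assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
  });

  // CloudWatch Logs. Use the stack's partition rather than a hard-coded
  // "aws" so the ARN is also valid in the aws-cn / aws-us-gov partitions.
  lambdaRole.addToPolicy(
    new iam.PolicyStatement({
      actions: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
      resources: [
        `arn:${cdk.Aws.PARTITION}:logs:${cdk.Aws.REGION}:${cdk.Aws.ACCOUNT_ID}:log-group:*`,
      ],
    })
  );

  // ENI management for functions attached to a VPC. The wildcard resource is
  // what cfn_nag rule W12 flags; see the suppression below.
  lambdaRole.addToPolicy(
    new iam.PolicyStatement({
      actions: [
        'ec2:CreateNetworkInterface',
        'ec2:DeleteNetworkInterface',
        'ec2:AssignPrivateIpAddresses',
        'ec2:UnassignPrivateIpAddresses',
        'ec2:DescribeNetworkInterfaces',
      ],
      resources: ['*'],
    })
  );

  // addToPolicy() materialises the role's inline "DefaultPolicy"; its L1
  // CfnPolicy is where cfn_nag metadata must live. Fail loudly rather than
  // dereferencing undefined if the construct tree ever changes shape.
  const defaultPolicyResource = lambdaRole.node
    .tryFindChild('DefaultPolicy')
    ?.node.tryFindChild('Resource');
  if (defaultPolicyResource === undefined || !cdk.CfnResource.isCfnResource(defaultPolicyResource)) {
    throw new Error(
      `PhotoSearchLambdaRole${idPrefix}: DefaultPolicy resource not found; cannot attach cfn_nag suppression`
    );
  }

  // Suppress cfn_nag W12 ("Resource": "*"). NOTE(review): the reason also
  // names X-Ray and Rekognition#DetectFace, neither of which is granted in
  // this method — presumably the caller adds those to the same policy.
  // Keep the reason text in step with what is actually granted.
  defaultPolicyResource.cfnOptions.metadata = {
    cfn_nag: {
      rules_to_suppress: [
        {
          id: 'W12',
          reason:
            'Lambda needs the following minimum required permissions to send trace data to X-Ray, access ENIs in a VPC and Rekognition#DetectFace.',
        },
      ],
    },
  };

  return lambdaRole;
}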