Skip to main content

About AWS Lambda

The AWS Lambda connector collects function configuration, layers, event source mappings, concurrency settings, and related metadata across Regions without invoking functions or downloading deployment packages. Iru uses sts:AssumeRole into a role you create, gated by an external ID from the wizard.

How It Works

Iru runs in its own AWS account. To read Lambda configuration in your account, you create an IAM role that trusts Iru’s principal (sts:AssumeRole + wizard External ID) with read-only lambda: permissions. Paste the role’s ARN back into Iru. Create an IAM role that trusts Iru’s principal and attach AWSLambda_ReadOnlyAccess, or use the tighter inline policy below if your security team prefers least privilege.
DetailValue
CategoryCompute / serverless
AuthenticationCross-account IAM role
References: AWSLambda_ReadOnlyAccess, Lambda security.

Prerequisites

  • IAM permission to create roles and attach policies.
  • Principal and external ID values copied from your live connector (samples like account 753695775620 may differ per tenant).

Connect AWS Lambda to Iru

Start here: open the source wizard and copy the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role in AWS. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS Lambda

Find AWS Lambda (use Category or Search by name or description). On that card, turn on the toggle. Keep the wizard tab open.
3

Copy the trust policy JSON

The wizard shows the trust policy JSON your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.
copy=false
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role in AWS.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role in AWS) so you have the Role ARN from the new role.
1

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN where the connector prompts for it.
2

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.
3

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to ComplianceSources and confirm the AWS Lambda card is Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
External ID or principal mismatch - re-copy from Iru.
Confirm functions exist in enabled Regions and the role targets the right account.
Read-only APIs may not expose ciphertext details - metadata still evidences configuration presence.

Considerations

Lambda is Regional; first scans walk every enabled…

Lambda is Regional; first scans walk every enabled Region.

Iru does not invoke functions or extract ZIP…

Iru does not invoke functions or extract ZIP artifacts - configuration evidence only.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.

Iru Overview

How Endpoint, Compliance, and Identity fit together.

Artifacts Management

Upload, review, and organize evidence from sources and actions.