About AWS Lambda

The AWS Lambda connector collects function configuration, layers, event source mappings, concurrency settings, and related metadata across Regions without invoking functions or downloading deployment packages. Iru uses sts:AssumeRole into a role you create, gated by an external ID from the wizard.

How it works

Create an IAM role that trusts Iru’s principal and attach AWSLambda_ReadOnlyAccess, or use the tighter inline policy below if your security team prefers least privilege.
Detail | Value
Category | Compute / serverless
Authentication | Cross-account IAM role
References: AWSLambda_ReadOnlyAccess, Lambda security.

Prerequisites

  • IAM permission to create roles and attach policies.
  • Principal and external ID values copied from your live connector (samples like account 753695775620 may differ per tenant).

Connect AWS Lambda to Iru

Copy the trust policy from Iru

1. Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
2. Turn on AWS Lambda

Find AWS Lambda (use Category or Search by name or description). On that card, turn on the toggle. Keep the wizard tab open.
3. Copy the trust policy JSON

Copy the trust policy from Iru. Use the shape below with the live principal and external ID Iru shows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1. Start Create role

Open IAM > Roles > Create role.

2. Configure trusted entity

Choose AWS account > Another AWS account. Enter 753695775620 unless the wizard differs. Enable Require external ID and paste the external ID from Iru.

3. Attach Lambda read permissions

Attach AWSLambda_ReadOnlyAccess, or attach this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:Get*",
        "lambda:List*"
      ],
      "Resource": "*"
    }
  ]
}
The managed policy covers actions such as GetFunction, ListFunctions, GetFunctionConfiguration, layers, aliases, and mappings; the inline variant relies on Get* / List* wildcards.
4. Name the role and copy the ARN

Name the role (for example IruLambdaReadOnly), create it, and copy its ARN.
5. Verify the trust relationship

Confirm that the role's Trust relationships policy matches the trust policy copied from Iru.
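
One way to script the check in the last step, as an added example that is not Iru's own tooling: it compares a role's trust policy document against the principal and external ID from the wizard and reports each mismatch. The names `check_trust_policy`, `as_list`, `EXPECTED_PRINCIPAL` and `EXPECTED_EXTERNAL_ID` are hypothetical, and the external ID and both sample documents are constructed.

```python
import json

# Values to compare against: copy both from the live Iru wizard.
EXPECTED_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"  # sample from this page
EXPECTED_EXTERNAL_ID = "example-external-id"  # constructed placeholder


def as_list(value):
    """IAM accepts a single string or a list wherever a value appears."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, principal_arn, external_id):
    """Return a list of findings; an empty list means the policy matches."""
    findings = []
    allows = [s for s in as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected 1 Allow statement, found {len(allows)}")
    for stmt in allows:
        if as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("Action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append("Principal must hold only an AWS entry")
        elif as_list(principal["AWS"]) != [principal_arn]:
            findings.append(f"unexpected principal: {principal['AWS']}")
        # The external ID ties the role to your connector; without it the
        # trusted principal is the only gate on sts:AssumeRole.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing StringEquals sts:ExternalId condition")
        elif as_list(ext) != [external_id]:
            findings.append("sts:ExternalId differs from the wizard value")
    return findings


# Constructed sample documents, in the shape `aws iam get-role` returns under
# Role.AssumeRolePolicyDocument.
GOOD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::753695775620:role/IruConnect"},
  "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}""")
BAD = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::753695775620:root"}}]}""")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        result = check_trust_policy(doc, EXPECTED_PRINCIPAL, EXPECTED_EXTERNAL_ID)
        print(name, "OK" if not result else result)
```

To check a real role, pass the parsed output of `aws iam get-role --role-name IruLambdaReadOnly --query Role.AssumeRolePolicyDocument` in place of the sample documents.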

Submit the role ARN in Iru

1. Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2. Confirm the source is Active

Submit until AWS Lambda shows Active. Regional sync begins after activation.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
External ID or principal mismatch - re-copy from Iru.
Confirm functions exist in enabled Regions and the role targets the right account.
Read-only APIs may not expose ciphertext details - metadata still evidences configuration presence.

Considerations

Lambda is Regional; first scans walk every enabled Region.

Iru does not invoke functions or extract ZIP artifacts - configuration evidence only.
