I found the (100%) correct way to do this. @John Rotenstein's answer can be used, and although it is not quite right, it should still work.
I found that when you click the toggle button, the lambda's policy is actually updated:
Enabled:
```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "my-lambda-1552674933742",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:1234567890:function:my-lambda",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sns:us-west-2:1234567890:my-lambda"
        }
      }
    }
  ]
}
```
Disabled:
```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "my-lambda-1552674933742",
      "Effect": "Allow",
      "Principal": {
        "Service": "sns.amazonaws.com"
      },
      "Action": "lambda:DisableInvokeFunction",
      "Resource": "arn:aws:lambda:us-west-2:1234567890:function:my-lambda",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:sns:us-west-2:1234567890:my-lambda"
        }
      }
    }
  ]
}
```
Notice the Action is lambda:InvokeFunction vs. lambda:DisableInvokeFunction.
The process I used to do this is as follows:
- Lambda.listFunctions
- For each function, Lambda.removePermission
- For each function, Lambda.addPermission
Notes:
- The Lambda API's default safety limit is 100 concurrent executions per account per region.
- You can only update the resource-based policy of a Lambda resource within the scope of the AddPermission and AddLayerVersionPermission API actions. You cannot write a policy for a Lambda resource in JSON, and you cannot use conditions that do not map to the parameters of those actions. See the documentation here: https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html
Also, you can use Lambda.getPolicy to view the lambda's policy and make sure it has been updated.
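The getPolicy / removePermission / addPermission sequence from the answer above, written out as an added example (not code from the answer or from AWS): it reads the function's policy, finds the statements granting the SNS service principal, and re-creates each one through AddPermission with the same Sid and SourceArn but the Action switched between lambda:InvokeFunction and lambda:DisableInvokeFunction. `toggle_sns_trigger` takes a boto3 Lambda client (assumed; any object with the same keyword signatures works), and `FakeLambdaClient` is a constructed in-memory stand-in so the logic can be exercised offline.

```python
import json

SNS_PRINCIPAL = "sns.amazonaws.com"
ENABLED_ACTION = "lambda:InvokeFunction"
DISABLED_ACTION = "lambda:DisableInvokeFunction"

def sns_statements(policy_json):
    """Statements of a Lambda resource policy that grant the SNS service principal."""
    policy = json.loads(policy_json)
    return [s for s in policy.get("Statement", [])
            if s.get("Principal", {}).get("Service") == SNS_PRINCIPAL
            and s.get("Action") in (ENABLED_ACTION, DISABLED_ACTION)]

def toggle_sns_trigger(lambda_client, function_name, enable):
    """Rebuild each SNS statement with the requested Action; return the (Sid, Action) pairs changed."""
    target = ENABLED_ACTION if enable else DISABLED_ACTION
    policy_json = lambda_client.get_policy(FunctionName=function_name)["Policy"]
    changed = []
    for stmt in sns_statements(policy_json):
        if stmt["Action"] == target:
            continue  # already in the requested state
        sid = stmt["Sid"]
        source_arn = stmt.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        # The policy cannot be edited as raw JSON: drop the statement, then re-add it
        # via AddPermission with the same Sid and SourceArn condition.
        lambda_client.remove_permission(FunctionName=function_name, StatementId=sid)
        kwargs = dict(FunctionName=function_name, StatementId=sid,
                      Action=target, Principal=SNS_PRINCIPAL)
        if source_arn:
            kwargs["SourceArn"] = source_arn
        lambda_client.add_permission(**kwargs)
        changed.append((sid, target))
    return changed

class FakeLambdaClient:
    # Constructed in-memory stand-in for boto3's Lambda client (offline test double).
    def __init__(self, statements):
        self.statements = {s["Sid"]: s for s in statements}
    def get_policy(self, FunctionName):
        return {"Policy": json.dumps({"Version": "2012-10-17", "Id": "default",
                                      "Statement": list(self.statements.values())})}
    def remove_permission(self, FunctionName, StatementId):
        del self.statements[StatementId]
    def add_permission(self, FunctionName, StatementId, Action, Principal, SourceArn=None):
        stmt = {"Sid": StatementId, "Effect": "Allow", "Action": Action,
                "Principal": {"Service": Principal}}
        if SourceArn:
            stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": SourceArn}}
        self.statements[StatementId] = stmt
```

Calling `toggle_sns_trigger` a second time with the same `enable` value is a no-op, so re-running it after a partial failure is safe.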