This is the second part in a series of articles on Using AWS KMS to Encrypt Values in CloudFormation Stacks.

Every Lambda function must execute under the security context of an IAM role. This role gives the Lambda function the permissions it needs in order to properly do its job. In this case, the Lambda function only needs the most basic permissions that Lambda functions typically need (I’m ignoring the permissions required for KMS, which will be covered separately), and AWS provides a managed policy that allows us to set this up very easily.

Set Role Name

In the AWS console, go to the IAM console and then choose “Roles” from the navigation on the left of the page. Select “Create New Role” at the top.

Create role screenshot

Give the role a name of “lambda-kms-for-cloud-formation” (or any name that makes sense).

Select Role Type

On the next screen, select “AWS Lambda” from the “AWS Service Roles” section.

Add service role screenshot

Attach Policy

Finally, attach the AWS Managed Policy called “AWSLambdaBasicExecutionRole”. This policy grants permissions to do things like write to S3 and CloudWatch logs.

Attach policy screenshot


Review the information on the final screen and create the role.
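Since the series is about CloudFormation, the same role can be declared as a stack resource instead of being clicked together in the console. The template below is an added example, not code from the original article; the logical name LambdaKmsRole and the Outputs block are assumptions, while the trust policy and the managed policy ARN are the standard values AWS publishes for Lambda execution roles.

```yaml
# Added example: the console steps above expressed as a CloudFormation
# resource. Not from the original article; the logical name LambdaKmsRole
# and the Outputs section are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Description: Execution role for the KMS helper Lambda function

Resources:
  LambdaKmsRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: lambda-kms-for-cloud-formation
      # Trust policy: only the Lambda service principal may assume this
      # role. Keep the principal this narrow; a wildcard principal here
      # would let any AWS identity take the role's permissions.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # The AWS managed policy selected in the "Attach Policy" step. Its
      # single statement allows logs:CreateLogGroup, logs:CreateLogStream
      # and logs:PutLogEvents, which is what a function needs to write to
      # CloudWatch Logs. KMS permissions are added separately later in
      # the series.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Outputs:
  LambdaKmsRoleArn:
    Description: ARN to reference from the Lambda function's Role property
    Value: !GetAtt LambdaKmsRole.Arn
```

Because the template sets an explicit RoleName, deploying it requires acknowledging named IAM resources, for example `aws cloudformation deploy --template-file role.yaml --stack-name lambda-kms-role --capabilities CAPABILITY_NAMED_IAM`. Dropping the RoleName property lets CloudFormation generate a unique name and needs only CAPABILITY_IAM.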

That’s it for this part! In subsequent steps I’ll use this role by assigning it additional permissions from the KMS console as well as attaching it to our Lambda function. In fact, let’s get started on that latter item. Right. Now.