Lambda Prerequisites
Before you can use Lambda to create custom rules, you need to update the IAM role that grants Skyhigh CASB permissions and update permissions to allow a trust relationship, so that Skyhigh CASB can assume a role in your S3 buckets.
Update IAM Role
Copy and paste the following JSON to update the IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1510661968000",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:InvokeFunction",
        "lambda:ListFunctions",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "iam:PassRole"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Edit Trust Relationship
Invoking functions in Lambda and uploading scripts requires additional permissions to be assigned to the Skyhigh CASB role in IAM.
- Navigate to IAM and create a new policy called SHN_Lambda.
- Copy and paste the following JSON to edit the trust relationship.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::522462218264:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "997131"
        }
      }
    }
  ]
}
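The following Python example is added here and is not part of the Skyhigh documentation. It audits the two policy documents above before you apply them: it reports iam:PassRole granted on every resource without an iam:PassedToService condition, and any AWS account principal that can assume the role without an sts:ExternalId condition. The function names and finding strings are assumptions of this example.

```python
import json

# Policy documents copied from this page, embedded so the check runs offline.
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1510661968000", "Effect": "Allow", "Resource": ["*"], "Action": [
    "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction",
    "lambda:GetFunctionConfiguration", "lambda:InvokeFunction", "lambda:ListFunctions",
    "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "iam:PassRole"]}]}""")
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::522462218264:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "997131"}}}]}""")


def as_list(value):
    """IAM accepts either one string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def audit_permissions(policy):
    """Flag Allow statements that grant iam:PassRole on every role with no service limit."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        passes_role = any(a in ("iam:passrole", "iam:*", "*") for a in actions)
        all_resources = "*" in as_list(stmt.get("Resource", []))
        limited = "iam:passedtoservice" in json.dumps(stmt.get("Condition", {})).lower()
        if stmt.get("Effect") == "Allow" and passes_role and all_resources and not limited:
            findings.append("iam:PassRole on Resource * without iam:PassedToService")
    return findings


def audit_trust(policy):
    """Flag AWS-account principals that may assume the role without sts:ExternalId."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        principal = stmt.get("Principal", {})
        accounts = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        conditions = stmt.get("Condition", {})
        has_external_id = any("sts:externalid" in (k.lower() for k in block)
                              for block in conditions.values())
        if stmt.get("Effect") == "Allow" and accounts and not has_external_id:
            findings.append(f"{', '.join(accounts)} may assume the role without sts:ExternalId")
    return findings


if __name__ == "__main__":
    print(audit_permissions(PERMISSIONS_POLICY))
    print(audit_trust(TRUST_POLICY))
```

The trust policy passes because its cross-account statement carries the external ID. The permissions policy is reported because iam:PassRole applies to every role in the account; one common way to narrow it is a condition that limits iam:PassedToService to lambda.amazonaws.com, or a Resource that names only the role Lambda should run as.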