Lab complete!
Now that you have completed this lab, make sure to update your Well-Architected review if you have implemented these changes in your workload.
Click here to access the Well-Architected Tool
This step creates an IAM policy and a role that allow the Lambda function to run Athena CUR queries and deliver the processed CUR report via SES.
Log into the IAM console, click on Policies, and click on Create Policy:
Click on the JSON tab and modify the following policy, replacing the your-cur-query-results-bucket string with your bucket name. Make sure you add “*” at the end of the bucket name so the whole bucket is writable:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::your-cur-query-results-bucket*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "athena:List*",
                "athena:*QueryExecution",
                "athena:Get*",
                "athena:BatchGet*",
                "glue:Get*",
                "glue:BatchGet*",
                "s3:Get*",
                "s3:List*",
                "SES:SendRawEmail",
                "SES:SendEmail",
                "logs:CreateLogStream",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}
Paste the policy into the JSON editor, ensure the bucket name has been changed, and click Review policy:
Enter the name Lambda_Auto_CUR_Delivery_Access, and click Create policy.
Click on Roles, then click Create Role:
Choose Lambda as the service that will use this role, then click Next: Permissions:
On the Attach permissions policies page, search for and select the Lambda_Auto_CUR_Delivery_Access policy created in the previous step. Click Next: Tags, then click Next: Review.
On the Review page, enter the name Lambda_Auto_CUR_Delivery_Role, and click Create role. This role will be used for Lambda function execution.
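To see what the policy above grants before attaching it to the role, the following added example (not part of the original lab) evaluates it offline with IAM-style wildcard matching. It shows that the trailing “*” on the bucket ARN also matches other buckets whose names share the prefix, and lists the wildcard actions allowed on Resource "*". The test ARNs, the helper names and the narrower `/*` variant are assumptions made for illustration, and the matcher ignores Deny, NotAction, NotResource and Condition.

```python
import copy
import re

# The lab's policy, reproduced compactly; the bucket placeholder is the page's own.
LAB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::your-cur-query-results-bucket*"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": "*", "Action": [
        "athena:List*", "athena:*QueryExecution", "athena:Get*", "athena:BatchGet*",
        "glue:Get*", "glue:BatchGet*", "s3:Get*", "s3:List*", "SES:SendRawEmail",
        "SES:SendEmail", "logs:CreateLogStream", "logs:CreateLogGroup",
        "logs:PutLogEvents"]}]}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """True if an Allow statement matches both action and resource.
    Simplified: no Deny, NotAction, NotResource or Condition handling."""
    return any(
        st["Effect"] == "Allow"
        and any(_match(a, action, True) for a in _as_list(st["Action"]))
        and any(_match(r, resource) for r in _as_list(st["Resource"]))
        for st in policy["Statement"])

def broad_grants(policy):
    """(Sid, action) pairs granting a wildcard action on Resource '*'."""
    return [(st["Sid"], a) for st in policy["Statement"]
            if st["Effect"] == "Allow" and "*" in _as_list(st["Resource"])
            for a in _as_list(st["Action"]) if "*" in a]

def scoped_to_objects(policy):
    """Copy of the policy with the PutObject resource narrowed to '<bucket>/*'."""
    p = copy.deepcopy(policy)
    p["Statement"][0]["Resource"] = ["arn:aws:s3:::your-cur-query-results-bucket/*"]
    return p

if __name__ == "__main__":
    # Constructed ARNs: the intended bucket and a different bucket sharing its prefix.
    for arn in ("arn:aws:s3:::your-cur-query-results-bucket/out.csv",
                "arn:aws:s3:::your-cur-query-results-bucket-other/out.csv"):
        print(arn, is_allowed(LAB_POLICY, "s3:PutObject", arn),
              is_allowed(scoped_to_objects(LAB_POLICY), "s3:PutObject", arn))
    for sid, action in broad_grants(LAB_POLICY):
        print("wildcard action on Resource '*':", sid, action)
```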