From here
https://jun711.github.io/aws/attach-aws-lambda-layers-to-lambda-using-aws-sam-yaml-tutorial/
Key takeaways
- Give your Lambda function permission to call GetLayerVersion on the layer.
- Watch the layer version! The layer ARN ends in the version number, and that is the version the function gets.
- CloudFormation also needs permissions to deal with layers (second code block).
```yaml
UserManagementFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: python3.8
    FunctionName: 'lambda-with-layer'
    Description: 'lambda with layer'
    CodeUri: ./
    Policies:
      - Statement:
          - Effect: "Allow"
            Action:
              - 'lambda:GetLayerVersion'
            Resource:
              - 'arn:aws:lambda:*:1234567890:layer:*:*'
    Layers:
      - arn:aws:lambda:us-east-2:1234567890:layer:layer1:16
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:ListLayerVersions",
        "lambda:ListLayers",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission"
      ],
      "Resource": "*"
    }
  ]
}
```
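The two pitfalls in the takeaways (an unpinned layer ARN, and a GetLayerVersion grant whose Resource pattern does not actually cover the attached layer) can be caught before deploying. This is an added template check, not code from the original post or from AWS SAM; the template is embedded as a Python dict mirroring the page's example so no YAML parser is needed, and the account id and layer ARN are the page's placeholder values.

```python
import re

# Constructed SAM template as a Python dict (no YAML parser needed). It mirrors
# the page's example; the account id and layer ARN are the page's placeholder values.
TEMPLATE = {"Resources": {"UserManagementFunction": {
    "Type": "AWS::Serverless::Function",
    "Properties": {
        "Policies": [{"Statement": [{
            "Effect": "Allow",
            "Action": ["lambda:GetLayerVersion"],
            "Resource": ["arn:aws:lambda:*:1234567890:layer:*:*"]}]}],
        "Layers": ["arn:aws:lambda:us-east-2:1234567890:layer:layer1:16"]}}}}

# A layer *version* ARN ends in ":<name>:<number>"; without the trailing number it
# is not pinned. (Real account ids are 12 digits; the page's placeholder is shorter.)
LAYER_VERSION_ARN = re.compile(r"^arn:aws:lambda:[a-z0-9-]+:\d+:layer:[A-Za-z0-9_-]+:\d+$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def iam_resource_matches(pattern, arn):
    """IAM Resource matching: '*' spans any run of characters, '?' one, rest literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def check_function(props):
    """Findings for one function: unpinned layers, and layers that no Allow
    statement for lambda:GetLayerVersion actually covers."""
    findings = []
    statements = [s for p in props.get("Policies", []) if isinstance(p, dict)
                  for s in _as_list(p.get("Statement", []))]
    for layer in props.get("Layers", []):
        if not isinstance(layer, str) or not LAYER_VERSION_ARN.match(layer):
            findings.append(f"{layer!r}: not a version-pinned layer ARN")
            continue
        covered = any(
            s.get("Effect") == "Allow"
            and any(a in ("lambda:GetLayerVersion", "lambda:*", "*")
                    for a in _as_list(s.get("Action", [])))
            and any(iam_resource_matches(r, layer) for r in _as_list(s.get("Resource", [])))
            for s in statements)
        if not covered:
            findings.append(f"{layer}: no Allow for lambda:GetLayerVersion covers this ARN")
    return findings

def check_template(template):
    """Map each AWS::Serverless::Function name to its findings (empty list means clean)."""
    return {name: check_function(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::Serverless::Function"}
```

`check_template(TEMPLATE)` returns `{'UserManagementFunction': []}` for the page's template; a layer in another account, or an ARN with the version dropped, shows up as a finding.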
So after some experimenting, from what I can tell a layer would not have any security by default.
Also, my CloudFormation policy already had "lambda:*", so it was able to create the layers as is.