From here
https://jun711.github.io/aws/attach-aws-lambda-layers-to-lambda-using-aws-sam-yaml-tutorial/
Key takeaways
Give the Lambda function a policy that allows lambda:GetLayerVersion on the layer (the Policies block in the first code block).
Watch the layer version! The layer ARN ends in a version number (layer1:16 in the example); publishing a new layer version does not change that ARN, so you must bump it in the template or the function keeps using the old layer.
Also, CloudFormation itself, as the caller that attaches the layer and publishes layer versions, needs permissions to deal with layers (second code block).

UserManagementFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: python3.8
    FunctionName: 'lambda-with-layer'
    Description: 'lambda with layer'
    CodeUri: ./
    Policies:
      - Statement:
          - Effect: "Allow"
            Action:
              - 'lambda:GetLayerVersion'
            Resource:
              - 'arn:aws:lambda:*:1234567890:layer:*:*'
    Layers:
      - arn:aws:lambda:us-east-2:1234567890:layer:layer1:16

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:GetLayerVersion",
        "lambda:DeleteLayerVersion",
        "lambda:ListLayerVersions",
        "lambda:ListLayers",
        "lambda:AddLayerVersionPermission",
        "lambda:RemoveLayerVersionPermission"
      ],
      "Resource": "*"
    }
  ]
}

So after some experimenting, from what I can tell, a layer would not have any security by default.
Also, my CloudFormation policy already had "lambda:*", so it was able to create the layers as is.
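Added example (mine, not code from the tutorial): a small Python linter that encodes the takeaways above and the "no security by default" point. Given a SAM template already loaded with yaml.safe_load, it checks that every layer ARN pins a numeric version and comes from the expected account, that a Policies statement actually grants lambda:GetLayerVersion on that ARN (using IAM-style wildcard matching; applying the wildcards field by field is an assumption, the conservative reading), and that the grant is not just Resource "*". It also flags a deployer policy like the JSON above that allows lambda:AddLayerVersionPermission or lambda:DeleteLayerVersion on "*", since AddLayerVersionPermission is the call that opens a layer version to other accounts or to everyone. The template and policy inside are constructed samples; the 12-digit account id is made up (the tutorial's 1234567890 is a 10-digit placeholder, not a valid account id), and the function and resource names are mine.

```python
"""Lint the layer references in a SAM template and the IAM statements that grant
access to them.  Added example, not the tutorial's code; it takes the template as
already loaded by yaml.safe_load (plain dicts), so it runs offline."""
import re

# A layer *version* ARN has eight colon-separated fields; the last is the numeric
# version that must be bumped whenever a new layer version is published.
LAYER_VERSION_ARN = re.compile(
    r"^arn:(?P<partition>aws[^:]*):lambda:(?P<region>[^:]+):(?P<account>\d{12})"
    r":layer:(?P<name>[A-Za-z0-9_-]+):(?P<version>\d+)$"
)
# Granting these on "*" lets the deployer expose or delete any layer in the account.
RISKY_LAYER_ACTIONS = ("lambda:AddLayerVersionPermission", "lambda:DeleteLayerVersion")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, text):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None

def arn_matches(pattern, arn):
    """Bare '*' matches anything; otherwise wildcards apply field by field (assumption:
    the conservative reading, where '*' never swallows a colon), so '...:layer:*' does
    not cover a versioned layer ARN while '...:layer:*:*' does."""
    if pattern == "*":
        return True
    p, a = pattern.split(":"), arn.split(":")
    return len(p) == len(a) and all(_glob(ps, as_) for ps, as_ in zip(p, a))

def statement_allows(stmt, action, arn):
    if stmt.get("Effect") != "Allow":
        return False
    if not any(_glob(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(arn_matches(r, arn) for r in _as_list(stmt.get("Resource", [])))

def lint_layers(layer_arns, statements, expected_account):
    """Findings for one function's Layers list against its policy statements."""
    findings = []
    for arn in layer_arns:
        m = LAYER_VERSION_ARN.match(arn)
        if m is None:
            findings.append(f"{arn}: not a layer version ARN; pin an explicit numeric version")
            continue
        if m["account"] != expected_account:
            findings.append(f"{arn}: published by account {m['account']}, not {expected_account}")
        granting = [s for s in statements if statement_allows(s, "lambda:GetLayerVersion", arn)]
        if not granting:
            findings.append(f"{arn}: no Allow statement grants lambda:GetLayerVersion on it")
        elif all("*" in _as_list(s.get("Resource", [])) for s in granting):
            findings.append(f"{arn}: GetLayerVersion granted only via Resource '*'; scope it")
    return findings

def lint_template(template, expected_account):
    """Lint every AWS::Serverless::Function in a loaded SAM template."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        props = res.get("Properties", {})
        statements = [st for pol in props.get("Policies", []) if isinstance(pol, dict)
                      for st in _as_list(pol.get("Statement", []))]
        report[name] = lint_layers(props.get("Layers", []), statements, expected_account)
    return report

def lint_broad_layer_grants(policy):
    """Flag Allow statements that grant a risky layer action on Resource '*'."""
    findings = []
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow" or "*" not in _as_list(s.get("Resource", [])):
            continue
        for action in RISKY_LAYER_ACTIONS:
            if any(_glob(a, action) for a in _as_list(s.get("Action", []))):
                findings.append(f"{s.get('Sid', '<no Sid>')}: {action} on Resource '*'")
    return findings

# Constructed sample input; 123456789012 is a made-up 12-digit account id.
ACCOUNT = "123456789012"
LAYER_V16 = f"arn:aws:lambda:us-east-2:{ACCOUNT}:layer:layer1:16"
SAMPLE_TEMPLATE = {"Resources": {
    "ScopedFunction": {"Type": "AWS::Serverless::Function", "Properties": {
        "Layers": [LAYER_V16],
        "Policies": [{"Statement": [{"Effect": "Allow", "Action": ["lambda:GetLayerVersion"],
                                     "Resource": [f"arn:aws:lambda:*:{ACCOUNT}:layer:*:*"]}]}]}},
    "SloppyFunction": {"Type": "AWS::Serverless::Function", "Properties": {
        "Layers": [f"arn:aws:lambda:us-east-2:{ACCOUNT}:layer:layer1",      # version dropped
                   "arn:aws:lambda:us-east-2:999999999999:layer:shared:3"],  # another account
        "Policies": [{"Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}]}]}}}}
DEPLOYER_POLICY = {"Version": "2012-10-17", "Statement": [{     # shape of the JSON policy above
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["lambda:GetLayerVersion", "lambda:DeleteLayerVersion", "lambda:ListLayerVersions",
               "lambda:ListLayers", "lambda:AddLayerVersionPermission",
               "lambda:RemoveLayerVersionPermission"]}]}

if __name__ == "__main__":
    for fn, findings in lint_template(SAMPLE_TEMPLATE, ACCOUNT).items():
        print(fn, "->", findings or "clean")
    print("deployer policy ->", lint_broad_layer_grants(DEPLOYER_POLICY))
```

Running it on the sample reports ScopedFunction as clean and three findings for SloppyFunction (unpinned version, foreign-account layer, GetLayerVersion only via "*"), plus two findings against the deployer policy. To use it on a real template, replace SAMPLE_TEMPLATE with yaml.safe_load(open("template.yaml")) and ACCOUNT with your own account id; intrinsic functions such as !Ref in the Layers list would need resolving first, which this example does not do.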