We thought our cross-account Lambda setup was secure, but a single misconfigured IAM role put our entire infrastructure at risk. This is the story of how we discovered the 'Confused Deputy' problem and what we did to fix it.
Introduction to the Confused Deputy Problem
The 'Confused Deputy' problem is a security risk that arises when a service or application is granted excessive permissions, allowing it to perform actions on behalf of another entity without proper authorization. This issue can be particularly problematic in AWS, where IAM roles and policies are used to manage access to resources.
import { CreateRoleCommand, CreatePolicyCommand } from '@aws-sdk/client-iam';
const createRoleCommand = new CreateRoleCommand({
RoleName: 'cross-account-lambda-role',
AssumeRolePolicyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: {
Service: 'lambda.amazonaws.com',
},
Action: 'sts:AssumeRole',
},
],
},
});
const createPolicyCommand = new CreatePolicyCommand({
PolicyName: 'cross-account-lambda-policy',
PolicyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: 's3:GetObject',
Resource: 'arn:aws:s3:::example-bucket/*',
},
],
},
});
The 'Confused Deputy' problem can have devastating consequences if left unchecked. Make sure to regularly review and update your IAM roles and policies to prevent this issue.
How the Confused Deputy Problem Arises in Cross-Account Lambda
The 'Confused Deputy' problem can arise in cross-account Lambda functions when an IAM role is misconfigured, granting the Lambda function excessive permissions. This can happen when the IAM role is created with a policy that allows access to resources in another account, without proper restrictions.
import { PutRolePolicyCommand } from '@aws-sdk/client-iam';
const putRolePolicyCommand = new PutRolePolicyCommand({
RoleName: 'cross-account-lambda-role',
PolicyName: 'cross-account-lambda-policy',
PolicyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: 's3:GetObject',
Resource: '*',
},
],
},
});
Be careful when using the
*wildcard in IAM policies, as it can grant access to all resources in an account. Instead, use specific ARNs to restrict access to only the necessary resources.
When we ran our cross-account Lambda function, we encountered the following error:
User: arn:aws:iam::123456789012:role/cross-account-lambda-role is not authorized to perform: s3:GetObject on resource: arn:aws:s3:::example-bucket/object.txt
This error led us to investigate the IAM role and policy, where we discovered the misconfiguration that was causing the 'Confused Deputy' problem.
Diagnosing and Fixing the Issue
To diagnose the 'Confused Deputy' problem, we need to review the IAM roles and policies associated with the Lambda function. We can use the AWS CLI to list the policies attached to the role and inspect their contents.
import { ListAttachedRolePoliciesCommand } from '@aws-sdk/client-iam';
const listAttachedRolePoliciesCommand = new ListAttachedRolePoliciesCommand({
RoleName: 'cross-account-lambda-role',
});
const response = await listAttachedRolePoliciesCommand.send();
console.log(response);
Output:
{
AttachedPolicies: [
{
PolicyArn: 'arn:aws:iam::123456789012:policy/cross-account-lambda-policy',
PolicyName: 'cross-account-lambda-policy',
},
],
}
When diagnosing IAM issues, it's essential to understand the policy evaluation order. Explicit deny always wins, so make sure to review the policies carefully to avoid unintended permissions.
To fix the issue, we updated the IAM policy to restrict access to only the necessary resources.
const updatedPolicyDocument = {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: 's3:GetObject',
Resource: 'arn:aws:s3:::example-bucket/object.txt',
},
],
};
Best Practices for Securing Cross-Account Lambda Functions
To prevent the 'Confused Deputy' problem in cross-account Lambda functions, follow these best practices:
import { CreateRoleCommand } from '@aws-sdk/client-iam';
const createRoleCommand = new CreateRoleCommand({
RoleName: 'cross-account-lambda-role',
AssumeRolePolicyDocument: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Principal: {
Service: 'lambda.amazonaws.com',
},
Action: 'sts:AssumeRole',
Condition: {
StringLike: {
'aws:sourceArn': 'arn:aws:lambda:123456789012:function:cross-account-lambda',
},
},
},
],
},
});
Use specific ARNs and conditions to restrict access to only the necessary resources. This will help prevent the 'Confused Deputy' problem and reduce the risk of unauthorized access.
Common Pitfalls and Gotchas
When working with IAM roles and policies, there are several common pitfalls to watch out for.
import { AssumeRoleCommand } from '@aws-sdk/client-iam';
const assumeRoleCommand = new AssumeRoleCommand({
RoleArn: 'arn:aws:iam::123456789012:role/cross-account-lambda-role',
RoleSessionName: 'cross-account-lambda-session',
});
const response = await assumeRoleCommand.send();
console.log(response);
Output:
{
AssumedRoleUser: {
AssumedRoleId: 'AROA123456789012:cross-account-lambda-session',
Arn: 'arn:aws:sts::123456789012:assumed-role/cross-account-lambda-role/cross-account-lambda-session',
},
Credentials: {
AccessKeyId: 'AKIAIOSFODNN7EXAMPLE',
SecretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
SessionToken: 'FQoGZXIvYXdzEAkaDJDH4h4zQ9q6Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Zf9Z
---
> **Transparency notice**
>
> This article was generated by using AI system using [Groq](https://groq.com) Model - (LLaMA 3.3 70B).
> The topic was scouted from live AWS and Node.js ecosystem signals, and the content —
> including all code examples — was written autonomously without human editing.
>
> **Published:** 2026-05-27 · **Primary focus:** IAM
>
> All code blocks are intended to be correct and runnable, but please verify them
> against the official [AWS SDK v3 docs](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/)
> before using in production.
>
> *Find an error? Drop a comment — corrections are always welcome.*
Top comments (0)