I want to create a lambda that will exist in one central account and that will get invoked by other accounts within my Organization. I know it is possible to grant access for another individual account to invoke a lambda using a resource policy, but can I grant access to all accounts in my Organization using Organization Unit IDs somehow? If so, how?
Ideally I want to make it so as new accounts get added in my Organization they will automatically have access to invoke the lambda without requiring me to update the policy and grant them access via the individual account ID.
I found this can be done using a resource policy on the lambda function with a condition that specifies the aws:PrincipalOrgID, such as:

```json
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:098765432109:function:My_Example_Function",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-myorgidexample"
        }
      }
    }
  ]
}
```
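As an added example (not part of the answer above), the following Python builds the organization-scoped statement and audits a function's resource policy, as returned by `aws lambda get-policy`, for the failure mode this pattern guards against: a `"Principal": "*"` Allow statement with no `aws:PrincipalOrgID` (or `aws:PrincipalOrgPaths`) condition, which would let any AWS account invoke the function. The ARN and org ID are placeholders taken from the answer, and the sample policy is constructed for the test.

```python
import json

# Placeholder values for this example (not real resources).
FUNCTION_ARN = "arn:aws:lambda:us-east-1:098765432109:function:My_Example_Function"
ORG_ID = "o-myorgidexample"
ORG_KEYS = {"aws:principalorgid", "aws:principalorgpaths"}  # IAM condition keys are case-insensitive

def build_org_scoped_policy(function_arn, org_id):
    """Resource policy letting any principal inside the organization invoke the function."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowInvokeFromOrg",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }]}

def _org_scoped(condition):
    """True if any condition operator block carries an organization condition key."""
    return any(k.lower() in ORG_KEYS for block in condition.values() for k in block)

def audit_lambda_policy(policy):
    """Return Sids of Allow statements whose principal is '*' (or {"AWS": "*"}) and that
    carry no organization condition, i.e. the function is invokable from any AWS account.
    Accepts the JSON string from `aws lambda get-policy` (its Policy field) or a parsed dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not _org_scoped(stmt.get("Condition", {})):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample policy: one correctly scoped statement plus one open to the world.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    build_org_scoped_policy(FUNCTION_ARN, ORG_ID)["Statement"][0],
    {"Sid": "OpenToAnyone", "Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN},
]})

print(audit_lambda_policy(SAMPLE_POLICY))  # ['OpenToAnyone']
```

The scoped statement can be attached with `aws lambda add-permission --function-name My_Example_Function --statement-id AllowInvokeFromOrg --action lambda:InvokeFunction --principal '*' --principal-org-id o-myorgidexample`. Note that the resource policy is only half of cross-account access: the calling account's role or user still needs an identity-based policy granting `lambda:InvokeFunction` on the function ARN.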