AWS Certified Developer Associate (DVA-C02) > Domain 1: Development with AWS Services > Develop code for AWS Lambda > 1.2.5 Integrate Lambda with AWS Services

1.2.5 Integrate Lambda with AWS Services

Integrate Lambda with AWS Services

Permission Model

Lambda cần 2 loại permissions:

Type	Mô tả	Ví dụ
Execution Role (IAM Role)	Lambda cần permissions để GỌI AWS services	Lambda → DynamoDB PutItem
Resource-based Policy	Cho phép AWS services INVOKE Lambda	S3 → invoke Lambda

Execution Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/Orders"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}

Mỗi Lambda function có 1 execution role
Least privilege: chỉ cấp permissions cần thiết
AWSLambdaBasicExecutionRole — managed policy cho CloudWatch Logs

Resource-based Policy

{
  "Effect": "Allow",
  "Principal": {"Service": "s3.amazonaws.com"},
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:*:*:function:MyFunction",
  "Condition": {
    "ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-bucket"}
  }
}

Common Integration Patterns

Service	Pattern	Mô tả
API Gateway	Sync invoke	REST/HTTP API → Lambda
S3	Async invoke	Object events → Lambda
SQS	Event source mapping	Lambda polls SQS
DynamoDB Streams	Event source mapping	Lambda polls stream
Kinesis	Event source mapping	Lambda polls stream
SNS	Async invoke	Push notification → Lambda
EventBridge	Async invoke	Event rules → Lambda
Step Functions	Sync/Async	Orchestration workflow

Event Source Mapping

Lambda polls source (SQS, Kinesis, DynamoDB Streams)
Lambda service cần permissions để đọc từ source (trong execution role)
Batch size, batch window configurable

Exam Tip: Execution Role = Lambda gọi services khác. Resource-based Policy = services khác gọi Lambda. Event Source Mapping = Lambda polls (SQS, Kinesis, DynamoDB Streams).