iamlive Lambda Extension

The iamlive Lambda Extension helps generate a least-privilege IAM policy by monitoring the AWS calls made within the Lambda execution environment.


You must first install the Lambda Layer into your environment, either from the Serverless Application Repository or by running sam build && sam deploy from the repository root.

Once installed, you should attach the iamlive Lambda Layer to the function you wish to monitor using the “Specify an ARN” option and set the following environment variables within the Lambda function:

Key              Value
AWS_CA_BUNDLE    /tmp/iamlive-ca.pem

It’s also strongly recommended you allocate at least an extra 512MB of memory to the Lambda function.


You may invoke your Lambda function as per your normal usage. When your invocation is complete, the results of the execution will be displayed at the start of your next execution, or once the Lambda has not been invoked for approximately 5 minutes (i.e. the Lambda runtime goes into SHUTDOWN).

It’s not recommended to continue to have the iamlive extension applied long-term or in a production environment due to the overheads involved.
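
The setup steps above (attach the layer, set AWS_CA_BUNDLE, add 512MB) and the removal this last paragraph recommends can be scripted. The following is an added example, not code from the iamlive project: it builds the arguments for boto3's update_function_configuration from the output of get_function_configuration, carrying over existing layers and environment variables because that call replaces both lists wholesale. The layer ARN, function name and sample configuration are constructed placeholders.

```python
CA_BUNDLE_KEY = "AWS_CA_BUNDLE"         # from the page
CA_BUNDLE_PATH = "/tmp/iamlive-ca.pem"  # from the page
EXTRA_MEMORY_MB = 512                   # from the page
LAMBDA_MAX_MEMORY_MB = 10240            # Lambda memory ceiling
# Placeholder: use the layer version ARN produced by your own deployment.
LAYER_ARN = "arn:aws:lambda:us-east-1:123456789012:layer:iamlive-placeholder:1"
# Constructed sample shaped like get_function_configuration output.
SAMPLE_CONFIG = {
    "FunctionName": "orders-handler",
    "MemorySize": 256,
    "Layers": [{"Arn": "arn:aws:lambda:us-east-1:123456789012:layer:shared-utils:3"}],
    "Environment": {"Variables": {"TABLE_NAME": "orders"}},
}

def _current(config):
    """Copy the layer ARNs and environment variables out of a config."""
    layers = [layer["Arn"] for layer in config.get("Layers", [])]
    variables = dict(config.get("Environment", {}).get("Variables", {}))
    return layers, variables

def attach_iamlive(config, layer_arn=LAYER_ARN):
    """Return update_function_configuration kwargs that add the layer."""
    layers, variables = _current(config)
    memory = config["MemorySize"]
    if layer_arn not in layers:
        layers.append(layer_arn)
        # Bump memory only on first attach so re-running is idempotent.
        memory = min(memory + EXTRA_MEMORY_MB, LAMBDA_MAX_MEMORY_MB)
    variables[CA_BUNDLE_KEY] = CA_BUNDLE_PATH
    return {"FunctionName": config["FunctionName"], "Layers": layers,
            "Environment": {"Variables": variables}, "MemorySize": memory}

def detach_iamlive(config, original_memory, layer_arn=LAYER_ARN):
    """Return kwargs that undo attach_iamlive once the policy is captured."""
    layers, variables = _current(config)
    layers = [arn for arn in layers if arn != layer_arn]
    # Drop the variable only if it still points at the iamlive bundle.
    if variables.get(CA_BUNDLE_KEY) == CA_BUNDLE_PATH:
        del variables[CA_BUNDLE_KEY]
    return {"FunctionName": config["FunctionName"], "Layers": layers,
            "Environment": {"Variables": variables},
            "MemorySize": original_memory}

if __name__ == "__main__":
    # Pass the result as boto3.client("lambda").update_function_configuration(**kwargs).
    print(attach_iamlive(SAMPLE_CONFIG))
```

Record the original MemorySize before attaching so that detach_iamlive can restore it.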