alexcasalboni / aws-lambda-power-tuning

AWS Lambda Power Tuning is an open-source tool that can help you visualize and fine-tune the memory/power configuration of Lambda functions. It runs in your own AWS account - powered by AWS Step Functions - and it supports three optimization strategies: cost, speed, and balanced.


Remove security sensitive lambda:DeleteFunction permission

akokare opened this issue · comments

I recommend we find a way to run the state machine without requiring this permission to be enabled. There is an inherent risk of bringing down production systems if the user or role giving access to this state machine is compromised, and it can be a deterrent factor to getting clearance from security teams to use this great app. That being said, the risk associated with CRUD permissions on the function aliases is acceptable and could be leveraged as a workaround. I'd love to see if this change can be incorporated.

Hi @akokare 👋 thanks for reaching out and for raising a valid concern 🙏

Let me share some context and the existing way to mitigate this risk.

The lambda:DeleteFunction permission is only used to delete Lambda versions (not functions). But, as you said, it could become a problem in case of compromised functions or state machines (even if it's very unlikely).

That is why you can easily configure Lambda Power Tuning with lambdaResource (at deploy time), so that the target resource of all the lambda:* actions only includes that specific function (or pattern).

In addition to that, I would highly recommend deploying and using Lambda Power Tuning in dev/stage accounts, where there is no risk of bringing down production workloads, while you still get the benefits of power-tuning your functions in a real AWS environment and with real resources.

Does that address your concerns?
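To make the scoping discussed above concrete, here is an added example (not code from the repository or its deployment template): two constructed IAM policy statements, one granting lambda:DeleteFunction on Resource "*" and one restricted to a function ARN pattern the way a lambdaResource value would restrict it, plus a small reviewer check that flags grants of that action on every function. The account id, region and function names are placeholders.

```python
import fnmatch
import json

# Constructed sample policies (placeholders, not the tool's real template).
# The first leaves lambda:DeleteFunction unscoped; the second limits every
# lambda:* action to one function name pattern, as lambdaResource would.
UNSCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:PublishVersion", "lambda:DeleteFunction",
                   "lambda:CreateAlias", "lambda:DeleteAlias"],
        "Resource": "*",
    }],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:*"],
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-service-*",
    }],
})

RISKY_ACTIONS = ("lambda:DeleteFunction",)

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list
    return value if isinstance(value, list) else [value]

def action_matches(action_pattern, action):
    # IAM action names are case-insensitive and support '*' wildcards
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())

def resource_covers(resource_pattern, function_arn):
    """Does an IAM Resource pattern (with '*' wildcards) cover this function ARN?"""
    return fnmatch.fnmatchcase(function_arn, resource_pattern)

def find_unscoped_delete(policy_json, risky_actions=RISKY_ACTIONS):
    """Return (statement_index, resource) pairs granting a risky action on
    every function: Resource '*' or an ARN pattern ending in 'function:*'."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        if not any(action_matches(p, a) for p in patterns for a in risky_actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.endswith(":function:*"):
                findings.append((idx, res))
    return findings
```

Running find_unscoped_delete over the role policy of a deployed state machine is a quick way to confirm that lambdaResource actually narrowed the grant before security review.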

@akokare is this blocking you from using the tool in your organization?

Did you look into lambdaResource as a way to mitigate risks even further?

I'm closing this for now, feel free to reopen and/or add new comments, if needed.