Do policies need to be defined on both sides of a relationship?

For example, suppose I have a Lambda with a policy that allows every principal on the account to invoke it. If I create an API Gateway that needs to invoke that Lambda, do I need to create a policy that gives the API GW explicit permission to do it? Or does the Lambda's policy inherently allow the API Gateway to invoke it?

Thanks

Paolo

1 Answer

Generally speaking, yes, permissions are required on both ends.

However, in this scenario, only the Lambda's policy (which is a "resource-based policy") is needed for the API Gateway to be able to invoke the Lambda.

From the documentation:

Amazon API Gateway gets permission to invoke your function from the function's resource-based policy. You can grant invoke permission to an entire API, or grant limited access to a stage, resource, or method.

Paolo
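Added example, not part of the answer above or of the AWS documentation: a small Python audit of a function's resource-based policy that lists which statements grant invoke permission to API Gateway and whether each grant is limited to an API, stage, or method. It assumes API Gateway calls the function as the service principal `apigateway.amazonaws.com` and that the scope is expressed through an `aws:SourceArn` condition; the account id, region, API id, function name, and the helper names `apigw_grants` and `allows_call` are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

APIGW = "apigateway.amazonaws.com"
FN_ARN = "arn:aws:lambda:us-east-1:111122223333:function:demo"  # placeholder

# Constructed sample in the shape `aws lambda get-policy` returns; all ids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "account-wide", "Effect": "Allow",        # IAM principals of the account
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN},
    {"Sid": "apigw-get-items", "Effect": "Allow",     # API Gateway, one method only
     "Principal": {"Service": APIGW},
     "Action": "lambda:InvokeFunction", "Resource": FN_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn":
         "arn:aws:execute-api:us-east-1:111122223333:abc123/*/GET/items"}}},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def apigw_grants(policy_json):
    """Return [(sid, [source_arn_patterns])] for Allow statements that name the
    API Gateway service principal for lambda:InvokeFunction.
    An empty pattern list means the grant is not limited to any API."""
    grants = []
    for st in _as_list(json.loads(policy_json)["Statement"]):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or APIGW not in services:
            continue
        if not any(fnmatchcase("lambda:invokefunction", a) for a in actions):
            continue
        # Condition keys are case-insensitive; collect every aws:SourceArn value.
        patterns = [p for keys in st.get("Condition", {}).values()
                    for key, val in keys.items() if key.lower() == "aws:sourcearn"
                    for p in _as_list(val)]
        grants.append((st.get("Sid"), patterns))
    return grants


def allows_call(policy_json, execute_api_arn):
    """True if some grant covers this API/stage/method ARN (glob match, an
    approximation of IAM's ArnLike operator)."""
    return any(not pats or any(fnmatchcase(execute_api_arn, p) for p in pats)
               for _, pats in apigw_grants(policy_json))
```

A grant that comes back with an empty pattern list is worth reviewing, since it is not tied to any particular API.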