Permissions for @turbot/aws-lambda

Taking a look at permissions and associated grant levels for each permission for Lambda:

Permission	Grant Level	Help
iam:ListRoles	Metadata
iam:PassRole	Admin	To create a Lambda function the user must have permission to pass the role to it.
lambda:AddLayerVersionPermission	Admin	AddLayerVersionPermission is for resources utilizing the push model. This will be common and should be at Operator level. But it allows cross-account pushing to Lambda so needs associated guardrails.
lambda:AddPermission	Admin	AddPermission is for resources utilizing the push model. This will be common and should be at Operator level. But it allows cross-account pushing to Lambda so needs associated guardrails.
lambda:CreateAlias	Admin	Admin controls functions release of functions and aliases to functions.
lambda:CreateCodeSigningConfig	Admin
lambda:CreateEventSourceMapping	Operator	Operators can manage the triggers & use of functions.
lambda:CreateFunction	Admin	Admin controls functions release of functions and aliases to functions.
lambda:DeleteAlias	Admin	Admin controls functions release of functions and aliases to functions.
lambda:DeleteCodeSigningConfig	Admin
lambda:DeleteEventSourceMapping	Operator	Operators can manage the triggers & use of functions.
lambda:DeleteFunction	Admin	Admin controls functions release of functions and aliases to functions.
lambda:DeleteFunction	Admin	Admin controls functions release of functions and aliases to functions.
lambda:DeleteFunctionCodeSigningConfig	Admin
lambda:DeleteFunctionConcurrency	Admin	Admin can manage concurrent execution limit.
lambda:DeleteFunctionEventInvokeConfig	Admin
lambda:DeleteLayerVersion	Admin
lambda:DeleteProvisionedConcurrencyConfig	Admin
lambda:DisableReplication	Admin
lambda:EnableReplication	Admin	Admins can Add a permission to resource policy that gives Lambda replication service permission to get function code and configuration.
lambda:GetAccountSettings	Metadata
lambda:GetAlias	Metadata
lambda:GetCodeSigningConfig	Metadata
lambda:GetFunctionCodeSigningConfig	Metadata
lambda:GetEventSourceMapping	Metadata
lambda:GetFunctionCodeSigningConfig	Metadata
lambda:GetFunction	ReadOnly	Lambda function code is considered data and requires privileges to view.
lambda:GetFunctionConcurrency	Metadata
lambda:GetFunctionConfiguration	Metadata
lambda:GetFunctionEventInvokeConfig	Metadata
lambda:GetLayerVersion	ReadOnly
lambda:GetLayerVersionByArn	Metadata
lambda:GetLayerVersionPolicy	Metadata
lambda:GetPolicy	Metadata
lambda:GetProvisionedConcurrencyConfig	Metadata
lambda:InvokeAsync	Operator	NOTE - Deprecated use Invoke instead.
lambda:InvokeFunction	Operator	Operators can invoke/run functions.
lambda:ListAliases	Metadata
lambda:ListCodeSigningConfigs	Metadata
lambda:ListEventSourceMappings	Metadata
lambda:ListFunctionsByCodeSigningConfig	Metadata
lambda:ListFunctionEventInvokeConfigs	Metadata
lambda:ListFunctions	Metadata	Does not include function code only the configuration information.
lambda:ListLayerVersions	Metadata
lambda:ListLayers	Metadata
lambda:ListProvisionedConcurrencyConfigs	Metadata
lambda:ListTags	Metadata
lambda:ListVersionsByFunction	Metadata
lambda:PublishLayerVersion	Admin	Admins can create a function layer from a ZIP archive. Each time you call PublishLayerVersion with the same version name a new version is created.
lambda:PublishVersion	Admin	Admin controls functions release of functions and aliases to functions.
lambda:PutFunctionConcurrency	Admin	Admin can manage concurrent execution limit.
lambda:PutFunctionEventInvokeConfig	Admin
lambda:PutFunctionCodeSigningConfig	Admin
lambda:PutProvisionedConcurrencyConfig	Admin
lambda:RemoveLayerVersionPermission	Admin
lambda:RemovePermission	Operator	Allows removal of permissions from push resources. This can be safely granted to Operator since it doesn't allow extra permissions.
lambda:TagResource	Operator	Operators can manage tags.
lambda:UntagResource	Operator	Operators can manage tags.
lambda:UpdateAlias	Operator	"Operators can deploy released versions. (But can't control releases or edit functions.)"
lambda:UpdateCodeSigningConfig	Admin
lambda:UpdateEventSourceMapping	Operator	Operators can manage the triggers & use of functions.
lambda:UpdateFunctionCode	Admin	Admin controls functions release of functions and aliases to functions.
lambda:UpdateFunctionCodeSigningConfig	Admin
lambda:UpdateFunctionConfiguration	Admin	Admin controls functions release of functions and aliases to functions.
lambda:UpdateFunctionEventInvokeConfig	Admin
s3:GetObject	Operator