Intrinsic for Lambda

We currently have two separate products, Intrinsic for Node.js and Intrinsic for Lambda. Both of these products bring the same protections to your Node.js-based applications, using the same policy syntax. However, bootstrapping Intrinsic differs slightly. Since Intrinsic for Lambda is largely a simplified subset of functionality we're dedicating this page for documenting its differences.

Here's an example Intrinsic for Lambda handler file. This file will be in charge of initializing Intrinsic, configuring policies, and eventually requiring the “real” handler file—in this case named handler.js. We're assuming the exported handler function will be named myfunc, which of course can be renamed to whatever your application normally uses.

const IntrinsicLambda = require('@intrinsic/lambda');

module.exports = new IntrinsicLambda()
  // .enableMonitorMode() // This line enables monitor mode
  .configurePolicies(policy => {
    // Configure policies by using the `policy` object

This is where Intrinsic for Lambda differs from Intrinsic for Node.js. Instead of having a separate file for configuring policies, they are configured within the same bootstrap file. Intrinsic for Lambda protects your application by using a single sandbox, having a single set of policies, applied globally to your entire Lambda application.

Within the .configurePolicies() method, all of the method calls need to be performed synchronously. For example, you cannot wait for policy-related information to download and then apply the policies once the download is complete. If you do need to perform asynchronous work then do so ahead of time.

Another important note is that you must let your application code be loaded by Intrinsic for Lambda (by setting the correct handler file and calling run()), instead of you manually calling require() from the policy file. Intrinsic needs to load your handler itself to ensure that all application code (and any other code your application code ends up require-ing) is subject to policy enforcement.


Installing Intrinsic for Lambda is the same as with Intrinsic for Node.js. The only difference is that the filename is a little different.

The file name is formatted as intrinsic-lambda-X.Y.Z.tgz, where X.Y.Z is a Semver release number. Within the project.json's dependencies, a path to the tarball prefixed with file: is used instead of the normal Semver version. As an example, a very minimal project whose only dependency is Intrinsic might have a package.json file which looks like the following:

  "dependencies": {
    "@intrinsic/lambda": "file:./path/to/intrinsic-lambda-1.0.0.tgz"

First Steps

To enable Intrinsic on your Lambda function, you first create a simple wrapper file that specifies policies, along with the handler that should be protected.

Suppose your Lambda handler is handler.myfunc (that is, an exported function named myfunc within a file called handler.js), and you wish to apply policies to it. We would make use of the same intrinsic.js file described above.

Then reconfigure AWS Lambda to call the Intrinsic handler rather than your existing handler. This can be done through the AWS Console, or through the aws command line interface:

aws lambda update-function-configuration \
  --function-name MyFunctionName \
  --handler intrinsic.myfunc

For a more in-depth guide to setting up a new Lambda function and protecting it with Intrinsic policies, check out our hello world tutorial.