diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
index 3ef0b348ad768..3dab9518ed3df 100644
--- a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -167,11 +167,6 @@ export interface OpenIdConnectConfig {
 export interface LambdaAuthorizerConfig {
   /**
    * The authorizer lambda function.
-   * Note: This Lambda function must have the following resource-based policy assigned to it.
-   * When configuring Lambda authorizers in the console, this is done for you.
-   * To do so with the AWS CLI, run the following:
-   *
-   * `aws lambda add-permission --function-name "arn:aws:lambda:us-east-2:111122223333:function:my-function" --statement-id "appsync" --principal appsync.amazonaws.com --action lambda:InvokeFunction`
    *
    * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-appsync-graphqlapi-lambdaauthorizerconfig.html
    */
@@ -519,6 +514,17 @@ export class GraphqlApi extends GraphqlApiBase {
       this.apiKeyResource.addDependsOn(this.schemaResource);
       this.apiKey = this.apiKeyResource.attrApiKey;
     }
+
+    if (modes.some((mode) => mode.authorizationType === AuthorizationType.LAMBDA)) {
+      const config = modes.find((mode: AuthorizationMode) => {
+        return mode.authorizationType === AuthorizationType.LAMBDA && mode.lambdaAuthorizerConfig;
+      })?.lambdaAuthorizerConfig;
+      config?.handler.addPermission('appsync', {
+        principal: new ServicePrincipal('appsync.amazonaws.com'),
+        action: 'lambda:InvokeFunction',
+      });
+    }
+
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
index e21bcf3da62c0..4574e365b5151 100644
--- a/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
+++ b/packages/@aws-cdk/aws-appsync/test/appsync-auth.test.ts
@@ -669,6 +669,18 @@ describe('AppSync Lambda Authorization', () => {
         },
       },
     });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
+
+
   });
 
   test('Lambda authorization configurable in default authorization', () => {
@@ -702,6 +714,15 @@ describe('AppSync Lambda Authorization', () => {
         IdentityValidationExpression: 'custom-.*',
       },
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization has default configuration', () => {
@@ -733,6 +754,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization configurable in additional authorization', () => {
@@ -768,6 +798,15 @@ describe('AppSync Lambda Authorization', () => {
         },
       }],
     });
+    Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
+      Action: 'lambda:InvokeFunction',
+      FunctionName: {
+        'Fn::GetAtt': [
+          'authfunction96361832',
+          'Arn',
+        ],
+      },
+    });
   });
 
   test('Lambda authorization throws with multiple lambda authorization', () => {