diff --git a/function/errors.go b/function/errors.go
index ace7d24..4d38aa8 100644
--- a/function/errors.go
+++ b/function/errors.go
@@ -40,6 +40,15 @@ func (e ErrFunctionCallFailed) Error() string {
 return fmt.Sprintf("Function call failed. Error: %q", e.Original)
 }
+// ErrFunctionAccessDenied occurs when Event Gateway don't have access to call a function.
+type ErrFunctionAccessDenied struct {
+ Original error
+}
+
+func (e ErrFunctionAccessDenied) Error() string {
+ return fmt.Sprintf("Function access denied. Error: %q", e.Original)
+}
+
 // ErrFunctionProviderError occurs when function call failed because of provider error.
 type ErrFunctionProviderError struct {
 Original error
diff --git a/function/function.go b/function/function.go
index 540ac7b..6ce3678 100644
--- a/function/function.go
+++ b/function/function.go
@@ -122,13 +122,18 @@ func (w WeightedFunctions) Choose() (ID, error) {
 return chosenFunction, nil
 }
+// nolint: gocyclo
 func (f *Function) callAWSLambda(payload []byte) ([]byte, error) {
 config := aws.NewConfig().WithRegion(f.Provider.Region)
 if f.Provider.AWSAccessKeyID != "" && f.Provider.AWSSecretAccessKey != "" {
 config = config.WithCredentials(credentials.NewStaticCredentials(f.Provider.AWSAccessKeyID, f.Provider.AWSSecretAccessKey, f.Provider.AWSSessionToken))
 }
- awslambda := lambda.New(session.New(config))
+ awsSession, err := session.NewSession(config)
+ if err != nil {
+ return nil, &ErrFunctionProviderError{err}
+ }
+ awslambda := lambda.New(awsSession)
 invokeOutput, err := awslambda.Invoke(&lambda.InvokeInput{
 FunctionName: &f.Provider.ARN,
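Review bot: The doc comment on `ErrFunctionAccessDenied` in function/errors.go has a grammar slip and does not say what `Original` carries; I would write `// ErrFunctionAccessDenied occurs when the Event Gateway is not authorized to call a function.` Because `Error()` embeds the provider's error text through `%q`, and provider authorization errors often name the calling identity and the target resource, a second line such as `// Error() includes provider detail: log it server-side, do not return it to clients.` would record why the router answers with a fixed message. The `Error` method itself has no doc comment.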
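Review bot: `// nolint: gocyclo` above `callAWSLambda` in function/function.go silences the complexity check instead of lowering the complexity, and the directive sits where a doc comment for the function would normally go. The part that grows here is the translation of AWS error codes into gateway error types, which could move into a small helper such as `func mapLambdaError(err awserr.Error) error`. That would let the code-to-error mapping be unit-tested without invoking Lambda, which matters now that one of the outcomes is an authorization failure. The function body continues past the end of this hunk, so the rest of the error handling is not visible here.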
@@ -137,6 +142,10 @@ func (f *Function) callAWSLambda(payload []byte) ([]byte, error) {
 if err != nil {
 if awserr, ok := err.(awserr.Error); ok {
 switch awserr.Code() {
+ case "AccessDeniedException":
+ case "InvalidSignatureException":
+ case "UnrecognizedClientException":
+ return nil, &ErrFunctionAccessDenied{awserr}
 case lambda.ErrCodeServiceException:
 return nil, &ErrFunctionProviderError{awserr}
 default:
diff --git a/router/router.go b/router/router.go
index 688dd10..779f9d6 100644
--- a/router/router.go
+++ b/router/router.go
@@ -226,9 +226,14 @@ func (router *Router) handleHTTPEvent(event *eventpkg.Event, w http.ResponseWrit
 event.Data = httpdata
 resp, err := router.callFunction(space, *backingFunction, *event)
 if err != nil {
+ message := "function call failed"
+ if _, ok := err.(*function.ErrFunctionAccessDenied); ok {
+ message = "function access denied"
+ }
+
 w.WriteHeader(http.StatusInternalServerError)
 w.Header().Set("Content-Type", "application/json")
- encoder.Encode(&httpapi.Response{Errors: []httpapi.Error{{Message: "function call failed"}}})
+ encoder.Encode(&httpapi.Response{Errors: []httpapi.Error{{Message: message}}})
 return
 }
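Review bot: Go `switch` cases do not fall through, so in `callAWSLambda` the added `case "AccessDeniedException":` and `case "InvalidSignatureException":` have empty bodies and only `UnrecognizedClientException` reaches `return nil, &ErrFunctionAccessDenied{awserr}`. The other two codes leave the switch without returning, and what happens to them next is outside this hunk, so they are presumably still reported as a generic failure or not reported at all. The three codes should share one clause: `case "AccessDeniedException", "InvalidSignatureException", "UnrecognizedClientException":`. A table-driven test over the three codes would catch this regression.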
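Review bot: In `handleHTTPEvent` the response header is written before the content type is set: `w.WriteHeader(http.StatusInternalServerError)` comes first, so the following `w.Header().Set("Content-Type", "application/json")` has no effect on the response. That ordering predates this commit, but clients now have a reason to parse the body to tell the two messages apart, so the two lines should be swapped. The assertion `err.(*function.ErrFunctionAccessDenied)` only matches an unwrapped pointer; `callFunction` is not visible here, so confirm it returns the error as produced and never a value or a wrapped error. Keeping the client-facing text fixed and not echoing `err.Error()` is the right choice, though the underlying error should still be logged server-side if it is not already.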