-
-
Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
{ | |
"Statement": [ | |
{ | |
"Action": [ | |
"apigateway:*", | |
"cloudformation:CancelUpdateStack", | |
"cloudformation:ContinueUpdateRollback", | |
"cloudformation:CreateChangeSet", | |
"cloudformation:CreateStack", | |
"cloudformation:CreateUploadBucket", | |
"cloudformation:DeleteStack", | |
"cloudformation:Describe*", | |
"cloudformation:EstimateTemplateCost", | |
"cloudformation:ExecuteChangeSet", | |
"cloudformation:Get*", | |
"cloudformation:List*", | |
"cloudformation:UpdateStack", | |
"cloudformation:UpdateTerminationProtection", | |
"cloudformation:ValidateTemplate", | |
"dynamodb:CreateTable", | |
"dynamodb:DeleteTable", | |
"dynamodb:DescribeTable", | |
"dynamodb:DescribeTimeToLive", | |
"dynamodb:UpdateTimeToLive", | |
"ec2:AttachInternetGateway", | |
"ec2:AuthorizeSecurityGroupIngress", | |
"ec2:CreateInternetGateway", | |
"ec2:CreateNetworkAcl", | |
"ec2:CreateNetworkAclEntry", | |
"ec2:CreateRouteTable", | |
"ec2:CreateSecurityGroup", | |
"ec2:CreateSubnet", | |
"ec2:CreateTags", | |
"ec2:CreateVpc", | |
"ec2:DeleteInternetGateway", | |
"ec2:DeleteNetworkAcl", | |
"ec2:DeleteNetworkAclEntry", | |
"ec2:DeleteRouteTable", | |
"ec2:DeleteSecurityGroup", | |
"ec2:DeleteSubnet", | |
"ec2:DeleteVpc", | |
"ec2:Describe*", | |
"ec2:DetachInternetGateway", | |
"ec2:ModifyVpcAttribute", | |
"events:DeleteRule", | |
"events:DescribeRule", | |
"events:ListRuleNamesByTarget", | |
"events:ListRules", | |
"events:ListTargetsByRule", | |
"events:PutRule", | |
"events:PutTargets", | |
"events:RemoveTargets", | |
"iam:AttachRolePolicy", | |
"iam:CreateRole", | |
"iam:DeleteRole", | |
"iam:DeleteRolePolicy", | |
"iam:DetachRolePolicy", | |
"iam:GetRole", | |
"iam:PassRole", | |
"iam:PutRolePolicy", | |
"iot:CreateTopicRule", | |
"iot:DeleteTopicRule", | |
"iot:DisableTopicRule", | |
"iot:EnableTopicRule", | |
"iot:ReplaceTopicRule", | |
"kinesis:CreateStream", | |
"kinesis:DeleteStream", | |
"kinesis:DescribeStream", | |
"lambda:*", | |
"logs:CreateLogGroup", | |
"logs:DeleteLogGroup", | |
"logs:DescribeLogGroups", | |
"logs:DescribeLogStreams", | |
"logs:FilterLogEvents", | |
"logs:GetLogEvents", | |
"logs:PutSubscriptionFilter", | |
"s3:CreateBucket", | |
"s3:DeleteBucket", | |
"s3:DeleteBucketPolicy", | |
"s3:DeleteObject", | |
"s3:DeleteObjectVersion", | |
"s3:GetObject", | |
"s3:GetObjectVersion", | |
"s3:ListAllMyBuckets", | |
"s3:ListBucket", | |
"s3:PutBucketNotification", | |
"s3:PutBucketPolicy", | |
"s3:PutBucketTagging", | |
"s3:PutBucketWebsite", | |
"s3:PutEncryptionConfiguration", | |
"s3:PutObject", | |
"sns:CreateTopic", | |
"sns:DeleteTopic", | |
"sns:GetSubscriptionAttributes", | |
"sns:GetTopicAttributes", | |
"sns:ListSubscriptions", | |
"sns:ListSubscriptionsByTopic", | |
"sns:ListTopics", | |
"sns:SetSubscriptionAttributes", | |
"sns:SetTopicAttributes", | |
"sns:Subscribe", | |
"sns:Unsubscribe", | |
"states:CreateStateMachine", | |
"states:DeleteStateMachine" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
} | |
], | |
"Version": "2012-10-17" | |
} |
AWS limits the policy size by default to 2048 characters, and the policy in the gist exceeds that many characters. It is giving error:
Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent
I got this error:
Maximum policy size of 2048 bytes exceeded for user serverless-servicename-agent
It was fixed by removing spaces from the JSON file.
I also needed "logs:DeleteSubscriptionFilter"
to run sls remove
So far I am using this tool to help me generate policies for my serverless projects:
How the policy on "Resource": "*"
could be minimal? It is not. For instance, if you host other resources on the same AWS account's S3 (e.g. website) this policy will allow to do anything with it. Including uploading a backdoor or deleting your website whatsoever.
While it is very dangerous to use this policy in production, it is a good start. But it is not minimal and should be trimmed to your account situation. The title is absolutely misleading.
I need to add "states:TagResource"
@gotexis, @Gargoyle, @troggy I agree completely. We use this as a Terraform template. It also could be considered a work in progress, but it does not use "*"
for the Resource except where necessary. Of particular note, I have on my to-do list to add support for Cloudformation Change Sets, which was a "refactor" in Serverless version 3. This gist has ExecuteChangeSet
and CreateChangeSet
, but I found DeleteChangeSet
is also needed. edited: Looks like DescribeChangeSet
is used in the serverless code as well.
@joshuaquek thanks for that link. Wondering why that's not linked from the Serverless docs instead of this gist.
@schparky , sure no problem at all!
Hmm yeah I guess maybe its because the permission generator was not done by the same team that built the Serverless framework.
Side note - I have kind of moved on from serverless in general and now have been dabbling with unikernels instead haha - https://github.com/joshuaquek/expressjs-ops-unikernel
logs:CreateLogDelivery
missed here and required in some templates
cloudformation:DeleteChangeSet
was missing to make the Node.JS starter app work
Here is what I cobbled together for serverless Lambda deployments based on the helpful comments here. This could be improved by specifying your account id instead of allowing *
. I was unsure which role should be allowed for iam:GetRole
and ended up specifying *
for that. If anyone knows which roles should be allowed there please comment.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"logs:DescribeLogGroups",
"lambda:List*",
"logs:DescribeLogStreams",
"lambda:Get*",
"logs:PutRetentionPolicy",
"cloudformation:List*",
"logs:CreateLogGroup",
"cloudformation:ValidateTemplate",
"cloudformation:Describe*",
"cloudformation:Get*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:Put*",
"events:Remove*",
"events:Delete*"
],
"Resource": [
"arn:aws:events:us-east-1::event-source/*",
"arn:aws:events:us-east-1:*:rule/*",
"arn:aws:events:us-east-1:*:event-bus/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:us-east-1:*:rule/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutAccelerateConfiguration",
"s3:ListBucketVersions",
"s3:CreateBucket",
"iam:CreateRole",
"s3:ListBucket",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"cloudformation:CreateChangeSet",
"s3:GetBucketPolicy",
"cloudformation:DeleteChangeSet",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"s3:PutBucketAcl",
"lambda:PutFunctionEventInvokeConfig",
"cloudformation:UpdateStack",
"lambda:DeleteFunctionEventInvokeConfig",
"lambda:DeleteFunction",
"s3:DeleteBucket",
"cloudformation:ExecuteChangeSet",
"iam:GetRole",
"s3:PutBucketPublicAccessBlock",
"lambda:InvokeFunction",
"logs:DeleteLogGroup",
"lambda:Update*",
"iam:DeleteRole",
"s3:DeleteBucketPolicy",
"lambda:AddPermission",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"s3:PutBucketPolicy",
"lambda:PublishVersion",
"s3:GetBucketLocation",
"lambda:RemovePermission",
"lambda:CreateAlias"
],
"Resource": [
"arn:aws:s3:::*",
"arn:aws:iam::*:role/LambdaExecutionRole",
"arn:aws:lambda:us-east-1:*:function:*",
"arn:aws:lambda:us-east-1:*:event-source-mapping:*",
"arn:aws:cloudformation:us-east-1:*:stack/*/*",
"arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:Describe*"
],
"Resource": "arn:aws:cloudformation:us-east-1:*:stack/*/*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": [
"arn:aws:iam::*:role/*"
]
}
]
}
cloudformation:DeleteChangeSet
states:TagResource
logs:TagResource
are missing for the basic node starter .... please fix...
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
Great! Can't wait for your configuration!
As @carlin-q-scott says the above actions are sufficient to deploy the simple helloWorld from the docs. However if you want to actually attach a HTTP endpoint, you will also need
"apigateway:*"
. I'd bet one would restrict access to certain resources though for more security...