-
-
Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
{ | |
"Statement": [ | |
{ | |
"Action": [ | |
"apigateway:*", | |
"cloudformation:CancelUpdateStack", | |
"cloudformation:ContinueUpdateRollback", | |
"cloudformation:CreateChangeSet", | |
"cloudformation:CreateStack", | |
"cloudformation:CreateUploadBucket", | |
"cloudformation:DeleteStack", | |
"cloudformation:Describe*", | |
"cloudformation:EstimateTemplateCost", | |
"cloudformation:ExecuteChangeSet", | |
"cloudformation:Get*", | |
"cloudformation:List*", | |
"cloudformation:UpdateStack", | |
"cloudformation:UpdateTerminationProtection", | |
"cloudformation:ValidateTemplate", | |
"dynamodb:CreateTable", | |
"dynamodb:DeleteTable", | |
"dynamodb:DescribeTable", | |
"dynamodb:DescribeTimeToLive", | |
"dynamodb:UpdateTimeToLive", | |
"ec2:AttachInternetGateway", | |
"ec2:AuthorizeSecurityGroupIngress", | |
"ec2:CreateInternetGateway", | |
"ec2:CreateNetworkAcl", | |
"ec2:CreateNetworkAclEntry", | |
"ec2:CreateRouteTable", | |
"ec2:CreateSecurityGroup", | |
"ec2:CreateSubnet", | |
"ec2:CreateTags", | |
"ec2:CreateVpc", | |
"ec2:DeleteInternetGateway", | |
"ec2:DeleteNetworkAcl", | |
"ec2:DeleteNetworkAclEntry", | |
"ec2:DeleteRouteTable", | |
"ec2:DeleteSecurityGroup", | |
"ec2:DeleteSubnet", | |
"ec2:DeleteVpc", | |
"ec2:Describe*", | |
"ec2:DetachInternetGateway", | |
"ec2:ModifyVpcAttribute", | |
"events:DeleteRule", | |
"events:DescribeRule", | |
"events:ListRuleNamesByTarget", | |
"events:ListRules", | |
"events:ListTargetsByRule", | |
"events:PutRule", | |
"events:PutTargets", | |
"events:RemoveTargets", | |
"iam:AttachRolePolicy", | |
"iam:CreateRole", | |
"iam:DeleteRole", | |
"iam:DeleteRolePolicy", | |
"iam:DetachRolePolicy", | |
"iam:GetRole", | |
"iam:PassRole", | |
"iam:PutRolePolicy", | |
"iot:CreateTopicRule", | |
"iot:DeleteTopicRule", | |
"iot:DisableTopicRule", | |
"iot:EnableTopicRule", | |
"iot:ReplaceTopicRule", | |
"kinesis:CreateStream", | |
"kinesis:DeleteStream", | |
"kinesis:DescribeStream", | |
"lambda:*", | |
"logs:CreateLogGroup", | |
"logs:DeleteLogGroup", | |
"logs:DescribeLogGroups", | |
"logs:DescribeLogStreams", | |
"logs:FilterLogEvents", | |
"logs:GetLogEvents", | |
"logs:PutSubscriptionFilter", | |
"s3:CreateBucket", | |
"s3:DeleteBucket", | |
"s3:DeleteBucketPolicy", | |
"s3:DeleteObject", | |
"s3:DeleteObjectVersion", | |
"s3:GetObject", | |
"s3:GetObjectVersion", | |
"s3:ListAllMyBuckets", | |
"s3:ListBucket", | |
"s3:PutBucketNotification", | |
"s3:PutBucketPolicy", | |
"s3:PutBucketTagging", | |
"s3:PutBucketWebsite", | |
"s3:PutEncryptionConfiguration", | |
"s3:PutObject", | |
"sns:CreateTopic", | |
"sns:DeleteTopic", | |
"sns:GetSubscriptionAttributes", | |
"sns:GetTopicAttributes", | |
"sns:ListSubscriptions", | |
"sns:ListSubscriptionsByTopic", | |
"sns:ListTopics", | |
"sns:SetSubscriptionAttributes", | |
"sns:SetTopicAttributes", | |
"sns:Subscribe", | |
"sns:Unsubscribe", | |
"states:CreateStateMachine", | |
"states:DeleteStateMachine" | |
], | |
"Effect": "Allow", | |
"Resource": "*" | |
} | |
], | |
"Version": "2012-10-17" | |
} |
cloudformation:DeleteChangeSet
was missing to make the Node.JS starter app work
Here is what I cobbled together for serverless Lambda deployments based on the helpful comments here. This could be improved by specifying your account id instead of allowing *
. I was unsure which role should be allowed for iam:GetRole
and ended up specifying *
for that. If anyone knows which roles should be allowed there please comment.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"logs:DescribeLogGroups",
"lambda:List*",
"logs:DescribeLogStreams",
"lambda:Get*",
"logs:PutRetentionPolicy",
"cloudformation:List*",
"logs:CreateLogGroup",
"cloudformation:ValidateTemplate",
"cloudformation:Describe*",
"cloudformation:Get*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:Put*",
"events:Remove*",
"events:Delete*"
],
"Resource": [
"arn:aws:events:us-east-1::event-source/*",
"arn:aws:events:us-east-1:*:rule/*",
"arn:aws:events:us-east-1:*:event-bus/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:us-east-1:*:rule/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutAccelerateConfiguration",
"s3:ListBucketVersions",
"s3:CreateBucket",
"iam:CreateRole",
"s3:ListBucket",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"cloudformation:CreateChangeSet",
"s3:GetBucketPolicy",
"cloudformation:DeleteChangeSet",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"s3:PutBucketAcl",
"lambda:PutFunctionEventInvokeConfig",
"cloudformation:UpdateStack",
"lambda:DeleteFunctionEventInvokeConfig",
"lambda:DeleteFunction",
"s3:DeleteBucket",
"cloudformation:ExecuteChangeSet",
"iam:GetRole",
"s3:PutBucketPublicAccessBlock",
"lambda:InvokeFunction",
"logs:DeleteLogGroup",
"lambda:Update*",
"iam:DeleteRole",
"s3:DeleteBucketPolicy",
"lambda:AddPermission",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"s3:PutBucketPolicy",
"lambda:PublishVersion",
"s3:GetBucketLocation",
"lambda:RemovePermission",
"lambda:CreateAlias"
],
"Resource": [
"arn:aws:s3:::*",
"arn:aws:iam::*:role/LambdaExecutionRole",
"arn:aws:lambda:us-east-1:*:function:*",
"arn:aws:lambda:us-east-1:*:event-source-mapping:*",
"arn:aws:cloudformation:us-east-1:*:stack/*/*",
"arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:Describe*"
],
"Resource": "arn:aws:cloudformation:us-east-1:*:stack/*/*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": [
"arn:aws:iam::*:role/*"
]
}
]
}
cloudformation:DeleteChangeSet
states:TagResource
logs:TagResource
are missing for the basic node starter .... please fix...
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
Great! Can't wait for your configuration!
logs:CreateLogDelivery
missed here and required in some templates