| { | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "apigateway:*", | |
| "cloudformation:CancelUpdateStack", | |
| "cloudformation:ContinueUpdateRollback", | |
| "cloudformation:CreateChangeSet", | |
| "cloudformation:CreateStack", | |
| "cloudformation:CreateUploadBucket", | |
| "cloudformation:DeleteStack", | |
| "cloudformation:Describe*", | |
| "cloudformation:EstimateTemplateCost", | |
| "cloudformation:ExecuteChangeSet", | |
| "cloudformation:Get*", | |
| "cloudformation:List*", | |
| "cloudformation:UpdateStack", | |
| "cloudformation:UpdateTerminationProtection", | |
| "cloudformation:ValidateTemplate", | |
| "dynamodb:CreateTable", | |
| "dynamodb:DeleteTable", | |
| "dynamodb:DescribeTable", | |
| "dynamodb:DescribeTimeToLive", | |
| "dynamodb:UpdateTimeToLive", | |
| "ec2:AttachInternetGateway", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateInternetGateway", | |
| "ec2:CreateNetworkAcl", | |
| "ec2:CreateNetworkAclEntry", | |
| "ec2:CreateRouteTable", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateSubnet", | |
| "ec2:CreateTags", | |
| "ec2:CreateVpc", | |
| "ec2:DeleteInternetGateway", | |
| "ec2:DeleteNetworkAcl", | |
| "ec2:DeleteNetworkAclEntry", | |
| "ec2:DeleteRouteTable", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteSubnet", | |
| "ec2:DeleteVpc", | |
| "ec2:Describe*", | |
| "ec2:DetachInternetGateway", | |
| "ec2:ModifyVpcAttribute", | |
| "events:DeleteRule", | |
| "events:DescribeRule", | |
| "events:ListRuleNamesByTarget", | |
| "events:ListRules", | |
| "events:ListTargetsByRule", | |
| "events:PutRule", | |
| "events:PutTargets", | |
| "events:RemoveTargets", | |
| "iam:AttachRolePolicy", | |
| "iam:CreateRole", | |
| "iam:DeleteRole", | |
| "iam:DeleteRolePolicy", | |
| "iam:DetachRolePolicy", | |
| "iam:GetRole", | |
| "iam:PassRole", | |
| "iam:PutRolePolicy", | |
| "iot:CreateTopicRule", | |
| "iot:DeleteTopicRule", | |
| "iot:DisableTopicRule", | |
| "iot:EnableTopicRule", | |
| "iot:ReplaceTopicRule", | |
| "kinesis:CreateStream", | |
| "kinesis:DeleteStream", | |
| "kinesis:DescribeStream", | |
| "lambda:*", | |
| "logs:CreateLogGroup", | |
| "logs:DeleteLogGroup", | |
| "logs:DescribeLogGroups", | |
| "logs:DescribeLogStreams", | |
| "logs:FilterLogEvents", | |
| "logs:GetLogEvents", | |
| "logs:PutSubscriptionFilter", | |
| "s3:CreateBucket", | |
| "s3:DeleteBucket", | |
| "s3:DeleteBucketPolicy", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion", | |
| "s3:GetObject", | |
| "s3:GetObjectVersion", | |
| "s3:ListAllMyBuckets", | |
| "s3:ListBucket", | |
| "s3:PutBucketNotification", | |
| "s3:PutBucketPolicy", | |
| "s3:PutBucketTagging", | |
| "s3:PutBucketWebsite", | |
| "s3:PutEncryptionConfiguration", | |
| "s3:PutObject", | |
| "sns:CreateTopic", | |
| "sns:DeleteTopic", | |
| "sns:GetSubscriptionAttributes", | |
| "sns:GetTopicAttributes", | |
| "sns:ListSubscriptions", | |
| "sns:ListSubscriptionsByTopic", | |
| "sns:ListTopics", | |
| "sns:SetSubscriptionAttributes", | |
| "sns:SetTopicAttributes", | |
| "sns:Subscribe", | |
| "sns:Unsubscribe", | |
| "states:CreateStateMachine", | |
| "states:DeleteStateMachine" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| } | |
| ], | |
| "Version": "2012-10-17" | |
| } |
cloudformation:DeleteChangeSet
states:TagResource
logs:TagResource
are missing for the basic Node starter — please add them.
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights?
Personally, I've tested the configurations provided in this gist, but unfortunately they didn't work as expected. It appears that certain permissions are missing with the latest version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights?
Personally, I've tested the configurations provided in this gist, but unfortunately they didn't work as expected. It appears that certain permissions are missing with the latest version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
Great! Can't wait for your configuration!
Here is what I cobbled together for serverless Lambda deployments based on the helpful comments here. This could be improved by specifying your account id instead of allowing
`*`. I was unsure which role should be allowed for `iam:GetRole` and ended up specifying `*` for that. If anyone knows which roles should be allowed there, please comment.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "logs:DescribeLogGroups", "lambda:List*", "logs:DescribeLogStreams", "lambda:Get*", "logs:PutRetentionPolicy", "cloudformation:List*", "logs:CreateLogGroup", "cloudformation:ValidateTemplate", "cloudformation:Describe*", "cloudformation:Get*" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "events:Put*", "events:Remove*", "events:Delete*" ], "Resource": [ "arn:aws:events:us-east-1::event-source/*", "arn:aws:events:us-east-1:*:rule/*", "arn:aws:events:us-east-1:*:event-bus/*" ] }, { "Effect": "Allow", "Action": [ "events:DescribeRule" ], "Resource": [ "arn:aws:events:us-east-1:*:rule/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:PutAccelerateConfiguration", "s3:ListBucketVersions", "s3:CreateBucket", "iam:CreateRole", "s3:ListBucket", "iam:AttachRolePolicy", "iam:PutRolePolicy", "cloudformation:CreateChangeSet", "s3:GetBucketPolicy", "cloudformation:DeleteChangeSet", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "iam:PassRole", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "s3:PutBucketAcl", "lambda:PutFunctionEventInvokeConfig", "cloudformation:UpdateStack", "lambda:DeleteFunctionEventInvokeConfig", "lambda:DeleteFunction", "s3:DeleteBucket", "cloudformation:ExecuteChangeSet", "iam:GetRole", "s3:PutBucketPublicAccessBlock", "lambda:InvokeFunction", "logs:DeleteLogGroup", "lambda:Update*", "iam:DeleteRole", "s3:DeleteBucketPolicy", "lambda:AddPermission", "cloudformation:CreateStack", "cloudformation:DeleteStack", "s3:PutBucketPolicy", "lambda:PublishVersion", "s3:GetBucketLocation", "lambda:RemovePermission", "lambda:CreateAlias" ], "Resource": [ "arn:aws:s3:::*", "arn:aws:iam::*:role/LambdaExecutionRole", 
"arn:aws:lambda:us-east-1:*:function:*", "arn:aws:lambda:us-east-1:*:event-source-mapping:*", "arn:aws:cloudformation:us-east-1:*:stack/*/*", "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::*/*" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:Describe*" ], "Resource": "arn:aws:cloudformation:us-east-1:*:stack/*/*" }, { "Effect": "Allow", "Action": [ "iam:GetRole" ], "Resource": [ "arn:aws:iam::*:role/*" ] } ] }