Skip to content

Instantly share code, notes, and snippets.

@ServerlessBot
Last active December 20, 2023 16:50
Show Gist options
  • Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
Minimum credential set for Serverless Framework
{
"Statement": [
{
"Action": [
"apigateway:*",
"cloudformation:CancelUpdateStack",
"cloudformation:ContinueUpdateRollback",
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:EstimateTemplateCost",
"cloudformation:ExecuteChangeSet",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection",
"cloudformation:ValidateTemplate",
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:DescribeTimeToLive",
"dynamodb:UpdateTimeToLive",
"ec2:AttachInternetGateway",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateInternetGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:ModifyVpcAttribute",
"events:DeleteRule",
"events:DescribeRule",
"events:ListRuleNamesByTarget",
"events:ListRules",
"events:ListTargetsByRule",
"events:PutRule",
"events:PutTargets",
"events:RemoveTargets",
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:PassRole",
"iam:PutRolePolicy",
"iot:CreateTopicRule",
"iot:DeleteTopicRule",
"iot:DisableTopicRule",
"iot:EnableTopicRule",
"iot:ReplaceTopicRule",
"kinesis:CreateStream",
"kinesis:DeleteStream",
"kinesis:DescribeStream",
"lambda:*",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:FilterLogEvents",
"logs:GetLogEvents",
"logs:PutSubscriptionFilter",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketWebsite",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"sns:CreateTopic",
"sns:DeleteTopic",
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"sns:SetSubscriptionAttributes",
"sns:SetTopicAttributes",
"sns:Subscribe",
"sns:Unsubscribe",
"states:CreateStateMachine",
"states:DeleteStateMachine"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
}
@romankurnovskii
Copy link

logs:CreateLogDelivery missed here and required in some templates

@dweemx
Copy link

dweemx commented Oct 6, 2022

cloudformation:DeleteChangeSet was missing to make the Node.JS starter app work

@joebernard
Copy link

joebernard commented Nov 4, 2022

Here is what I cobbled together for serverless Lambda deployments based on the helpful comments here. This could be improved by specifying your account id instead of allowing *. I was unsure which role should be allowed for iam:GetRole and ended up specifying * for that. If anyone knows which roles should be allowed there please comment.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "logs:DescribeLogGroups",
                "lambda:List*",
                "logs:DescribeLogStreams",
                "lambda:Get*",
                "logs:PutRetentionPolicy",
                "cloudformation:List*",
                "logs:CreateLogGroup",
                "cloudformation:ValidateTemplate",
                "cloudformation:Describe*",
                "cloudformation:Get*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:Put*",
                "events:Remove*",
                "events:Delete*"
            ],
            "Resource": [
                "arn:aws:events:us-east-1::event-source/*",
                "arn:aws:events:us-east-1:*:rule/*",
                "arn:aws:events:us-east-1:*:event-bus/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:DescribeRule"
            ],
            "Resource": [
                "arn:aws:events:us-east-1:*:rule/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutAccelerateConfiguration",
                "s3:ListBucketVersions",
                "s3:CreateBucket",
                "iam:CreateRole",
                "s3:ListBucket",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "cloudformation:CreateChangeSet",
                "s3:GetBucketPolicy",
                "cloudformation:DeleteChangeSet",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "s3:PutBucketAcl",
                "lambda:PutFunctionEventInvokeConfig",
                "cloudformation:UpdateStack",
                "lambda:DeleteFunctionEventInvokeConfig",
                "lambda:DeleteFunction",
                "s3:DeleteBucket",
                "cloudformation:ExecuteChangeSet",
                "iam:GetRole",
                "s3:PutBucketPublicAccessBlock",
                "lambda:InvokeFunction",
                "logs:DeleteLogGroup",
                "lambda:Update*",
                "iam:DeleteRole",
                "s3:DeleteBucketPolicy",
                "lambda:AddPermission",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "s3:PutBucketPolicy",
                "lambda:PublishVersion",
                "s3:GetBucketLocation",
                "lambda:RemovePermission",
                "lambda:CreateAlias"
            ],
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:iam::*:role/LambdaExecutionRole",
                "arn:aws:lambda:us-east-1:*:function:*",
                "arn:aws:lambda:us-east-1:*:event-source-mapping:*",
                "arn:aws:cloudformation:us-east-1:*:stack/*/*",
                "arn:aws:logs:us-east-1:*:log-group:/aws/lambda/*:*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::*/*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateUploadBucket",
                "cloudformation:Describe*"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:*:stack/*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/*"
            ]
        }
    ]
}

@yeahoffline
Copy link

yeahoffline commented Jan 7, 2023

cloudformation:DeleteChangeSet
states:TagResource
logs:TagResource

are missing for the basic node starter .... please fix...

@olivier-sabban
Copy link

olivier-sabban commented Jul 28, 2023

I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights ?

Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.

I suggest creating a minimum, tested roles file with proper permissions.

I'm currently working on my own configuration, and once it's complete, I will share it with the community.

@M15t
Copy link

M15t commented Aug 14, 2023

I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights ?

Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.

I suggest creating a minimum, tested roles file with proper permissions.

I'm currently working on my own configuration, and once it's complete, I will share it with the community.

Great! Can't wait for your configuration!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment