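Serverless IAM Permissions: two IAM policy documents follow. The first allows iam:CreateRole, iam:PutRolePolicy and iam:PassRole on arn:aws:iam::*:role/* (any role in any account) and apigateway:* on arn:aws:apigateway:*::*; narrow those Resource ARNs to your account and to the roles the stack manages before attaching it.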
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"dynamodb:DeleteItem",
"iam:DeletePolicy",
"iam:CreateRole",
"lambda:GetFunctionConfiguration",
"iam:PutRolePolicy",
"dynamodb:DeleteTable",
"iam:PassRole",
"dynamodb:DescribeTable",
"iam:DeleteRolePolicy",
"dynamodb:GetItem",
"cloudformation:UpdateStack",
"lambda:DeleteFunction",
"iam:GetRole",
"dynamodb:UpdateTimeToLive",
"dynamodb:PutItem",
"lambda:InvokeFunction",
"apigateway:*",
"lambda:GetFunction",
"iam:DeleteUserPolicy",
"iam:DeleteRole",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"cloudformation:DescribeStacks",
"dynamodb:CreateTable",
"s3:PutObject",
"s3:GetObject",
"lambda:AddPermission",
"lambda:PublishVersion",
"lambda:RemovePermission",
"dynamodb:UpdateTable"
],
"Resource": [
"arn:aws:lambda:*:*:function:*",
"arn:aws:cloudformation:eu-west-2:<AWS_ACCOUNT_NUMBER>:stack/<CLOUD_FORMATION_STACK_NAME>/*",
"arn:aws:apigateway:*::*",
"arn:aws:s3:::<BUCKET_NAME>/*",
"arn:aws:iam::*:role/*",
"arn:aws:dynamodb:eu-west-2:<AWS_ACCOUNT_NUMBER>:table/<TABLE_NAME>",
"arn:aws:dynamodb:eu-west-2:<AWS_ACCOUNT_NUMBER>:table/<TABLE_NAME>/index/<TABLE_INDEX_NAME>"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:DeleteLogGroup",
"dynamodb:ListTables",
"logs:PutRetentionPolicy",
"logs:CreateLogGroup"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cloudformation:DetectStackDrift",
"lambda:ListVersionsByFunction",
"lambda:GetLayerVersion",
"cloudformation:ListStackInstances",
"lambda:GetFunctionConfiguration",
"s3:ListBucket",
"cloudformation:DescribeStackResource",
"lambda:GetLayerVersionPolicy",
"cloudformation:DetectStackResourceDrift",
"iam:PassRole",
"cloudformation:DescribeStackEvents",
"lambda:ListTags",
"cloudformation:DescribeStackSetOperation",
"cloudformation:UpdateStack",
"lambda:GetAlias",
"s3:DeleteObject",
"cloudformation:DescribeChangeSet",
"cloudformation:ListStackResources",
"lambda:InvokeFunction",
"lambda:GetEventSourceMapping",
"lambda:GetFunction",
"cloudformation:DescribeStackInstance",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"cloudformation:DescribeStackResources",
"cloudformation:GetTemplateSummary",
"cloudformation:DescribeStacks",
"lambda:UpdateFunctionCode",
"s3:PutObject",
"s3:GetObject",
"cloudformation:DescribeStackResourceDrifts",
"cloudformation:GetStackPolicy",
"cloudformation:CreateStack",
"cloudformation:GetTemplate",
"cloudformation:DeleteStack",
"s3:GetBucketLocation",
"lambda:GetPolicy"
],
"Resource": [
"arn:aws:lambda:*:*:event-source-mapping:*",
"arn:aws:lambda:*:*:function:*",
"arn:aws:lambda:*:*:layer:*:*",
"arn:aws:s3:::<BUCKET_NAME>/*",
"arn:aws:s3:::<BUCKET_NAME>",
"arn:aws:cloudformation:eu-west-2:<AWS_ACCOUNT_NUMBER>:stack/<CLOUD_FORMATION_STACK_NAME>/*",
"arn:aws:iam::<AWS_ACCOUNT_NUMBER>:role/<CLOUD_FORMATION_ROLE>"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudformation:EstimateTemplateCost",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListExports",
"cloudformation:ListStacks",
"lambda:ListFunctions",
"cloudformation:ListImports",
"lambda:ListEventSourceMappings",
"cloudformation:DescribeAccountLimits",
"lambda:ListLayerVersions",
"lambda:ListLayers",
"lambda:GetAccountSettings",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
}
]
}