A (hopefully) minimum AWS IAM policy for serverless framework
# Note: these are placeholder variables you should replace before using the policy
# MyAccountNumber is your AWS account number
# ServerlessServiceName is the service name you are defining in your serverless config
#
# Additional note regarding region: us-west-2 is hard-coded in the ARNs below, change it to fit your situation
#
# NOTE(review): the '#' lines are annotations only. IAM accepts strict JSON, so strip them before attaching the policy.
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
# Read-only CloudFormation actions. Resource "*" means describe/list is allowed on every stack in the
# account, not only this service's; the read-only action set keeps that acceptable for most teams.
{ | |
"Sid": "CloudformationRead", | |
"Effect": "Allow", | |
"Action": [ | |
"cloudformation:BatchDescribeTypeConfigurations", | |
"cloudformation:Describe*", | |
"cloudformation:Detect*", | |
"cloudformation:EstimateTemplateCost", | |
"cloudformation:Get*", | |
"cloudformation:List*", | |
"cloudformation:ValidateTemplate" | |
], | |
"Resource": "*" | |
}, | |
# Mutating CloudFormation actions, limited to stacks whose name starts with the service name.
# NOTE(review): several of the listed actions (the StackSet, Type and Publisher ones) act on resource
# types other than stack/, so the stack ARN below likely never matches them; they could be trimmed to
# the actions a deployment actually performs.
{ | |
"Sid": "CloudformationWrite", | |
"Effect": "Allow", | |
"Action": [ | |
"cloudformation:ActivateType", | |
"cloudformation:CancelUpdateStack", | |
"cloudformation:ContinueUpdateRollback", | |
"cloudformation:CreateChangeSet", | |
"cloudformation:CreateStack", | |
"cloudformation:CreateStackInstances", | |
"cloudformation:CreateStackSet", | |
"cloudformation:DeactivateType", | |
"cloudformation:DeleteChangeSet", | |
"cloudformation:DeleteStack", | |
"cloudformation:DeleteStackInstances", | |
"cloudformation:DeleteStackSet", | |
"cloudformation:DeregisterType", | |
"cloudformation:ExecuteChangeSet", | |
"cloudformation:ImportStacksToStackSet", | |
"cloudformation:PublishType", | |
"cloudformation:RecordHandlerProgress", | |
"cloudformation:RegisterPublisher", | |
"cloudformation:RegisterType", | |
"cloudformation:Set*", | |
"cloudformation:SignalResource", | |
"cloudformation:StopStackSetOperation", | |
"cloudformation:TagResource", | |
"cloudformation:TestType", | |
"cloudformation:UntagResource", | |
"cloudformation:Update*" | |
], | |
"Resource": [ | |
"arn:aws:cloudformation:us-west-2:MyAccountNumber:stack/ServerlessServiceName-*/*" | |
] | |
}, | |
# Full S3 access, restricted to the service's deployment bucket(s). In IAM a '*' matches any
# characters including '/', so the trailing wildcard also covers object ARNs (bucket/key).
{ | |
"Sid": "S3Access", | |
"Effect": "Allow", | |
"Action": [ | |
"s3:*" | |
], | |
"Resource": [ | |
"arn:aws:s3:::ServerlessServiceName-*-serverlessdeploymentbucket-*" | |
] | |
}, | |
# Full IAM access, restricted to the service's Lambda execution role.
# NOTE(review): iam:* on the role includes actions such as iam:PassRole, iam:PutRolePolicy and
# iam:UpdateAssumeRolePolicy, i.e. whoever holds this policy can reshape what that role may do and who
# may assume it. If the deploying principal is not fully trusted, narrow this to the role actions the
# deployment needs (create/delete role, put/delete role policy, get role, pass role).
{ | |
"Sid": "IamAccess", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:*" | |
], | |
"Resource": [ | |
"arn:aws:iam::MyAccountNumber:role/ServerlessServiceName-*-us-west-2-lambdaRole" | |
] | |
}, | |
# NOTE(review): apigateway:* with Resource "*" is account-wide; it is not restricted to this service's
# APIs. New API IDs are not known before deployment, which is why the scope is broad, but keep in mind
# this statement can read or modify every API Gateway resource in the account.
{ | |
"Sid": "apiGatewayAccess", | |
"Effect": "Allow", | |
"Action": [ | |
"apigateway:*" | |
], | |
"Resource": [ | |
"*" | |
] | |
}, | |
# CloudWatch Logs access for the service's Lambda log groups.
# NOTE(review): the ARN below ends in ':log-stream:*' and so only matches log-stream ARNs; log-group
# level actions such as logs:CreateLogGroup and logs:PutRetentionPolicy are evaluated against the
# log-group ARN without that suffix. Confirm that deployments which create log groups succeed with this
# scope; if not, add the log-group form of the ARN as a second resource.
{ | |
"Sid": "logsAccess", | |
"Effect": "Allow", | |
"Action": [ | |
"logs:*" | |
], | |
"Resource": [ | |
"arn:aws:logs:us-west-2:MyAccountNumber:log-group:/aws/lambda/ServerlessServiceName-*-*:log-stream:*" | |
] | |
}, | |
# Full Lambda access, restricted to functions whose name starts with the service name
# (presumably <service>-<stage>-<function>; verify against your naming).
{ | |
"Sid": "lambdaAccess", | |
"Effect": "Allow", | |
"Action": [ | |
"lambda:*" | |
], | |
"Resource": [ | |
"arn:aws:lambda:us-west-2:MyAccountNumber:function:ServerlessServiceName-*-*" | |
] | |
}, | |
# Full EventBridge access, restricted to rules whose name starts with the service name.
{ | |
"Sid": "eventBridgeAccess", | |
"Effect": "Allow", | |
"Action": [ | |
"events:*" | |
], | |
"Resource": [ | |
"arn:aws:events:us-west-2:MyAccountNumber:rule/ServerlessServiceName-*-*-*" | |
] | |
} | |
] | |
} |