
Narrowing the Serverless IAM Deployment Policy

Mar 14, 2026

Problem

I’ve been spending time recently trying to remove Admin rights as a requirement for sls deployments. Still a work in progress, but so far I have this policy that I can attach to any “serverless-agent” AWS user, so that the serverless-agent user is empowered enough to deploy:

[code block]

Right now, I'm focused on a single policy that can deploy to all stages. But some enterprises may need this IAM policy to allow dev and staging deployments, but limit who can deploy to production. So, I've also been experimenting with adding "${stage}" to some of the resource ARNs, but don't have it fully worked out yet. For example:

[code block]

There are still a few places where the permissions could be narrowed further. Specifically, the REST API section allows delete of ALL APIs right now. And the Lambda permissions are too broad. But I’ve had some annoying technical issues trying to narrow those two sections.

The API Gateway policy is still broad because you must have the 'api-id' in the ARN. But you don't know that until a deployment generates it. So on the surface, it seems like a chicken/egg problem to me, but maybe there is a way to supply that api-id, instead of having AWS generate it.

And the Lambda permissions are still broad because I can't see the particular ARN it is trying to manipulate to add an event mapping to a Lambda, and the obvious ARNs don't work. Maybe there is a way to show the ARN being accessed in serverless when the deployment fails, so that I can add it to th

Refine IAM Policy for Serverless Deployments

Medium Risk

The current IAM policy grants overly broad permissions, including admin rights, which can lead to security vulnerabilities. The API Gateway and Lambda permissions are not specific enough, allowing actions on all APIs and Lambda functions instead of restricting them to specific resources. This is due to the dynamic nature of resource ARNs in serverless deployments, where resource identifiers like 'api-id' and Lambda ARNs are not known until runtime.

1. Create a Scoped IAM Policy

   Define a more restrictive IAM policy that allows only necessary actions for the serverless-agent user. Use specific resource ARNs where possible and limit actions to those required for deployment.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "lambda:CreateFunction",
           "lambda:UpdateFunctionCode",
           "lambda:UpdateFunctionConfiguration",
           "lambda:AddPermission",
           "lambda:RemovePermission"
         ],
         "Resource": "arn:aws:lambda:${region}:${account_id}:function:${function_name}"
       },
       {
         "Effect": "Allow",
         "Action": [
           "apigateway:POST",
           "apigateway:PUT",
           "apigateway:DELETE"
         ],
         "Resource": [
           "arn:aws:apigateway:${region}::/restapis/${api_id}",
           "arn:aws:apigateway:${region}::/restapis/${api_id}/*"
         ]
       }
     ]
   }
   ```
2. Use CloudFormation Outputs to Capture API IDs

   Modify your serverless configuration to output the API Gateway IDs after deployment. This allows you to reference the specific API IDs in your IAM policy.

   ```yaml
   resources:
     Outputs:
       ApiId:
         Value: !Ref ApiGatewayRestApi
         Export:
           Name: ApiGatewayId
   ```
3. Implement Stage-Specific Policies

   Create separate IAM policies for different stages (dev, staging, production) to limit access to production deployments. Use conditions in the policy to restrict actions based on the deployment stage.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "CreateResourcesTaggedWithStage",
         "Effect": "Allow",
         "Action": [
           "lambda:CreateFunction",
           "lambda:TagResource",
           "apigateway:POST"
         ],
         "Resource": "*",
         "Condition": {
           "StringEquals": {
             "aws:RequestTag/Stage": "${stage}"
           }
         }
       },
       {
         "Sid": "ManageResourcesAlreadyTaggedWithStage",
         "Effect": "Allow",
         "Action": [
           "lambda:*",
           "apigateway:*"
         ],
         "Resource": "*",
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/Stage": "${stage}"
           }
         }
       }
     ]
   }
   ```
4. Test and Validate Permissions

   Deploy the serverless application using the new IAM policy and validate that the application can be deployed successfully without admin rights. Check CloudWatch logs for any permission errors and adjust the policy accordingly.

   ```bash
   sls deploy --stage dev
   ```

Validation

Confirm that the serverless deployment completes successfully without admin rights. Review CloudWatch logs for any permission-related errors and ensure that only the necessary actions are allowed for the specified resources.
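One way to act on steps 1 and 2 together, as an added example that is not part of the original post: a small Python generator that renders the deploy policy from the Serverless Framework's default naming (stack `<service>-<stage>`, functions `<service>-<stage>-<name>`) and pins the REST API ARN to the id read from the stack's `ApiGatewayId` export once a first deploy has produced it. The region, account id, service name and stack outputs are constructed sample values, and only the Lambda, API Gateway and CloudFormation statements discussed in the thread are rendered (the S3, IAM and logs permissions a full `sls deploy` also needs are left out).

```python
# Constructed sample of Stacks[0].Outputs as returned by CloudFormation
# DescribeStacks once the stack exports its API id (step 2 above).
SAMPLE_OUTPUTS = [
    {"OutputKey": "ServiceEndpoint", "OutputValue": "https://abc123xyz.execute-api.us-east-1.amazonaws.com/prod"},
    {"OutputKey": "ApiId", "OutputValue": "abc123xyz", "ExportName": "ApiGatewayId"},
]
LAMBDA_ACTIONS = ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
                  "lambda:UpdateFunctionConfiguration", "lambda:AddPermission",
                  "lambda:RemovePermission", "lambda:DeleteFunction"]
APIGW_ACTIONS = ["apigateway:GET", "apigateway:POST", "apigateway:PUT",
                 "apigateway:PATCH", "apigateway:DELETE"]
CFN_ACTIONS = ["cloudformation:CreateStack", "cloudformation:UpdateStack",
               "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
               "cloudformation:ListStackResources"]


def api_id_from_outputs(outputs, export_name="ApiGatewayId"):
    """Return the REST API id the stack exports, or None before the first deploy."""
    for out in outputs:
        if out.get("ExportName") == export_name:
            return out["OutputValue"]
    return None


def build_deploy_policy(region, account_id, service, stage, outputs=()):
    """Render a deploy policy scoped to one service and stage.

    With Serverless Framework defaults the stack is '<service>-<stage>' and every
    function is '<service>-<stage>-<name>', so a prefix wildcard covers a stage's
    functions without listing them. The API id only exists after the first
    deploy: until then the REST API statement stays at the '/restapis' level,
    afterwards it is pinned to the id read from the stack outputs.
    """
    api_id = api_id_from_outputs(outputs)
    if api_id:
        api_resources = [f"arn:aws:apigateway:{region}::/restapis/{api_id}",
                         f"arn:aws:apigateway:{region}::/restapis/{api_id}/*"]
    else:  # bootstrap form, broad enough to create the API; regenerate after deploy
        api_resources = [f"arn:aws:apigateway:{region}::/restapis",
                         f"arn:aws:apigateway:{region}::/restapis/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": LAMBDA_ACTIONS,
         "Resource": f"arn:aws:lambda:{region}:{account_id}:function:{service}-{stage}-*"},
        {"Effect": "Allow", "Action": APIGW_ACTIONS, "Resource": api_resources},
        {"Effect": "Allow", "Action": CFN_ACTIONS,
         "Resource": f"arn:aws:cloudformation:{region}:{account_id}:stack/{service}-{stage}/*"},
    ]}
```

Run the generator once with empty outputs for the bootstrap deploy, then again with the real `DescribeStacks` outputs to produce the narrowed policy; a separate `stage` value per policy is what keeps a dev-only agent away from the production stack and functions.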

Submitted by Alex Chen

Tags: serverless, lambda, aws, enhancement, needs-feedback