Last active
December 20, 2023 16:50
-
-
Save ServerlessBot/7618156b8671840a539f405dea2704c8 to your computer and use it in GitHub Desktop.
Minimum credential set for Serverless Framework
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "apigateway:*", | |
| "cloudformation:CancelUpdateStack", | |
| "cloudformation:ContinueUpdateRollback", | |
| "cloudformation:CreateChangeSet", | |
| "cloudformation:CreateStack", | |
| "cloudformation:CreateUploadBucket", | |
| "cloudformation:DeleteStack", | |
| "cloudformation:Describe*", | |
| "cloudformation:EstimateTemplateCost", | |
| "cloudformation:ExecuteChangeSet", | |
| "cloudformation:Get*", | |
| "cloudformation:List*", | |
| "cloudformation:UpdateStack", | |
| "cloudformation:UpdateTerminationProtection", | |
| "cloudformation:ValidateTemplate", | |
| "dynamodb:CreateTable", | |
| "dynamodb:DeleteTable", | |
| "dynamodb:DescribeTable", | |
| "dynamodb:DescribeTimeToLive", | |
| "dynamodb:UpdateTimeToLive", | |
| "ec2:AttachInternetGateway", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateInternetGateway", | |
| "ec2:CreateNetworkAcl", | |
| "ec2:CreateNetworkAclEntry", | |
| "ec2:CreateRouteTable", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateSubnet", | |
| "ec2:CreateTags", | |
| "ec2:CreateVpc", | |
| "ec2:DeleteInternetGateway", | |
| "ec2:DeleteNetworkAcl", | |
| "ec2:DeleteNetworkAclEntry", | |
| "ec2:DeleteRouteTable", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteSubnet", | |
| "ec2:DeleteVpc", | |
| "ec2:Describe*", | |
| "ec2:DetachInternetGateway", | |
| "ec2:ModifyVpcAttribute", | |
| "events:DeleteRule", | |
| "events:DescribeRule", | |
| "events:ListRuleNamesByTarget", | |
| "events:ListRules", | |
| "events:ListTargetsByRule", | |
| "events:PutRule", | |
| "events:PutTargets", | |
| "events:RemoveTargets", | |
| "iam:AttachRolePolicy", | |
| "iam:CreateRole", | |
| "iam:DeleteRole", | |
| "iam:DeleteRolePolicy", | |
| "iam:DetachRolePolicy", | |
| "iam:GetRole", | |
| "iam:PassRole", | |
| "iam:PutRolePolicy", | |
| "iot:CreateTopicRule", | |
| "iot:DeleteTopicRule", | |
| "iot:DisableTopicRule", | |
| "iot:EnableTopicRule", | |
| "iot:ReplaceTopicRule", | |
| "kinesis:CreateStream", | |
| "kinesis:DeleteStream", | |
| "kinesis:DescribeStream", | |
| "lambda:*", | |
| "logs:CreateLogGroup", | |
| "logs:DeleteLogGroup", | |
| "logs:DescribeLogGroups", | |
| "logs:DescribeLogStreams", | |
| "logs:FilterLogEvents", | |
| "logs:GetLogEvents", | |
| "logs:PutSubscriptionFilter", | |
| "s3:CreateBucket", | |
| "s3:DeleteBucket", | |
| "s3:DeleteBucketPolicy", | |
| "s3:DeleteObject", | |
| "s3:DeleteObjectVersion", | |
| "s3:GetObject", | |
| "s3:GetObjectVersion", | |
| "s3:ListAllMyBuckets", | |
| "s3:ListBucket", | |
| "s3:PutBucketNotification", | |
| "s3:PutBucketPolicy", | |
| "s3:PutBucketTagging", | |
| "s3:PutBucketWebsite", | |
| "s3:PutEncryptionConfiguration", | |
| "s3:PutObject", | |
| "sns:CreateTopic", | |
| "sns:DeleteTopic", | |
| "sns:GetSubscriptionAttributes", | |
| "sns:GetTopicAttributes", | |
| "sns:ListSubscriptions", | |
| "sns:ListSubscriptionsByTopic", | |
| "sns:ListTopics", | |
| "sns:SetSubscriptionAttributes", | |
| "sns:SetTopicAttributes", | |
| "sns:Subscribe", | |
| "sns:Unsubscribe", | |
| "states:CreateStateMachine", | |
| "states:DeleteStateMachine" | |
| ], | |
| "Effect": "Allow", | |
| "Resource": "*" | |
| } | |
| ], | |
| "Version": "2012-10-17" | |
| } |
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point. Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.
Great! Can't wait for your configuration!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I wanted to share my thoughts on the serverless security project. As a developer, I am surprised to see that there is not enough official documentation available for such a critical point.
Why are there so few contributions? Could it be because everyone is granting full rights ?
Personally, I've tested the configurations provided in this gist, but unfortunately, they didn't work as expected. It appears that certain permissions are missing with the last version of serverless.
I suggest creating a minimum, tested roles file with proper permissions.
I'm currently working on my own configuration, and once it's complete, I will share it with the community.