AWS Security ChangesHomeSearch

AWS serverlessrepo documentation change

Service: serverlessrepo · 2026-04-19 · Documentation medium

File: serverlessrepo/latest/devguide/acknowledging-application-capabilities.md

Summary

Added a note about new IAM permission restrictions blocking publication of applications with overly permissive policies.

Security assessment

This change documents new security controls that prevent publishing applications with dangerous IAM permissions (like AWSLambda_FullAccess). It's a proactive security measure to enforce least privilege but doesn't reference a specific security incident.

Diff

diff --git a/serverlessrepo/latest/devguide/acknowledging-application-capabilities.md b/serverlessrepo/latest/devguide/acknowledging-application-capabilities.md
index add1a4f68..240c10eef 100644
--- a//serverlessrepo/latest/devguide/acknowledging-application-capabilities.md
+++ b//serverlessrepo/latest/devguide/acknowledging-application-capabilities.md
@@ -20,0 +21,4 @@ Applications that contain one or more nested applications require you to specify
+###### Note
+
+AWS Serverless Application Repository enforces restrictions on newly published applications to help protect you when deploying from the public repository. Specifically, AWS Serverless Application Repository blocks publication of applications that attach the `AWSLambda_FullAccess` managed policy to Lambda functions, or that grant `iam:AttachRolePolicy`, `iam:PutRolePolicy`, or `iam:*` on all resources in inline IAM policies. These controls are in addition to the capability acknowledgment flow described in this topic.
+