AWS serverlessrepo documentation change
Summary
Added a section detailing IAM permission restrictions that block publication of applications with overly broad permissions, along with remediation guidance.
Security assessment
This adds documentation about security controls that enforce least privilege by blocking dangerous IAM patterns. It provides security best practices guidance but doesn't reference a specific security vulnerability being fixed.
Diff
diff --git a/serverlessrepo/latest/devguide/using-aws-sam.md b/serverlessrepo/latest/devguide/using-aws-sam.md index 4ba689f02..3639f61c6 100644 --- a//serverlessrepo/latest/devguide/using-aws-sam.md +++ b//serverlessrepo/latest/devguide/using-aws-sam.md @@ -22,0 +23,13 @@ If you want to request support for an additional AWS resource, contact [AWS Supp +AWS Serverless Application Repository blocks publication of applications that include the following overly broad IAM permission patterns, which do not follow the principle of least privilege: + + * Attaching the `AWSLambda_FullAccess` managed policy to Lambda functions + + * Granting `iam:AttachRolePolicy`, `iam:PutRolePolicy`, or `iam:*` on all resources (`*`) in inline IAM policies + + + + +To publish your application, replace `AWSLambda_FullAccess` with only the specific Lambda permissions your application requires, and scope `iam:AttachRolePolicy`, `iam:PutRolePolicy`, and `iam:PassRole` to specific resource ARNs rather than all resources. For guidance, see [IAM security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html). + +###### Important +