Why does Serverless need AdministratorAccess? Wouldn’t PowerUser, or even less, be sufficient?
I don’t mind giving it all the access rights it needs to set up Lambda functions and the corresponding triggers like API Gateway routes or CloudWatch schedules, but Admin seems dangerous to me.
It needs it because the features (and hence the permissions required) are in a steady state of change; AdministratorAccess is the only policy guaranteed to work.
If you limit yourself to a subset of features, you can probably limit the permissions granted. Unfortunately it’s always going to need IAM permissions (to create the Lambda function role), which renders all other limitations moot: if something can create IAM resources, it can create a resource with AdministratorAccess.
There’s a (possibly outdated) GitHub issue about this, which might help you.
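The answer's point about IAM can be checked mechanically. The following is an added example, not part of the original thread and not Serverless's own code: a small audit that flags a trimmed deployment policy which can still hand arbitrary permissions to a role. Treating the `iam:PermissionsBoundary` and `iam:PolicyARN` condition keys as the guard is this example's assumption, and the policy documents, account id and policy name are constructed placeholders.

```python
import fnmatch

# IAM actions that hand permissions to a role (real IAM action names).
GRANTING_ACTIONS = ("iam:AttachRolePolicy", "iam:PutRolePolicy")
# Condition keys that can cap what such a role receives (lower-cased).
GUARD_KEYS = ("iam:permissionsboundary", "iam:policyarn")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_guarded(stmt):
    # Heuristic: a guard key is present; its value is not evaluated here.
    return any(key.lower() in GUARD_KEYS
               for operands in stmt.get("Condition", {}).values()
               for key in operands)

def escalation_findings(policy):
    """Return (sid, action) for each unguarded Allow of a granting action.
    Deny statements, NotAction and Resource scoping are not evaluated."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or _is_guarded(stmt):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in GRANTING_ACTIONS:
            # IAM action matching is case-insensitive with * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((stmt.get("Sid", f"statement[{i}]"), action))
    return findings

# Constructed sample: a "trimmed" deploy policy that still carries broad IAM.
IAM_ACTIONS = ["iam:CreateRole", "iam:Attach*", "iam:PutRolePolicy"]
TRIMMED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow", "Resource": "*",
     "Action": ["lambda:*", "apigateway:*", "events:*", "cloudformation:*"]},
    {"Sid": "FunctionRole", "Effect": "Allow", "Resource": "*",
     "Action": IAM_ACTIONS},
]}
# Constructed sample: same actions, allowed only for roles that carry a
# permissions boundary (placeholder account id and policy name).
BOUNDED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FunctionRole", "Effect": "Allow", "Resource": "*",
     "Action": IAM_ACTIONS,
     "Condition": {"StringEquals": {"iam:PermissionsBoundary":
         "arn:aws:iam::111122223333:policy/deploy-boundary"}}},
]}

if __name__ == "__main__":
    for name, doc in (("TRIMMED", TRIMMED), ("BOUNDED", BOUNDED)):
        print(name, escalation_findings(doc))
```

An empty result only means no unguarded grant was found by this heuristic; the boundary policy itself still has to be reviewed for what it permits.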