Does Serverless, Inc ever see my AWS credentials?

I’m trying to sell my company on serverless, but we handle PHI so security’s tight. Our compliance director and CTO had concerns about passing our AWS key and secret to another company.

When doing a serverless deploy, do AWS credentials ever actually pass through to Serverless, Inc?

If not, can someone point me to where in the code I can prove that?

Thanks!

Hi there and welcome to the community!

Nope. They never ever do, whether you do a local deployment using an AWS access key and ID or via a role allocated to a deployment profile in the dashboard. We make API requests into your AWS account using your credentials, but they are never stored or sent anywhere else.

And with the framework being fully open source and having had a reasonably sized community looking through the code quite a bit, you are welcome to audit the framework itself or get a third party to do so for you if you need to be sure; one of the advantages an open source framework gives you.

When it comes to the Dashboard, you set up a link from our AWS account to your own using an IAM role you have complete control over on your account. So even there, we never see any credentials; it's a pure IAM interaction over API that you can disconnect at any time. If you want to see more details about how that role works, we have a video as a part of our free course that describes the process: https://serverless.com/learn/tutorial/what-happens-on-deployment/

If you have any more specific questions please feel free. I was trying to answer as generally as I could.
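One way to check the cross-account role described in the answer above from your own side, as an added example that is not part of the original thread and not Serverless, Inc. code: it audits a role's trust policy and reports every principal outside your account that may assume the role. The policy, account IDs and external ID below are constructed placeholders, and the `sts:ExternalId` check is a general IAM hardening check, not something the thread states about the Dashboard role.

```python
import json

# Constructed trust policy for a hypothetical dashboard-integration role.
# Account IDs and the external ID are placeholders, not real Serverless, Inc. values.
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}},
  {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, own_account, expected_accounts):
    """Return (principal, finding) for each principal outside own_account that may assume the role."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # Only AWS account/role principals are examined; Service and Federated are ignored here.
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        has_external_id = any(
            "sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())
        for arn in arns:
            # A principal is either a full ARN or a bare 12-digit account ID.
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account == own_account:
                continue
            if arn == "*":
                findings.append((arn, "any AWS principal can assume this role"))
            elif account not in expected_accounts:
                findings.append((arn, "unexpected external account"))
            elif not has_external_id:
                findings.append((arn, "expected account, but no sts:ExternalId condition"))
            else:
                findings.append((arn, "expected account, ExternalId required"))
    return findings
```

The trust policy of a real role is the `AssumeRolePolicyDocument` field in the output of `aws iam get-role`; removing the external principal from it, or deleting the role, revokes the access.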

Thank you for the response!