Many AWS solution architects recommend setting up per-function IAM policies so that we follow the principle of least privilege and give each function only the permission it needs.
However, at the moment, it’s quite clumsy to add custom roles for each function (it requires setting up the role as a custom CF resource, and you have to manually include the permissions the Serverless framework adds for you by default, e.g. CWLogs), and as such I don’t know of anyone who actually does this in production.
The framework should make it easy to set this up, in the same way that you can specify settings at the provider level (memory, timeout, etc.) and override them at a function level. I’m thinking something along the lines of:
```yaml
service: new-service

provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - Ref: ServerlessDeploymentBucket

functions:
  func0:
    ...
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - "s3:PutObject"
        Resource:
          Fn::Join:
            - ""
            - - "arn:aws:s3:::"
              - Ref: ServerlessDeploymentBucket
              - "/*"
  func1:
    ...
  func2:
    ...
```
In the above example, `func1` and `func2` would inherit the IAM role created at the service level, with the permission for `s3:ListBucket`. But since `func0` specifies its own IAM statement, these statements should be concatenated with the service-level IAM statements to create a new role, and assigned to the `func0` function, giving it permissions for both `s3:ListBucket` and `s3:PutObject`.
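The merge rule proposed above, worked through as an added Python model (this is illustrative code, not part of the proposal or of the Serverless framework): service-level `iamRoleStatements` go into one shared role; a function that declares its own `iamRoleStatements` gets a separate role whose policy is the service-level statements followed by its own. Every generated role also carries an approximation of the CloudWatch Logs statement the framework adds by default, since that is the permission a hand-rolled per-function role tends to lose. The role logical IDs (`IamRoleLambdaExecution`, `Func0IamRole`), the log-group ARN shape and the stage/region/account values are assumptions.

```python
"""Model of the proposed per-function IAM role merge (illustrative, not framework code)."""
import copy

# Constructed input: the proposal's serverless.yml fragment, as it would parse from YAML.
SERVERLESS_CONFIG = {
    "service": "new-service",
    "provider": {
        "name": "aws",
        "iamRoleStatements": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": {"Fn::Join": ["", ["arn:aws:s3:::",
                                            {"Ref": "ServerlessDeploymentBucket"}]]}},
        ],
    },
    "functions": {
        "func0": {
            "handler": "handler.func0",
            "iamRoleStatements": [
                {"Effect": "Allow", "Action": ["s3:PutObject"],
                 "Resource": {"Fn::Join": ["", ["arn:aws:s3:::",
                                                {"Ref": "ServerlessDeploymentBucket"},
                                                "/*"]]}},
            ],
        },
        "func1": {"handler": "handler.func1"},
        "func2": {"handler": "handler.func2"},
    },
}


def logs_statements(service, stage, region, account):
    """Assumed approximation of the CloudWatch Logs permissions the framework grants
    by default, so a per-function role keeps the ability to write its own logs."""
    log_group = f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{service}-{stage}-*:*"
    return [{"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": [log_group]}]


def statements_for(config, fn_name):
    """Service-level statements first, then the function's own, as the proposal describes."""
    service_stmts = config.get("provider", {}).get("iamRoleStatements", [])
    fn_stmts = config["functions"][fn_name].get("iamRoleStatements", [])
    return copy.deepcopy(service_stmts) + copy.deepcopy(fn_stmts)


def role_resource(logical_id, statements):
    """Minimal AWS::IAM::Role with an inline policy, assumable by Lambda."""
    return {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow",
                               "Principal": {"Service": ["lambda.amazonaws.com"]},
                               "Action": ["sts:AssumeRole"]}],
            },
            "Policies": [{"PolicyName": f"{logical_id}Policy",
                          "PolicyDocument": {"Version": "2012-10-17",
                                             "Statement": statements}}],
        },
    }


def build_roles(config, stage="dev", region="us-east-1", account="123456789012"):
    """Return (CloudFormation Resources dict, mapping of function name -> role logical ID)."""
    base = logs_statements(config["service"], stage, region, account)
    shared_id = "IamRoleLambdaExecution"  # assumed name of the framework's shared role
    resources, assignment, shared_needed = {}, {}, False
    for fn_name, fn in config["functions"].items():
        if "iamRoleStatements" in fn:
            role_id = f"{fn_name.capitalize()}IamRole"  # hypothetical naming scheme
            resources[role_id] = role_resource(role_id, base + statements_for(config, fn_name))
            assignment[fn_name] = role_id
        else:
            shared_needed = True
            assignment[fn_name] = shared_id
    if shared_needed:
        service_stmts = copy.deepcopy(config["provider"].get("iamRoleStatements", []))
        resources[shared_id] = role_resource(shared_id, base + service_stmts)
    return resources, assignment


def actions_of(resources, role_id):
    """Set of IAM actions a generated role grants; handy for checking least privilege."""
    stmts = resources[role_id]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"]
    return {action for stmt in stmts for action in stmt["Action"]}


if __name__ == "__main__":
    roles, who_uses_what = build_roles(SERVERLESS_CONFIG)
    for fn, role in who_uses_what.items():
        print(fn, "->", role, sorted(actions_of(roles, role)))
```

Running it shows `func1` and `func2` sharing `IamRoleLambdaExecution` with only the list permission, while `func0` gets its own role carrying both `s3:ListBucket` and `s3:PutObject`; `s3:PutObject` never leaks into the shared role, which is the least-privilege property the proposal is after.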