How do I prevent secrets from being uploaded to S3?

When my team deployed our first serverless app, we noticed something… unsettling. Serverless uploaded our secrets.yml file to S3.

Most directly, that’s a problem because there are people (and machines) in our organization that have global read access to S3 but shouldn’t have write access to the database for our serverless app.

It also adds a new vulnerability to our system. If an attacker gets S3 read access, they can elevate that to database write access.

Is there a way to disable pushing functions to S3?

The only alternative I can think of is to create a new AWS organization for the serverless project, though that adds some account-management headaches.

Possibly related: Feature Request: API Gateway Stage Variables

I think you are talking about the S3 bucket that serverless creates when uploading your data to cloudformation?
You can choose what files you add to the zip package in the serverless file using the include and exclude keywords:

If you don’t put this file inside your package, it will not be uploaded to S3 or to Lambda, etc.
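The exclusion the answer describes, as an added example of a `serverless.yml` `package` section (not taken from the original post; the service name, handler and the `secrets.yml` / `.env` file names are assumed):

```yaml
# serverless.yml (added illustration, not from the original thread)
service: example-service   # assumed name

provider:
  name: aws
  runtime: python3.9       # assumed runtime

package:
  # Files matching these patterns are left out of the deployment zip,
  # so they never reach the deployment bucket in S3 or the Lambda code.
  exclude:
    - secrets.yml
    - .env
    - '**/*.pem'           # keep private keys out as well (assumed pattern)
  # include re-adds paths that a broad exclude would otherwise drop
  include:
    - handler.py           # assumed handler file

functions:
  hello:
    handler: handler.hello
```

After `serverless package`, confirm with `unzip -l .serverless/*.zip` that `secrets.yml` is absent from the artifact before deploying.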