When my team deployed our first serverless app, we noticed something… unsettling. Serverless uploaded our
secrets.yml file to S3.
Most directly, that’s a problem because there are people (and machines) in our organization that have global read access to S3 but shouldn’t have write access to the database for our serverless app.
It also adds a new vulnerability to our system. If an attacker gets S3 read access, they can elevate that to database write access.
Is there a way to disable pushing functions to S3?
The only alternative I can think of is to create a new AWS organization for the serverless project, though that adds some account-management headaches.