How do I prevent secrets from being uploaded to S3?

jamesarosen · October 1, 2019, 11:25pm

When my team deployed our first serverless app, we noticed something… unsettling. Serverless uploaded our secrets.yml file to S3.

Most directly, that’s a problem because there are people (and machines) in our organization that have global read access to S3 but shouldn’t have write access to the database for our serverless app.

It also adds a new vulnerability to our system. If an attacker gets S3 read access, they can elevate that to database write access.

Is there a way to disable pushing functions to S3?

The only alternative I can think of is to create a new AWS organization for the serverless project, though that adds some account-management headaches.

jamesarosen · October 2, 2019, 8:38pm

Possibly related: Feature Request: API Gateway Stage Variables

majindageta · October 3, 2019, 11:09am

Hello!
I think you are talking about the S3 bucket that serverless creates when uploading your data to cloudformation?
You can choose what files you add to the zip package in the serverless file using the include and exclude keywords:

If you don’t put this file inside your package, will not be uploaded on S3 nor on lambda etc

Topic		Replies	Views
Serverless AWS credentials issue Node.js Serverless Framework aws	2	1752	March 5, 2018
S3 Bucket Access Denied Serverless Framework	1	4680	September 24, 2020
S3 bucket in different AWS account for serverless deployment than Lambda Serverless Framework aws , lambda , iam	0	462	September 20, 2022
Managing secrets in Serverless beta Serverless Framework	3	1506	May 12, 2017
How to harden S3? Serverless Framework	0	428	March 9, 2020

How do I prevent secrets from being uploaded to S3?

Related topics