I’m looking to restrict each of my functions to only the IAM permissions it needs, simply as a matter of organization / security practice. It looks like the default way of assigning IAM permissions to Lambda functions assigns them to all.
I’m trying to find it documented somewhere, but I can’t find anything showing exactly what options I’m allowed to specify for a function in my serverless.yml. I’ve tried passing in “iamRoleStatements” and “role”, but they seem to just get ignored when I redeploy.
Can I define a separate role for it as a custom resource and then set the function to use the role? That’s how I’d do it with native CloudFormation, but I’m having trouble finding the best way to do it here.
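An added example, not part of the original post, sketching the approach asked about above: one IAM role per function, declared as custom CloudFormation resources and referenced by logical ID. It assumes a Serverless Framework release that honors the function-level `role` key; the service, function and role names and the table ARN are constructed placeholders.

```yaml
# Added example; every name and the table ARN below are constructed.
service: orders

provider:
  name: aws
  runtime: nodejs20.x
  # Statements declared at provider level end up in the single default role
  # shared by every function that does not set its own `role`, so none here.

functions:
  readOrder:
    handler: handler.read
    role: ReadOrderRole          # logical ID under resources.Resources
  writeOrder:
    handler: handler.write
    role: WriteOrderRole

resources:
  Resources:
    ReadOrderRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: &lambdaTrust
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: { Service: lambda.amazonaws.com }
              Action: sts:AssumeRole
        ManagedPolicyArns: &basicLogs
          # A custom role must carry its own CloudWatch Logs permissions.
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: read-orders
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: [dynamodb:GetItem]
                  Resource: arn:aws:dynamodb:us-east-1:123456789012:table/orders
    WriteOrderRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: *lambdaTrust
        ManagedPolicyArns: *basicLogs
        Policies:
          - PolicyName: write-orders
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: [dynamodb:PutItem]
                  Resource: arn:aws:dynamodb:us-east-1:123456789012:table/orders
```

After deploying, the `Role` property of each `AWS::Lambda::Function` in the generated CloudFormation template shows whether the per-function role was applied or the shared default role was used instead.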