Reducing admin role for serverless deployment

Hi,

I've checked a lot of resources regarding the roles and permissions a user needs to deploy Lambda with the Serverless Framework, including issues on GitHub (e.g. this) and topics on this forum.
What I've found so far are just some assumptions and no full list of roles.
What I would like is help from the Serverless Framework development team, because using Admin access for deployment could lead to security issues. This is highly important.

Can anyone from the deployment team provide a full list of the permissions we need for successful Lambda creation and deployment?

I've tried to do this by myself, and here are my results.

CloudFormation

"cloudformation:CancelUpdateStack"
"cloudformation:ContinueUpdateRollback"
"cloudformation:CreateStack"
"cloudformation:DeleteStack"
"cloudformation:DeleteStackSet"
"cloudformation:DescribeChangeSet"
"cloudformation:DescribeStackEvents"
"cloudformation:DescribeStackResource*"
"cloudformation:DescribeStacks"
"cloudformation:ExecuteChangeSet"
"cloudformation:GetStackPolicy"
"cloudformation:GetTemplate"
"cloudformation:ListChangeSets"
"cloudformation:ListStackResources"
"cloudformation:UpdateStack"
"cloudformation:ValidateTemplate"

IAM

"iam:AttachRolePolicy"
"iam:CreateRole"
"iam:DeleteRole"
"iam:DeleteRolePolicy"
"iam:DetachRolePolicy"
"iam:GetPolicy"
"iam:GetRole"
"iam:ListAttachedRolePolicies"
"iam:ListPolicies"
"iam:ListRolePolicies"
"iam:ListRoles"
"iam:PutRolePolicy"
"iam:UpdateRole"
"iam:PassRole"

Lambda

"lambda:AddPermission"
"lambda:CreateAlias"
"lambda:CreateEventSourceMapping"
"lambda:CreateFunction"
"lambda:DeleteAlias"
"lambda:DeleteEventSourceMapping"
"lambda:DeleteFunction"
"lambda:Get*"
"lambda:List*"
"lambda:PublishVersion"
"lambda:RemovePermission"
"lambda:TagResource"
"lambda:UntagResource"
"lambda:Update*"

CloudWatch Logs

"logs:CreateLogGroup"
"logs:CreateLogStream"
"logs:DeleteLogGroup"
"logs:DeleteLogStream"
"logs:DeleteRetentionPolicy"
"logs:DeleteSubscriptionFilter"
"logs:PutMetricFilter"
"logs:PutSubscriptionFilter"
"logs:DescribeLogGroups"

S3

"s3:DeleteObject"
"s3:DeleteObjectVersion"
"s3:GetObject"
"s3:GetObjectVersion"
"s3:PutObject"
"s3:CreateBucket"
"s3:ListBucket"
"s3:ListBucketVersions"

This is enough for the first deploy and future deploys (Serverless Framework version 1.33.2).
I also think it can be reduced further, because the Serverless Framework might not need some of these policies.

If you have some thoughts about this list feel free to comment.

I think that with the IAM policies you've mentioned you can get other access easily, so it does not seem very useful to cut the permissions down.

1 Like
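The reply's concern is the combination of `iam:CreateRole`, `iam:AttachRolePolicy`, `iam:PutRolePolicy` and `iam:PassRole` granted on every resource: a deployer holding those can build a role with any policy and hand it to Lambda. The usual mitigation is to keep the actions from the original post but scope them to the service/stage naming that the Serverless Framework uses, and to condition `iam:PassRole` on `iam:PassedToService`. The script below is an added example written for this thread, not code from the Serverless Framework or either poster. It assembles the post's permission list into such a scoped policy and then checks any policy document for the unscoped role-management grants described above. The `<service>-<stage>` naming of stacks, roles, functions and log groups, the account id, region and bucket name are assumptions used for illustration; Serverless Framework's deployment bucket name in particular is generated, so the bucket parameter would need the real name.

```python
"""Added example: scope the post's permission list and check for
privilege-escalation grants. Naming and identifiers are assumptions."""
import fnmatch
import json

# Action lists copied from the post, split by the resource they can be scoped to.
CFN_STACK_ACTIONS = [
    "cloudformation:CancelUpdateStack", "cloudformation:ContinueUpdateRollback",
    "cloudformation:CreateStack", "cloudformation:DeleteStack",
    "cloudformation:DeleteStackSet", "cloudformation:DescribeChangeSet",
    "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource*",
    "cloudformation:DescribeStacks", "cloudformation:ExecuteChangeSet",
    "cloudformation:GetStackPolicy", "cloudformation:GetTemplate",
    "cloudformation:ListChangeSets", "cloudformation:ListStackResources",
    "cloudformation:UpdateStack",
]
IAM_ROLE_ACTIONS = [
    "iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy", "iam:GetRole", "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies", "iam:PutRolePolicy", "iam:UpdateRole",
]
LAMBDA_FN_ACTIONS = [
    "lambda:AddPermission", "lambda:CreateAlias", "lambda:CreateFunction",
    "lambda:DeleteAlias", "lambda:DeleteFunction", "lambda:Get*", "lambda:PublishVersion",
    "lambda:RemovePermission", "lambda:TagResource", "lambda:UntagResource", "lambda:Update*",
]
LOGS_ACTIONS = [
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogGroup",
    "logs:DeleteLogStream", "logs:DeleteRetentionPolicy", "logs:DeleteSubscriptionFilter",
    "logs:PutMetricFilter", "logs:PutSubscriptionFilter",
]
S3_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectVersion",
    "s3:PutObject", "s3:CreateBucket", "s3:ListBucket", "s3:ListBucketVersions",
]
# List/validate style calls that only work against Resource "*".
WIDE_ACTIONS = [
    "cloudformation:ValidateTemplate", "iam:GetPolicy", "iam:ListPolicies", "iam:ListRoles",
    "lambda:CreateEventSourceMapping", "lambda:DeleteEventSourceMapping", "lambda:List*",
    "logs:DescribeLogGroups",
]
POST_ACTIONS = set(CFN_STACK_ACTIONS + IAM_ROLE_ACTIONS + ["iam:PassRole"]
                   + LAMBDA_FN_ACTIONS + LOGS_ACTIONS + S3_ACTIONS + WIDE_ACTIONS)
# Actions that let a principal mint or widen a role and hand it to Lambda.
ESCALATION_ACTIONS = {"iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_deploy_policy(account_id, region, service, stage, bucket):
    """Return the post's permissions scoped to one service/stage (assumed naming)."""
    prefix = f"{service}-{stage}"
    stack_arn = f"arn:aws:cloudformation:{region}:{account_id}:stack/{prefix}/*"
    role_arn = f"arn:aws:iam::{account_id}:role/{prefix}-*"
    fn_arn = f"arn:aws:lambda:{region}:{account_id}:function:{prefix}-*"
    log_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{prefix}-*"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Stack", "Effect": "Allow", "Action": CFN_STACK_ACTIONS, "Resource": stack_arn},
        {"Sid": "Role", "Effect": "Allow", "Action": IAM_ROLE_ACTIONS, "Resource": role_arn},
        # PassRole only to the Lambda service, never to an arbitrary principal.
        {"Sid": "PassRoleToLambda", "Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
        {"Sid": "Function", "Effect": "Allow", "Action": LAMBDA_FN_ACTIONS, "Resource": fn_arn},
        {"Sid": "Logs", "Effect": "Allow", "Action": LOGS_ACTIONS, "Resource": log_arn},
        {"Sid": "Bucket", "Effect": "Allow", "Action": S3_ACTIONS,
         "Resource": [bucket_arn, bucket_arn + "/*"]},
        {"Sid": "ListAndValidate", "Effect": "Allow", "Action": WIDE_ACTIONS, "Resource": "*"},
    ]}


def policy_actions(policy):
    """Every action string granted anywhere in the policy."""
    return {a for s in policy["Statement"] for a in _as_list(s["Action"])}


def find_escalation_risks(policy):
    """Findings for Allow statements granting an escalation action on Resource "*",
    or iam:PassRole without an iam:PassedToService condition. Empty list = clean."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", "*"))
        conditioned = "iam:PassedToService" in json.dumps(stmt.get("Condition", {}))
        for pattern in _as_list(stmt["Action"]):
            for action in sorted(ESCALATION_ACTIONS):
                if not fnmatch.fnmatchcase(action, pattern):
                    continue
                if "*" in resources:
                    findings.append(f"{stmt.get('Sid', '?')}: {action} allowed on all resources")
                elif action == "iam:PassRole" and not conditioned:
                    findings.append(f"{stmt.get('Sid', '?')}: iam:PassRole without PassedToService")
    return findings


if __name__ == "__main__":
    # Constructed sample identifiers, not real account values.
    p = build_deploy_policy("123456789012", "us-east-1", "orders", "dev", "orders-dev-deploy")
    print(json.dumps(p, indent=2))
    print("findings:", find_escalation_risks(p))
```

Run against the scoped policy the checker returns no findings; run against an `iam:*` on `*` grant it reports each of the four escalation actions, which is the difference the reply is pointing at. Resource scoping by name prefix is only as strong as the naming convention, so a permissions boundary on the created roles is the usual next step when several teams deploy into one account.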