ACloudGuru / serverless-plugin-aws-alerts

A Serverless Framework plugin that creates CloudWatch alarms for functions.
MIT License

Document minimum required IAM permissions #232

Open rdsedmundo opened 2 years ago

rdsedmundo commented 2 years ago

This is a Feature Proposal

Description

Document the minimum required IAM permissions for the plugin to work, so it's easier to follow the Principle of Least Privilege.

Additional Data

yorjaggy commented 1 year ago

Not sure if this question is still open, but I used this inline policy, and only those 2 actions are required. Using * on the Resource is certainly not recommended, but with this plugin I'm not able to get the alarm name before it is created.

Anyways feel free to add any feedback :D

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": "arn:aws:cloudwatch:<AWS_REGION>:<AWS_ACCOUNT_ID>:alarm:*"
        }
    ]
}
rdsedmundo commented 1 year ago

I noticed these are also required if metric filters are being used:

        "logs:PutMetricFilter",
        "logs:DeleteMetricFilter",
        "logs:DescribeMetricFilters"
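The two comments above together give five actions. As an added example that is not part of this plugin or thread, the script below assembles them into one policy document for the principal that runs the deployment (the Serverless Framework deploys through CloudFormation, so that is the role or user CloudFormation acts as) and then checks two least-privilege properties offline: every required action is covered, and no Allow statement uses a wildcard Action or a bare `*` Resource. The region and account placeholders, the `/aws/lambda/` log-group prefix, and the decision to scope the `logs:*MetricFilter*` actions to log-group ARNs are assumptions, not something the plugin documents; check the IAM action reference for your account before relying on the resource scope. The matcher ignores Deny statements and Condition blocks, so treat it as a sanity check, not a replacement for the IAM policy simulator.

```python
"""Build and sanity-check a least-privilege policy for serverless-plugin-aws-alerts.

Added example, not the plugin's own code. Action names come from the thread;
the resource scoping, region, account ID and log-group prefix are assumptions.
"""
import fnmatch
import json

REGION = "us-east-1"          # assumed placeholder, replace with your region
ACCOUNT_ID = "123456789012"   # assumed placeholder, replace with your account

# The five actions named in the thread: two for alarms, three for metric filters.
REQUIRED_ACTIONS = {
    "cloudwatch:PutMetricAlarm",
    "cloudwatch:DeleteAlarms",
    "logs:PutMetricFilter",
    "logs:DeleteMetricFilter",
    "logs:DescribeMetricFilters",
}


def build_policy(region=REGION, account_id=ACCOUNT_ID, log_group_prefix="/aws/lambda/"):
    """Return the combined policy as a dict.

    The alarm ARN pattern mirrors the one posted in the thread. Scoping the
    metric-filter actions to Lambda log groups is an assumption: the plugin's
    filters are attached to the functions' log groups, so a prefix is tighter
    than '*' while still matching log groups that do not exist yet.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AlarmManagement",
                "Effect": "Allow",
                "Action": ["cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms"],
                "Resource": f"arn:aws:cloudwatch:{region}:{account_id}:alarm:*",
            },
            {
                "Sid": "MetricFilterManagement",
                "Effect": "Allow",
                "Action": [
                    "logs:PutMetricFilter",
                    "logs:DeleteMetricFilter",
                    "logs:DescribeMetricFilters",
                ],
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:{log_group_prefix}*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, required_actions=REQUIRED_ACTIONS):
    """Return the subset of required_actions granted by some Allow statement.

    IAM action matching is case-insensitive and supports '*' and '?' wildcards,
    which fnmatch reproduces. Deny statements and Conditions are ignored.
    """
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in required_actions:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def missing_actions(policy, required_actions=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants."""
    return set(required_actions) - allowed_actions(policy, required_actions)


def overbroad_statements(policy):
    """Flag Allow statements with a wildcard Action or an unscoped Resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any("*" in action for action in _as_list(stmt.get("Action", []))):
            findings.append(f"{sid}: wildcard in Action")
        if any(res == "*" for res in _as_list(stmt.get("Resource", []))):
            findings.append(f"{sid}: Resource is '*'")
    return findings


if __name__ == "__main__":
    policy = build_policy()
    print(json.dumps(policy, indent=2))
    print("missing actions:", sorted(missing_actions(policy)))
    print("findings:", overbroad_statements(policy))
```

Running the script prints the assembled policy, an empty list of missing actions and no findings; feeding it the alarm-only policy from the first comment instead reports the three `logs:` actions as missing, and a policy written with `cloudwatch:*` is accepted for coverage but flagged as over-broad, which is the distinction this issue is asking the docs to make explicit.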