Closed ben-harvey closed 2 years ago
Code Climate has analyzed commit fb70345c and detected 0 issues on this pull request.
The test coverage on the diff in this pull request is 100.0% (50% is the threshold).
This pull request will bring the total coverage in the repository to 25.9% (0.0% change).
Purpose
One of the ways to mitigate security risks for serverless applications is to use the principle of least privilege for function permissions. When a default IAM role is defined for a serverless service, each function receives all the permissions defined for the default role. This can lead to overly broad function permissions, which violates the principle. Each function should be granted the minimum set of permissions required to complete the job of the function.
This change removes all default lambda execution roles and adds per-function roles with the minimum permissions to execute the function handlers, and adds a section to the services README that explains this as a best practice for serverless security.
Linked Issues to Close
N/A
Approach
It's possible to define custom IAM roles, but if you do so you need to manually handle the details of defining IAM permissions for logs and stream events that are usually abstracted away by the Serverless framework.
This change uses the serverless-iam-roles-per-function plugin, which allows defining custom roles for each function while still abstracting away the permissions that are required for all serverless functions. This plugin is recommended in the Serverless documentation for IAM permissions.
Learning
Assorted Notes/Considerations
Manual testing:
I deployed each service after adding per-function IAM roles, and tested each function to confirm that it still had the required IAM permissions to execute without error.
Pull Request Creator Checklist
Pull Request Reviewer/Assignee Checklist
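The following serverless.yml sketch illustrates the approach described in this pull request. It is an added example, not configuration from the repository; the service, function, handler, table and bucket names and the account ID are constructed placeholders.

```yaml
# Constructed example: all names, ARNs and the account ID are placeholders.

# Before: a single default role. Every function in the service receives
# both statements, whether or not its handler needs them.
# provider:
#   name: aws
#   iam:
#     role:
#       statements:
#         - Effect: Allow
#           Action: [dynamodb:GetItem, dynamodb:PutItem]
#           Resource: arn:aws:dynamodb:us-east-1:123456789012:table/example-orders
#         - Effect: Allow
#           Action: [s3:PutObject]
#           Resource: arn:aws:s3:::example-reports/*

# After: no default statements; each function gets its own role.
service: example-orders

provider:
  name: aws
  runtime: nodejs18.x

plugins:
  - serverless-iam-roles-per-function

functions:
  getOrder:
    handler: src/getOrder.handler
    # Read-only access to one table; the plugin still adds the
    # logging permissions every function needs.
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:GetItem
        Resource: arn:aws:dynamodb:us-east-1:123456789012:table/example-orders

  exportReport:
    handler: src/exportReport.handler
    # Write access to one bucket prefix and nothing else.
    iamRoleStatements:
      - Effect: Allow
        Action:
          - s3:PutObject
        Resource: arn:aws:s3:::example-reports/*
```

With this layout a compromise of `getOrder` cannot write to the reports bucket, and `exportReport` cannot read the orders table.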