We need to revive this issue. @martinheidegger this is for you in view of the ongoing security review.
My understanding is that there are 2 issues here (medium and long term):
- each Lambda function should have its own IAM role (this is fairly straightforward if a bit tedious)
- each plugin that operates inside Lambda should be sandboxed. This is a longer-term goal, perhaps with two approaches: running the plugin in a NodeJS thread and, for plugins written in Rust, compiling to WASM and using WASI for further sandboxing.
Planning
tie this after the upgrade to a new release of serverless framework or, if we decide to go this direction, after the migration to Terraform, or Terraform CDK (cdktf) or Pulumi, or something else (e.g. SST).
the default role serverless assigns to functions is super permissive: the union of all their needs
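
The shared default role described above, next to one role per function, as an added example that is not part of the original issue or the project's configuration. It assumes Serverless Framework v3 syntax; the service, function, bucket and table names are hypothetical.

```yaml
# Added example: all names are hypothetical. Assumes Serverless Framework v3.
service: example-service
provider:
  name: aws
  # BEFORE (weak): statements placed here go into the single default role that
  # every function assumes, so `ingest` could also delete table items.
  # iam: { role: { statements: [ { Effect: Allow, Action: ['s3:GetObject', 'dynamodb:DeleteItem'], Resource: '*' } ] } }

functions:
  ingest:
    handler: src/ingest.handler
    role: IngestRole   # AFTER: logical ID of a role defined under resources
  purge:
    handler: src/purge.handler
    role: PurgeRole

resources:
  Resources:
    IngestRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: &lambdaTrust
          Version: '2012-10-17'
          Statement: [{ Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: 'sts:AssumeRole' }]
        Policies:
          - PolicyName: ingest
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - &writeLogs   # a custom role must grant log writing itself
                  Effect: Allow
                  Action: ['logs:CreateLogStream', 'logs:PutLogEvents']
                  Resource: 'arn:aws:logs:*:*:log-group:/aws/lambda/*:*'
                - Effect: Allow   # the only data access `ingest` needs
                  Action: 's3:GetObject'
                  Resource: 'arn:aws:s3:::example-uploads/*'
    PurgeRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: *lambdaTrust
        Policies:
          - PolicyName: purge
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - *writeLogs
                - Effect: Allow   # the only data access `purge` needs
                  Action: 'dynamodb:DeleteItem'
                  Resource: 'arn:aws:dynamodb:*:*:table/example-docs'
```

A function that sets `role` uses only that role, so anything it previously relied on from the shared statements has to be listed in its own policy.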