[security] per-function iam role #10

Open
mvayngrib opened this issue Sep 22, 2017 · 1 comment

@mvayngrib
Member

The default role Serverless assigns to functions is super permissive: the union of all their needs.

@urbien
Member

urbien commented Dec 28, 2021

We need to revive this issue. @martinheidegger, this is for you in view of the ongoing security review.
My understanding is that there are 2 issues here (medium and long term):

  • Each Lambda function should have its own IAM role (this is fairly straightforward if a bit tedious).
  • Each plugin that operates inside Lambda should be sandboxed. This is a longer-term goal, perhaps with two approaches: running the plugin in a NodeJS thread and, for plugins written in Rust, compiling to WASM and using WASI for further sandboxing.

Planning

Tie this in after the upgrade to a new release of the Serverless Framework or, if we decide to go this direction, after the migration to Terraform, Terraform CDK (cdktf), Pulumi, or something else (e.g. SST).
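
Added example (not part of the issue thread or the project's code): a check for the condition this issue describes, run over a CloudFormation template such as the one the Serverless Framework generates when packaging a service. The embedded template is constructed, and its logical IDs, function names and policy actions are assumptions.

```python
from collections import defaultdict

# Constructed template (all names hypothetical): ReadFn and WriteFn share one
# role holding the union of their needs; MailFn has a dedicated role.
def _role(*actions):
    stmts = [{"Effect": "Allow", "Action": a, "Resource": "*"} for a in actions]
    return {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "inline", "PolicyDocument": {"Statement": stmts}}]}}
def _fn(role_id):
    return {"Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": [role_id, "Arn"]}}}

TEMPLATE = {"Resources": {
    "SharedRole": _role(["dynamodb:GetItem", "dynamodb:PutItem"], "s3:GetObject"),
    "MailerRole": _role("ses:SendEmail"),
    "ReadFn": _fn("SharedRole"), "WriteFn": _fn("SharedRole"), "MailFn": _fn("MailerRole"),
}}

def role_key(role):
    """Reduce a Role property (Fn::GetAtt, Ref or literal ARN) to one string key."""
    if isinstance(role, dict) and "Fn::GetAtt" in role:
        target = role["Fn::GetAtt"]  # ["Id", "Arn"] or "Id.Arn"
        return target[0] if isinstance(target, list) else target.split(".")[0]
    if isinstance(role, dict) and "Ref" in role:
        return role["Ref"]
    return str(role)

def allowed_actions(template, role_id):
    """Allow actions in the inline policies of a role defined in the template."""
    props = template["Resources"].get(role_id, {}).get("Properties", {})
    actions = set()
    for policy in props.get("Policies", []):
        stmts = policy["PolicyDocument"]["Statement"]
        for stmt in stmts if isinstance(stmts, list) else [stmts]:
            if stmt.get("Effect") == "Allow":
                act = stmt.get("Action", [])
                actions.update([act] if isinstance(act, str) else act)
    return actions

def shared_roles(template):
    """Map each role used by more than one function to (functions, actions)."""
    users = defaultdict(list)
    for res_id, res in template["Resources"].items():
        if res.get("Type") == "AWS::Lambda::Function":
            users[role_key(res["Properties"].get("Role"))].append(res_id)
    return {r: (sorted(f), sorted(allowed_actions(template, r)))
            for r, f in users.items() if len(f) > 1}

if __name__ == "__main__":
    print(shared_roles(TEMPLATE))
```

Only inline `Policies` on roles defined in the same template are read; a role attached by literal ARN or carrying only managed policies is still reported as shared, with an empty action list.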
