
Make your apps more secure - SAM Policy Templates

@sanathkr sanathkr released this 30 Nov 18:56

Just when you thought we were still in an ice cave in Alaska, here is another amazing SAM feature to make your apps very secure:

Introducing Policy Templates

AWS Managed Policies are a simple mechanism to give your Lambda Function permission to access AWS resources. For example, AmazonDynamoDBFullAccess gives permission to access DynamoDB Tables. More precisely, this will give your function access to all DynamoDB APIs against all DynamoDB tables in all regions. This is excessively permissive when all that your function does is Read & Write values from one table.

SAM provides a tighter and more secure version of AWS Managed Policies called Policy Templates. These are a set of readily available policies that can be scoped to a specific resource in the same region where your stack exists. The following example gives your function CRUD access to just one table defined in your stack:

```yaml
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      ...
      Policies:

        # Give just CRUD permissions to one table
        - DynamoDBCrudPolicy:
            TableName: !Ref MyTable

      ...

  MyTable:
    Type: AWS::Serverless::SimpleTable
```
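To make the least-privilege point concrete, here is an added Python check (not part of SAM or this release) that flags IAM policy statements granting wildcard actions or wildcard resources, or resource ARNs not pinned to a region and account. The two policy documents inside it are constructed stand-ins for a full-access managed policy and a table-scoped CRUD policy, not the actual documents AWS or SAM emit.

```python
"""Least-privilege check for Lambda IAM policy documents (added example)."""
import json

# Constructed stand-in for a "full access" managed policy: every DynamoDB API on every table.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
}

# Constructed stand-in for a policy scoped to one table in the stack's region and account.
SCOPED_CRUD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                   "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:Scan"],
        "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement_index, kind, detail) for each over-broad grant in an Allow statement."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard action", actions))
        if any(r == "*" for r in resources):
            findings.append((idx, "wildcard resource", resources))
        # For services whose ARNs carry region and account (DynamoDB tables do), a blank or
        # wildcard field means the grant is not scoped to the stack's region/account.
        for r in resources:
            parts = r.split(":")
            if r.startswith("arn:") and len(parts) >= 6 and (parts[3] in ("", "*") or parts[4] in ("", "*")):
                findings.append((idx, "unscoped region/account", r))
    return findings


def is_least_privilege(policy):
    """True when no statement grants wildcard actions/resources or unscoped ARNs."""
    return not find_overbroad_statements(policy)
```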

Check out https://github.com/awslabs/serverless-application-model/blob/master/docs/policy_templates.rst for more information.

Lots more to come.. Stay tuned! 📻