Make your apps more secure - SAM Policy Templates
Just when you thought we were still in an ice cave in Alaska, here is another amazing SAM feature to make your apps very secure:
Introducing Policy Templates
AWS Managed Policies are a simple mechanism to give your Lambda Function permission to access AWS resources. For example, AmazonDynamoDBFullAccess gives permission to access DynamoDB Tables. More precisely, this will give your function access to all DynamoDB APIs against all DynamoDB tables in all regions. This is excessively permissive when all that your function does is Read & Write values from one table.
SAM provides a tighter and more secure version of AWS Managed Policies called Policy Templates. These are a set of readily available policies that can be scoped to a specific resource in the same region where your stack exists. The following example gives your function CRUD access to just one table defined in your stack:
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    ...
    Policies:
      # Give just CRUD permissions to one table
      - DynamoDBCrudPolicy:
          TableName: !Ref MyTable
...
MyTable:
  Type: AWS::Serverless::SimpleTable
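To make the difference concrete, here is an added example (not from the original post) that places the over-permissive managed policy, the scoped policy template, and the hand-written inline statement the template replaces side by side in one SAM template. Resource names (OrdersTable and the three functions) and the runtime, handler and code path are assumptions; the action list in the third variant is an illustrative CRUD set, not the template's exact expansion.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  OrdersTable:
    Type: AWS::Serverless::SimpleTable

  # Variant 1 (over-permissive): the managed policy the post warns about.
  # Grants every DynamoDB API on every table in every region, far more
  # than a function that reads and writes one table needs.
  TooBroadFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: app.handler
      CodeUri: ./src
      Policies:
        - AmazonDynamoDBFullAccess

  # Variant 2 (recommended): the SAM policy template, scoped to OrdersTable
  # in the stack's own region. Nothing else changes on the function.
  ScopedFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: app.handler
      CodeUri: ./src
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref OrdersTable

  # Variant 3: the inline statement the template saves you from writing.
  # Actions are an illustrative CRUD set; the Resource ARN does the scoping.
  HandWrittenFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.9
      Handler: app.handler
      CodeUri: ./src
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:PutItem
                - dynamodb:UpdateItem
                - dynamodb:DeleteItem
                - dynamodb:Query
              Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${OrdersTable}
```

Deploying this and comparing the three generated IAM roles in the console shows the scoping directly: only the first role carries a wildcard resource.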
Check out https://github.com/awslabs/serverless-application-model/blob/master/docs/policy_templates.rst for more information.
Lots more to come... Stay tuned! 📻