Serverless IAM Policy

And other issues

Trying to setup the bare minimum Serverless / NodeJS lambda.

Turns out here is the minimum IAM policy needed for Serverless.

Minimum IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AttachInternetGateway",
                "iam:PutRolePolicy",
                "cloudformation:CreateChangeSet",
                "dynamodb:DeleteTable",
                "ec2:DeleteRouteTable",
                "ec2:CreateInternetGateway",
                "cloudformation:UpdateStack",
                "events:RemoveTargets",
                "ec2:DeleteInternetGateway",
                "sns:Subscribe",
                "logs:FilterLogEvents",
                "s3:DeleteObject",
                "iam:GetRole",
                "events:DescribeRule",
                "sns:ListSubscriptionsByTopic",
                "iot:DisableTopicRule",
                "apigateway:*",
                "ec2:CreateTags",
                "sns:CreateTopic",
                "iam:DeleteRole",
                "s3:DeleteBucketPolicy",
                "iot:CreateTopicRule",
                "dynamodb:CreateTable",
                "s3:PutObject",
                "s3:PutBucketNotification",
                "cloudformation:DeleteStack",
                "ec2:CreateSubnet",
                "ec2:DeleteNetworkAclEntry",
                "cloudformation:ValidateTemplate",
                "iot:ReplaceTopicRule",
                "cloudformation:CreateUploadBucket",
                "cloudformation:CancelUpdateStack",
                "events:PutRule",
                "ec2:CreateVpc",
                "sns:ListTopics",
                "cloudformation:UpdateTerminationProtection",
                "s3:ListBucket",
                "cloudformation:EstimateTemplateCost",
                "iam:PassRole",
                "iot:DeleteTopicRule",
                "s3:PutBucketTagging",
                "iam:DeleteRolePolicy",
                "s3:DeleteBucket",
                "ec2:DeleteNetworkAcl",
                "states:CreateStateMachine",
                "sns:GetTopicAttributes",
                "kinesis:DescribeStream",
                "sns:ListSubscriptions",
                "cloudformation:Describe*",
                "events:DeleteRule",
                "ec2:Describe*",
                "s3:ListAllMyBuckets",
                "s3:PutBucketWebsite",
                "s3:GetObjectVersion",
                "cloudformation:Get*",
                "ec2:DeleteSubnet",
                "states:DeleteStateMachine",
                "s3:CreateBucket",
                "iam:CreateRole",
                "sns:Unsubscribe",
                "cloudformation:ContinueUpdateRollback",
                "events:ListRuleNamesByTarget",
                "dynamodb:DescribeTable",
                "logs:GetLogEvents",
                "events:ListRules",
                "cloudformation:List*",
                "events:ListTargetsByRule",
                "cloudformation:ExecuteChangeSet",
                "ec2:CreateRouteTable",
                "kinesis:CreateStream",
                "ec2:DetachInternetGateway",
                "sns:GetSubscriptionAttributes",
                "logs:CreateLogGroup",
                "s3:GetObject",
                "kinesis:DeleteStream",
                "iot:EnableTopicRule",
                "ec2:DeleteVpc",
                "s3:PutAccelerateConfiguration",
                "sns:DeleteTopic",
                "logs:DescribeLogStreams",
                "s3:DeleteObjectVersion",
                "s3:GetAccelerateConfiguration",
                "sns:SetTopicAttributes",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "ec2:CreateSecurityGroup",
                "ec2:CreateNetworkAcl",
                "ec2:ModifyVpcAttribute",
                "logs:DescribeLogGroups",
                "logs:DeleteLogGroup",
                "events:PutTargets",
                "cloudformation:PreviewStackUpdate",
                "sns:SetSubscriptionAttributes",
                "cloudformation:CreateStack",
                "ec2:DeleteSecurityGroup",
                "lambda:*",
                "s3:PutBucketPolicy",
                "ec2:CreateNetworkAclEntry"
            ],
            "Resource": "*"
        }
    ]
}

‘Stuck’ Cloudformation

Also, after it failed a few times early on with what Serverless claims as the bare min policy.

the cloud formation stack was in a ‘created’ state, but when i tried to remove the stack via SLS, I kept getting the error “Bucket Doesn’t Exist”.

gist-tool sls remove --force --aws-profile serverless
Serverless: Getting all objects in S3 bucket...

  Serverless Error ---------------------------------------

  The specified bucket does not exist

So I had to go back in to the AWS console and manually delete my CLoudformation Stack, then Re-run the SLS Deployment fresh.

You need to keep in mind (and know somewhat) that serverless + AWS is just a wrapper around cloudformation.

This happens because SLS does remove the S3 bucket, but somehow it doesn’t reflect that in the SLS remove tool.

Related