Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges

It is important to avoid having '*' in the resource in the serverless framework IAM role because this can grant too much access to your Lambda functions and expose them to potential security risks. Instead, it is recommended to specify the exact resources your functions need to interact with and limit the actions they can perform on those resources.

Suggest Edits

Risk Level: high
Platform: AWS Serverless
Spectral Rule ID: SLFW003

REMEDIATION

Change in statements.Resource set to the '*' to a specific definition

service: service
frameworkVersion: '2'
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      statements:
        - Effect: 'Allow'
-         Resource: '*'
+         Resource: 'arn:aws:s3:::my-bucket-name/example'
          Action: 'iam:DeleteUser'

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
https://www.serverless.com/framework/docs/providers/aws/guide/iam

Updated about 1 year ago

REMEDIATION

Read more: