Ensure that roles defined in Serverless Framework files should not have policies granting full administrative privileges

It is important to avoid having '*' in the resource in the serverless framework IAM role because this can grant too much access to your Lambda functions and expose them to potential security risks. Instead, it is recommended to specify the exact resources your functions need to interact with and limit the actions they can perform on those resources.

Suggest Edits

Risk Level: medium
Platform: AWS Serverless
Spectral Rule ID: SLFW004

REMEDIATION

Change in statements.Action set the '*' to a specific definition

service: service
frameworkVersion: '2'
provider:
  name: aws
  runtime: nodejs12.x
  iam:
    role:
      name: custom-role-name
      statements:
        - Effect: 'Allow'
          Resource: 'arn:aws:s3:::my-bucket-name/example'
-         Action: '*'
+         Action: 'iam:DeleteUser'

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html
https://www.serverless.com/framework/docs/providers/aws/guide/iam

Updated over 1 year ago

REMEDIATION

Read more: