Ensure that roles defined in Serverless Framework files do not have policies granting full administrative privileges

Avoid using '*' as the Resource in Serverless Framework IAM role statements. A wildcard resource grants your Lambda functions too much access and exposes them to potential security risks.
Instead, specify the exact resources your functions need to interact with, and limit the actions they can perform on those resources.

Risk Level: medium
Platform: AWS Serverless
Spectral Rule ID: SLFW012
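
One way to check a configuration for this pattern, as an added example (it is not Spectral's implementation of SLFW012): it walks a config already parsed from YAML into a dict and reports Allow statements whose Resource is '*'. The function names, sample config, bucket name and account ID are constructed; `provider.iam.role.statements` is the newer framework spelling of the provider-level statements.

```python
def _as_list(value):
    """IAM accepts a single value or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _statement_blocks(config):
    """Yield (location, statements) for each block the rule covers."""
    provider = config.get("provider") or {}
    yield "provider.iamRoleStatements", provider.get("iamRoleStatements")
    role = (provider.get("iam") or {}).get("role")
    if isinstance(role, dict):  # role may also be a plain ARN string
        yield "provider.iam.role.statements", role.get("statements")
    for name, fn in (config.get("functions") or {}).items():
        yield (f"functions.{name}.iamRoleStatements",
               (fn or {}).get("iamRoleStatements"))

def find_wildcard_resources(config):
    """Return (location, actions) for Allow statements with Resource '*'."""
    findings = []
    for location, statements in _statement_blocks(config):
        for i, stmt in enumerate(_as_list(statements)):
            if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
                continue  # only Allow statements grant access
            if "*" in _as_list(stmt.get("Resource")):
                findings.append((f"{location}[{i}]", _as_list(stmt.get("Action"))))
    return findings

# Constructed sample: one provider-level wildcard, one scoped statement,
# and one statement that hides '*' inside a Resource list.
SAMPLE_CONFIG = {
    "provider": {"name": "aws", "iamRoleStatements": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    "functions": {"example": {"iamRoleStatements": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/reports/*"},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
         "Resource": ["arn:aws:dynamodb:us-east-1:111122223333:table/example", "*"]},
    ]}},
}

if __name__ == "__main__":
    for location, actions in find_wildcard_resources(SAMPLE_CONFIG):
        print(f"{location}: Resource '*' allowed for {', '.join(actions)}")
```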

REMEDIATION

In 'iamRoleStatements.Resource', replace the '*' value with a specific resource definition.

functions:
  example:
    iamRoleStatements:
      - Effect: Allow
        Action: "s3:GetObject"
-       Resource: "*"
+       Resource: "s3:GetObject" # example
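
Review bot: The `+` line sets Resource to "s3:GetObject", which repeats the Action name and is not a resource identifier. For s3:GetObject the Resource should name the objects the function reads, in the form arn:aws:s3:::<bucket-name>/<key-prefix>/* (placeholder values).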

OR

provider:
name: aws
iamRoleStatements:
  - Effect: "Allow"
    Action: "s3:GetObject"
-   Resource: "*"
+   Resource: "s3:GetObject" # example
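
Review bot: In the context lines, `name: aws` and `iamRoleStatements:` sit at the same level as `provider:` instead of being indented under it, so as written they are top-level keys and the statement is not part of the provider block. The `+` line also uses the action name "s3:GetObject" as the Resource; a resource ARN such as arn:aws:s3:::<bucket-name>/<key-prefix>/* (placeholder) belongs there.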
