AWS Serverless Application Repository. Developer Guide

Transcription

1 AWS Serverless Application Repository Developer Guide

2 AWS Serverless Application Repository: Developer Guide Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

3 Table of Contents What Is the AWS Serverless Application Repository?... 1 Consuming Applications and Publishing Applications... 2 Consuming Applications... 2 Browsing, Searching, and Deploying Applications... 2 Deleting Application Stacks... 3 Publishing Applications... 3 Publishing an Application Through the AWS Management Console... 4 Publishing an Application Through the AWS CLI... 5 Deleting an Application Through the AWS Management Console... 5 Deleting an Application Through the AWS CLI... 6 Using the AWS Serverless Application Model (AWS SAM)... 6 Authentication and Access Control Authentication Access Control Overview of Managing Access AWS Serverless Application Repository Resources and Operations Understanding Resource Ownership Managing Access to AWS Resources Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals Using Identity-Based Policies (IAM Policies) Permissions Required to Use the AWS Serverless Application Repository Console Customer Managed Policy Examples Using Resource-Based Policies (Application Policies) Application Permissions Share an Application with Another Specific Account Share an Application Publicly Make an Application Private Specifying Multiple Accounts and Permissions Retrieve an Application Policy AWS Serverless Application Repository API Permissions Reference Logging AWS Serverless Application Repository API Calls with AWS CloudTrail AWS Serverless Application Repository Information in CloudTrail Understanding AWS Serverless Application Repository Log File Entries Limits Troubleshooting You Can't Make an Application Public A Limit Was Exceeded An Updated Readme File Doesn't Appear Immediately You Can't Deploy an Application Due to Insufficient IAM Permissions You Can't Deploy the Same Application Twice Why Is My Application Not Publicly Available Contacting Support Resources Applications URI HTTP Methods Schemas Properties Applications applicationid URI HTTP Methods Schemas Properties Applications applicationid Changesets iii

4 URI HTTP Methods Schemas Properties Applications applicationid Policy URI HTTP Methods Schemas Properties Applications applicationid Versions URI HTTP Methods Schemas Properties Applications applicationid Versions semanticversion URI HTTP Methods Schemas Properties Document History AWS Glossary iv

5 What Is the AWS Serverless Application Repository? The AWS Serverless Application Repository makes it easy for developers and enterprises to quickly find, deploy, and publish serverless applications in the AWS Cloud. For more information about serverless applications, see Serverless Computing and Applications on the AWS website. The AWS Serverless Application Repository is deeply integrated with the AWS Lambda console. This integration means that developers of all levels can get started with serverless computing without needing to learn anything new. You can use category keywords to browse for applications such as web and mobile backends, data processing applications, or chatbots. You can also search for applications by name, publisher, or event source. To use an application, you simply choose it, configure any required fields, and deploy it with a few clicks. You can also easily publish applications, sharing them publicly with the community at large, or privately within your team or across your organization. To publish a serverless application (or app), you can use the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDKs to upload your code. Along with your code, you upload a simple manifest file, also known as an AWS Serverless Application Model (AWS SAM) template. For more information about AWS SAM, see AWS Serverless Application Model (AWS SAM). In this guide, you can learn about the two ways to work with the AWS Serverless Application Repository: Consuming Applications (p. 2) Browse for applications and view information about them, including source code and readme files. Also install, configure, and deploy applications of your choosing. Publishing Applications (p. 3) Configure and upload applications to make them available to other developers, and publish new versions of applications. 1

6 Consuming Applications Consuming Applications and Publishing Applications Following, you can find information on how to consume and publish serverless applications through the AWS Serverless Application Repository. Topics Consuming Applications (p. 2) Publishing Applications (p. 3) Consuming Applications Following, you can find out how to find and deploy serverless applications that have been published to the AWS Serverless Application Repository. You can browse for applications that are publicly available without having an AWS account by visiting the public site. Alternatively, you can browse for applications from within the AWS Lambda console. Browsing, Searching, and Deploying Applications Find, configure, and deploy an application in the AWS Serverless Application Repository by using the following procedure. To find and configure an application in the AWS Serverless Application Repository 1. Open the AWS Serverless Application Repository public home page, or open the AWS Lambda console and choose Serverless Application Repository. 2. Browse or search for an application. 3. Choose an application to view details such as its capabilities and the number of times it has been deployed by AWS customers. The deployment counts are shown for the AWS Region in which you are trying to deploy the application. 4. On the application detail page, view the application's permissions and application resources by viewing the SAM template, license, and readme file. On this page, you can also find the Source code URL link for applications that are publicly shared. 5. Configure the application in the Configure application parameters section. For guidance on configuring a particular application, see that application s readme file. For example, configuration requirements might include specifying the name of a resource that you want the application to have access to. Such a resource might be an Amazon DynamoDB table, an Amazon S3 bucket, or an Amazon API Gateway API. 6. Choose Deploy. Doing this takes you to the Deployment status page. 7. On the Deployment status page, you can view the progress of your deployment. While waiting for your deployment to complete, you can search and browse for other applications, and return to this page through the Lambda console. After your application has been successfully deployed, you can review and manage the resources that have been created using existing AWS tools. 2

7 Deleting Application Stacks Deleting Application Stacks To delete an application that you previously deployed using the AWS Serverless Application Repository, follow the same procedure as for deleting an AWS CloudFormation stack: AWS Management Console: To delete an application using the AWS Management Console, see Deleting a Stack on the AWS CloudFormation Console in the AWS CloudFormation User Guide. AWS CLI: To delete an application using the AWS CLI, see Deleting a Stack in the AWS CloudFormation User Guide. Publishing Applications Following, you can find how to make your serverless applications available for others to find and deploy. You can publish serverless applications by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or an AWS SDK. To publish an application, you first upload the application code. You also upload a simple manifest file, also known as an AWS Serverless Application Model (AWS SAM) template. For more information about using AWS SAM, see Using the AWS Serverless Application Model (AWS SAM) (p. 6). Note To make the serverless applications that you publish available to developers in other AWS Regions, publish your applications to either US East (N. Virginia) (us-east-1) or US East (Ohio) (us-east-2). Publishing your application in any other AWS Region restricts its availability to that AWS Region. For more information about AWS Serverless Application Repository regions and endpoints, see Regions and Endpoints in the AWS General Reference. Before you publish an application to the AWS Serverless Application Repository, you need the following: A valid AWS account. A valid AWS Serverless Application Model (AWS SAM) template that defines the AWS resources used. For more information about AWS SAM, see AWS Serverless Application Model (AWS SAM). A package for your application that you created using the AWS CloudFormation package command for the AWS CLI. This command packages the local artifacts (local paths) that your AWS SAM template references. For more details, see package in the AWS CloudFormation documentation. A URL pointing to your application's source code, in case you want to publish your application publicly. A readme.txt file. This file should describe how customers can use your application, and how to configure it before deploying it in their own AWS accounts. A license.txt file. A valid Amazon S3 bucket policy that grants the service read permissions for artifacts uploaded to Amazon S3 when you packaged your application. Following is an example of such a policy. "Version": " ", "Statement": [ "Effect": "Allow", "Principal": "Service": "serverlessrepo.amazonaws.com", "Action": "s3:getobject", "Resource": "arn:aws:s3:::<your-bucket-name>/*" 3

8 Publishing an Application Through the AWS Management Console Note The information that you enter when publishing an application is not encrypted. This information includes such data as the author name, location, and contact information. If you have personally identifiable information that you don't want to be stored or made public, we recommend that you don't enter this information when publishing your application. Publishing an Application Through the AWS Management Console You can create and publish an application through the AWS Management Console as described following. Creating a New Application Through the Console Create a new application in the AWS Serverless Application Repository by using the following procedure. To create a new application in the AWS Serverless Application Repository 1. Open the AWS Serverless Application Repository console and choose Publish applications. 2. On the Publish an application page, type the indicated application information into the following boxes: Application Name Author Description Search labels (space delimited) SPDX license Readme.txt file Semantic version Source code URL (required only for publicly shared applications) AWS SAM template file 3. Choose Publish application. Sharing an Application Through the Console Make your application publicly available using the following procedure. To make your application publicly available 1. Open the AWS Serverless Application Repository console. 2. On the navigation pane, choose My Applications to bring up the list of applications that you have created. 3. Choose the application that you want to share. 4. In the Application Details section, move the Visibility slider to Application is public. Publishing a New Version of an Existing Application Through the Console Publish a new version of an application that you already created using the following procedure. 4

9 Publishing an Application Through the AWS CLI To publish a new version of an application 1. Open the AWS Serverless Application Repository console. 2. On the navigation pane, choose My Applications to bring up the list of applications that you have created. 3. Choose the application that you want to publish a new version for. 4. Choose Publish new version. 5. For AWS SAM template file, type the name of the new AWS SAM template file for this version. 6. Choose Publish. Publishing an Application Through the AWS CLI You can create and publish an application through the AWS CLI as described following. Creating a New Application Through the AWS CLI To create a new application using the AWS CLI, first gather the same items required for publishing through the AWS Management Console, described preceding. Then use the aws serverlessrepo create-application function, passing it each of these items as parameters. For more information about the parameters to be passed to this function, type aws serverlessrepo create-application help at the AWS CLI. Sharing an Application Through the AWS CLI To make your application publicly available using the AWS CLI, you can use the aws serverlessrepo put-application-policy function, passing the application ID and policy statement as parameters. For more information about the parameters to be passed to this function, type aws serverlessrepo put-application-policy help at the AWS CLI. Publishing a New Version of an Existing Application Through the AWS CLI To create a new version of an application using the AWS CLI, you can use the aws serverlessrepo create-application-version function. You pass as parameters the application ID, semantic version, new SAM template, and source code URL. For more information about the parameters to be passed to this function, type aws serverlessrepo create-application-version help at the AWS CLI. Deleting an Application Through the AWS Management Console To delete a published application through the AWS Management Console, do the following. 1. Open the AWS Serverless Application Repository console. 2. For My Applications, choose the application that you want to delete. 3. In the application's detail page, choose Delete application. A message appears. 5

10 Deleting an Application Through the AWS CLI 4. Choose Delete application to complete the deletion. Deleting an Application Through the AWS CLI To delete a published application using the AWS CLI, you run the aws serverlessrepo deleteapplication command. In the command, specify the application ID of the application that you want to delete. The following command deletes an application, where <value> is the application ID: PROMPT> aws serverlessrepo delete-application --application-id <value> Using the AWS Serverless Application Model (AWS SAM) The AWS Serverless Application Model (AWS SAM) is a model that defines serverless applications. AWS SAM is natively supported by AWS CloudFormation and defines a simplified syntax for expressing serverless resources. The specification currently covers API operations, AWS Lambda functions, and Amazon DynamoDB tables. The specification is available under Apache 2.0 for AWS partners and customers to adopt and extend within their own tool sets. For details on the specification, see AWS Serverless Application Model. AWS SAM supports special resource types that simplify how to express functions, API operations, mappings, and DynamoDB tables for serverless applications. AWS SAM also supports certain other features for these services, such as environment variables. The AWS CloudFormation description of these resources conforms to the AWS Serverless Application Model. To deploy your application, specify the resources that you need as part of your application. You specify these along with their associated permissions policies in an AWS CloudFormation template file (written in either JSON or YAML). You then package your deployment artifacts, and deploy the template. The sections below list the AWS Resources and Policy Templates currently supported by AWS Serverless Application Repository. Supported AWS Resources in the AWS Serverless Application Repository Serverless applications that you publish to the AWS Serverless Application Repository can include additional AWS CloudFormation resources. Below is a complete list of supported AWS Resources. If you would like to request an additional AWS Resource to be supported, please contact AWS Support. AWS::Serverless::Function AWS::Serverless::Api AWS::Serverless::SimpleTable AWS::Lambda::Alias AWS::Lambda::Version AWS::Lambda::EventSourceMapping AWS::ApiGateway::Account AWS::ApiGateway::ApiKey AWS::ApiGateway::Authorizer AWS::ApiGateway::BasePathMapping 6

11 Using the AWS Serverless Application Model (AWS SAM) AWS::ApiGateway::ClientCertificate AWS::ApiGateway::Deployment AWS::ApiGateway::DocumentationPart AWS::ApiGateway::DocumentationVersion AWS::ApiGateway::DomainName AWS::ApiGateway::GatewayResponse AWS::ApiGateway::Method AWS::ApiGateway::Model AWS::ApiGateway::RequestValidator AWS::ApiGateway::Resource AWS::ApiGateway::RestApi AWS::ApiGateway::Stage AWS::ApiGateway::UsagePlan AWS::ApiGateway::UsagePlanKey AWS::Cognito::IdentityPool AWS::Cognito::UserPool AWS::Cognito::UserPoolClient AWS::Cognito::UserPoolGroup AWS::Cognito::UserPoolUser AWS::Cognito::UserPoolUserToGroupAttachment AWS::DynamoDB::Table AWS::Logs::Destination AWS::Logs::LogGroup AWS::Logs::LogStream AWS::Logs::MetricFilter AWS::Logs::SubscriptionFilter AWS::Kinesis::Streams AWS::S3::Bucket AWS::SNS::Subscription AWS::SNS::Topic AWS::SQS::Queue AWS::CloudWatch::Alarm AWS::CloudWatch::Dashboard Policy Templates When you add a serverless application to the AWS Serverless Application Repository, AWS SAM allows you to choose from a list of policy templates. When you choose one of these templates, your AWS Lambda functions are scoped to the resources that are used by your application. Below is the list of available policy templates, along with the permissions that are applied to each one. AWS SAM automatically populates the placeholder items (such as AWS Region and account ID) with the appropriate information. Important For applications published to the AWS Serverless Application Repository, you're only allowed to use the supported policy templates to extend the permissions for 7

12 Using the AWS Serverless Application Model (AWS SAM) AWS::Serverless::Function resources. Custom policies and AWS managed policies aren't allowed, and are rejected when the application is published to the AWS Serverless Application Repository. If you want to request a new policy template to be added, do the following: 1. Submit a pull request against the policy_templates.json source file in the develop branch of the AWS SAM GitHub project. You can find the source file here: policy_templates.json. 2. Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues. Examples There are two AWS SAM template examples in this section, one with a policy template that includes placeholder values, and one that does not include placeholder values. Example 1: Policy template with placeholder values The following example shows that the SQSPollerPolicy policy template expects a QueueName as a resource. The AWS SAM template retrieves the name of the"myqueue" Amazon SQS queue, which can be created in the same application or requested as a parameter to the application. MyFunction: Type: 'AWS::Serverless::Function' Properties: CodeUri: $codeuri Handler: hello.handler Runtime: python2.7 Policies: - SQSPollerPolicy: QueueName:!GetAtt MyQueue.QueueName Example 2: Policy template with no placeholder values The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values. MyFunction: Type: 'AWS::Serverless::Function' Properties: CodeUri: $codeuri Handler: hello.handler Runtime: python2.7 Policies: - CloudWatchPutMetricPolicy: SQSPollerPolicy: Gives Permissions to Poll an Amazon SQS Queue "Statement": [ "Effect": "Allow", 8

13 Using the AWS Serverless Application Model (AWS SAM) "Action": [ "sqs:changemessagevisibility", "sqs:changemessagevisibilitybatch", "sqs:deletemessage", "sqs:deletemessagebatch", "sqs:getqueueattributes", "sqs:receivemessage", "Resource": "Fn::Sub": [ "arn:$aws::partition:sqs:$aws::region:$aws::accountid:$queuename", "queuename": "Ref": "QueueName" LambdaInvokePolicy: Gives Permission to Invoke a Lambda Function, Alias, or Version "Statement": [ "Effect": "Allow", "Action": [ "lambda:invokefunction", "Resource": "Fn::Sub": [ "arn:$aws::partition:lambda:$aws::region:$aws::accountid:function: $functionname*", "functionname": "Ref": "FunctionName" CloudWatchPutMetricPolicy: Gives Permissions to Put Metrics to CloudWatch "Statement": [ "Effect": "Allow", "Action": [ "cloudwatch:putmetricdata", "Resource": "*" 9

14 Using the AWS Serverless Application Model (AWS SAM) EC2DescribePolicy: Gives Permission to Describe Amazon EC2 Instances "Statement": [ "Effect": "Allow", "Action": [ "ec2:describeregions", "ec2:describeinstances", "Resource": "*" DynamoDBCrudPolicy: Gives Create/Read/Update/Delete Permissions to a DynamoDB Table "Statement": [ "Effect": "Allow", "Action": [ "dynamodb:getitem", "dynamodb:deleteitem", "dynamodb:putitem", "dynamodb:scan", "dynamodb:query", "dynamodb:updateitem", "dynamodb:batchwriteitem", "dynamodb:batchgetitem", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename", "tablename": "Ref": "TableName" DynamoDBReadPolicy: Gives Read-Only Access to a DynamoDB Table "Statement": [ "Effect": "Allow", "Action": [ 10

15 Using the AWS Serverless Application Model (AWS SAM) "dynamodb:getitem", "dynamodb:scan", "dynamodb:query", "dynamodb:batchgetitem", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename", "tablename": "Ref": "TableName" SESSendBouncePolicy: Gives SendBounce Permission to an Amazon SES Identity "Statement": [ "Effect": "Allow", "Action": [ "ses:sendbounce", "Resource": "Fn::Sub": [ "arn:$aws::partition:ses:$aws::region:$aws::accountid:identity/ $identityname", "identityname": "Ref": "IdentityName" ElasticsearchHttpPostPolicy: Gives POST Permissions to Amazon Elasticsearch Service "Statement": [ "Effect": "Allow", "Action": [ "es:eshttppost", "Resource": "Fn::Sub": [ "arn:$aws::partition:es:$aws::region:$aws::accountid:domain/ $domainname", 11

16 Using the AWS Serverless Application Model (AWS SAM) "domainname": "Ref": "DomainName" S3ReadPolicy: Gives Read Permissions to Objects in the Amazon S3 Bucket "Statement": [ "Effect": "Allow", "Action": [ "s3:getobject", "s3:listbucket", "s3:getbucketlocation", "s3:getobjectversion", "s3:getlifecycleconfiguration", "Resource": [ "Fn::Sub": [ "arn:$aws::partition:s3:::$bucketname", "bucketname": "Ref": "BucketName", "Fn::Sub": [ "arn:$aws::partition:s3:::$bucketname/*", "bucketname": "Ref": "BucketName" S3CrudPolicy: Gives Create/Read/Update Permissions to Objects in the Amazon S3 Bucket "Statement": [ "Effect": "Allow", "Action": [ "s3:getobject", "s3:listbucket", 12

17 Using the AWS Serverless Application Model (AWS SAM) "s3:getbucketlocation", "s3:getobjectversion", "s3:putobject", "s3:getlifecycleconfiguration", "s3:putlifecycleconfiguration", "Resource": [ "Fn::Sub": [ "arn:$aws::partition:s3:::$bucketname", "bucketname": "Ref": "BucketName", "Fn::Sub": [ "arn:$aws::partition:s3:::$bucketname/*", "bucketname": "Ref": "BucketName" AMIDescribePolicy: Gives Permissions to Describe Amazon Machine Images (AMIs) *" "Statement": [ "Effect": "Allow", "Action": [ "ec2:describeimages", "Resource": "Fn::Sub": "arn:$aws::partition:ec2:$aws::region:$aws::accountid:image/ CloudFormationDescribeStacksPolicy: Gives Permission to Describe AWS CloudFormation Stacks "Statement": [ "Effect": "Allow", "Action": [ "cloudformation:describestacks", 13

18 Using the AWS Serverless Application Model (AWS SAM) "Resource": "Fn::Sub": "arn:$aws::partition:cloudformation:$aws::region: $AWS::AccountId:stack/*" RekognitionNoDataAccessPolicy: Gives Permission to Compare and Detect Faces and Labels "Statement": [ "Effect": "Allow", "Action": [ "rekognition:comparefaces", "rekognition:detectfaces", "rekognition:detectlabels", "rekognition:detectmoderationlabels", "Resource": "Fn::Sub": [ "arn:$aws::partition:rekognition:$aws::region: $AWS::AccountId:collection/$collectionId", "collectionid": "Ref": "CollectionId" RekognitionReadPolicy: Gives Permission to List and Search Faces "Statement": [ "Effect": "Allow", "Action": [ "rekognition:listcollections", "rekognition:listfaces", "rekognition:searchfaces", "rekognition:searchfacesbyimage", "Resource": "Fn::Sub": [ "arn:$aws::partition:rekognition:$aws::region: $AWS::AccountId:collection/$collectionId", "collectionid": "Ref": "CollectionId" 14

19 Using the AWS Serverless Application Model (AWS SAM) RekognitionWriteOnlyAccessPolicy: Gives Permission to Create Collection and Index Faces "Statement": [ "Effect": "Allow", "Action": [ "rekognition:createcollection", "rekognition:indexfaces", "Resource": "Fn::Sub": [ "arn:$aws::partition:rekognition:$aws::region: $AWS::AccountId:collection/$collectionId", "collectionid": "Ref": "CollectionId" SQSSendMessagePolicy: Gives Permission to Send Message to Amazon SQS Queue "Statement": [ "Effect": "Allow", "Action": [ "sqs:sendmessage*", "Resource": "Fn::Sub": [ "arn:$aws::partition:sqs:$aws::region:$aws::accountid:$queuename", "queuename": "Ref": "QueueName" SNSPublishMessagePolicy: Gives Permission to Publish a Message to an Amazon SNS Topic 15

20 Using the AWS Serverless Application Model (AWS SAM) "Statement": [ "Effect": "Allow", "Action": [ "sns:publish", "Resource": "Fn::Sub": [ "arn:$aws::partition:sns:$aws::region:$aws::accountid:$topicname", "topicname": "Ref": "TopicName" VPCAccessPolicy: Gives Access to Create, Delete, Describe, and Detach Elastic Network Interfaces "Statement": [ "Effect": "Allow", "Action": [ "ec2:createnetworkinterface", "ec2:deletenetworkinterface", "ec2:describenetworkinterfaces", "ec2:detachnetworkinterface", "Resource": "*" DynamoDBStreamReadPolicy: Gives Permission to Describe and Read a DynamoDB Stream and Records "Statement": [ "Effect": "Allow", "Action": [ "dynamodb:describestream", "dynamodb:getrecords", "dynamodb:getsharditerator", "dynamodb:liststreams", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename/$streamname", "tablename": "Ref": "TableName", "streamname": 16

21 Using the AWS Serverless Application Model (AWS SAM) "Ref": "StreamName" KinesisStreamReadPolicy: Gives Permission to List and Read an Amazon Kinesis Stream "Statement": [ "Effect": "Allow", "Action": [ "kinesis:liststreams", "kinesis:describelimits", "Resource": "Fn::Sub": "arn:$aws::partition:kinesis:$aws::region: $AWS::AccountId:stream/*", "Effect": "Allow", "Action": [ "kinesis:describestream", "kinesis:getrecords", "kinesis:getsharditerator", "Resource": "Fn::Sub": [ "arn:$aws::partition:kinesis:$aws::region:$aws::accountid:stream/ $streamname", "streamname": "Ref": "StreamName" SESCrudPolicy: Gives Permission to Send and Verify Identity "Statement": [ "Effect": "Allow", "Action": [ "ses:getidentityverificationattributes", "ses:send ", "ses:verify identity", "Resource": 17

22 Using the AWS Serverless Application Model (AWS SAM) "Fn::Sub": [ "arn:$aws::partition:ses:$aws::region:$aws::accountid:identity/ $identityname", "identityname": "Ref": "IdentityName" SNSCrudPolicy: Gives Permissions to Create, Publish, and Subscribe to Amazon SNS Topics "Statement": [ "Effect": "Allow", "Action": [ "sns:listsubscriptionsbytopic", "sns:createtopic", "sns:settopicattributes", "sns:subscribe", "sns:publish", "Resource": "Fn::Sub": [ "arn:$aws::partition:sns:$aws::region:$aws::accountid:$topicname*", "topicname": "Ref": "TopicName" KinesisCrudPolicy: Gives Permission to Create, Publish, and Delete an Amazon Kinesis Stream "Statement": [ "Effect": "Allow", "Action": [ "kinesis:addtagstostream", "kinesis:createstream", "kinesis:decreasestreamretentionperiod", "kinesis:deletestream", "kinesis:describestream", "kinesis:getsharditerator", "kinesis:increasestreamretentionperiod", "kinesis:listtagsforstream", "kinesis:mergeshards", "kinesis:putrecord", 18

23 Using the AWS Serverless Application Model (AWS SAM) "kinesis:putrecords", "kinesis:splitshard", "kinesis:removetagsfromstream", "Resource": "Fn::Sub": [ "arn:$aws::partition:kinesis:$aws::region:$aws::accountid:stream/ $streamname", "streamname": "Ref": "StreamName" KMSDecryptPolicy: Gives Permission to Decrypt with an AWS KMS Key "Statement": [ "Action": "kms:decrypt", "Effect": "Allow", "Resource": "Fn::Sub": [ "arn:$aws::partition:kms:$aws::region:$aws::accountid:key/$keyid", "keyid": "Ref": "KeyId" PollyFullAccessPolicy: Gives full access permissions to Amazon Polly lexicon resources "Statement": [ "Effect": "Allow", "Action": [ "polly:getlexicon", "polly:deletelexicon", "Resource": [ "Fn::Sub": [ "arn:$aws::partition:polly:$aws::region:$aws::accountid:lexicon/ $lexiconname", "lexiconname": "Ref": "LexiconName" 19

24 Using the AWS Serverless Application Model (AWS SAM), "Effect": "Allow", "Action": [ "polly:describevoices", "polly:listlexicons", "polly:putlexicon", "polly:synthesizespeech", "Resource": [ "Fn::Sub": "arn:$aws::partition:polly:$aws::region: $AWS::AccountId:lexicon/*" S3FullAccessPolicy: Gives full access permissions to objects in the Amazon S3 Bucket "Statement": [ "Effect": "Allow", "Action": [ "s3:getobject", "s3:getobjectacl", "s3:getobjectversion", "s3:putobject", "s3:putobjectacl", "s3:deleteobject", "Resource": [ "Fn::Sub": [ "arn:$aws::partition:s3:::$bucketname/*", "bucketname": "Ref": "BucketName", "Effect": "Allow", "Action": [ "s3:listbucket", "s3:getbucketlocation", "s3:getlifecycleconfiguration", "s3:putlifecycleconfiguration", "Resource": [ "Fn::Sub": [ 20

25 Using the AWS Serverless Application Model (AWS SAM) "arn:$aws::partition:s3:::$bucketname", "bucketname": "Ref": "BucketName" CodePipelineLambdaExecutionPolicy: Gives permission for a Lambda function invoked by AWS CodePipeline to report back status of the job "Statement": [ "Effect": "Allow", "Action": [ "codepipeline:putjobsuccessresult", "codepipeline:putjobfailureresult", "Resource": [ "Fn::Sub": "arn:$aws::partition:codepipeline:$aws::region: $AWS::AccountId:*" ServerlessRepoReadWriteAccessPolicy: Gives access permissions to create and list applications in the AWS Serverless Application Repository service "Statement": [ "Effect": "Allow", "Action": [ "serverlessrepo:createapplication", "serverlessrepo:createapplicationversion", "serverlessrepo:getapplication", "serverlessrepo:listapplications", "serverlessrepo:listapplicationversions", "Resource": [ "Fn::Sub": "arn:$aws::partition:serverlessrepo:$aws::region: $AWS::AccountId:applications/*" 21

26 Using the AWS Serverless Application Model (AWS SAM) EC2CopyImagePolicy: Gives permission to copy Amazon EC2 Images "Statement": [ "Effect": "Allow", "Action": [ "ec2:copyimage", "Resource": "Fn::Sub": [ "arn:$aws::partition:ec2:$aws::region:$aws::accountid:image/ $imageid", "imageid": "Ref": "ImageId" AWSSecretsManagerRotationPolicy: Grants permissions to APIs required to rotate a secret in AWS Secrets Manager "Statement": [ "Effect": "Allow", "Action": [ "secretsmanager:describesecret", "secretsmanager:getsecretvalue", "secretsmanager:putsecretvalue", "secretsmanager:updatesecretversionstage", "Resource": "Fn::Sub": "arn:$aws::partition:secretsmanager:$aws::region: $AWS::AccountId:secret:*", "Condition": "StringEquals": "secretsmanager:resource/allowrotationlambdaarn": "Fn::Sub": [ "arn:$aws::partition:lambda:$aws::region: $AWS::AccountId:function:$functionName", "functionname": "Ref": "FunctionName", 22

27 Using the AWS Serverless Application Model (AWS SAM) "Effect": "Allow", "Action": [ "secretsmanager:getrandompassword", "Resource": "*" CodePipelineReadOnlyPolicy: Gives read permissions to get details about a CodePipeline pipeline "Statement": [ "Effect": "Allow", "Action": [ "cloudwatch:getdashboard", "cloudwatch:listdashboards", "cloudwatch:putdashboard", "cloudwatch:listmetrics", "Resource": "*" RekognitionFacesPolicy: Gives permission to compare and detect faces and labels "Statement": [ "Effect": "Allow", "Action": [ "rekognition:comparefaces", "rekognition:detectfaces", "Resource": "Fn::Sub": [ "arn:$aws::partition:rekognition:$aws::region: $AWS::AccountId:collection/$collectionId", "collectionid": "Ref": "CollectionId" RekognitionLabelsPolicy: Gives permission to compare and detect faces and labels "Statement": [ "Effect": "Allow", 23

28 Using the AWS Serverless Application Model (AWS SAM) "Action": [ "rekognition:detectlabels", "rekognition:detectmoderationlabels", "Resource": "*" DynamoDBBackupFullAccessPolicy: Gives read/write permissions to DynamoDB on-demand backups for a table "Statement": [ "Effect": "Allow", "Action": [ "dynamodb:createbackup", "dynamodb:describecontinuousbackups", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename", "tablename": "Ref": "TableName", "Effect": "Allow", "Action": [ "dynamodb:deletebackup", "dynamodb:describebackup", "dynamodb:listbackups", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename/backup/*", "tablename": "Ref": "TableName" DynamoDBRestoreFromBackupPolicy: Gives permissions to restore a table from backup "Statement": [ "Effect": "Allow", "Action": [ 24

29 Using the AWS Serverless Application Model (AWS SAM) "dynamodb:restoretablefrombackup", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename/backup/*", "tablename": "Ref": "TableName", "Effect": "Allow", "Action": [ "dynamodb:putitem", "dynamodb:updateitem", "dynamodb:deleteitem", "dynamodb:getitem", "dynamodb:query", "dynamodb:scan", "dynamodb:batchwriteitem", "Resource": "Fn::Sub": [ "arn:$aws::partition:dynamodb:$aws::region:$aws::accountid:table/ $tablename", "tablename": "Ref": "TableName" ComprehendBasicAccessPolicy: Gives access to Amazon Comprehend APIs for detecting entities, key phrases, languages and sentiments "Statement": [ "Effect": "Allow", "Action": [ "comprehend:batchdetectkeyphrases", "comprehend:detectdominantlanguage", "comprehend:detectentities", "comprehend:batchdetectentities", "comprehend:detectkeyphrases", "comprehend:detectsentiment", "comprehend:batchdetectdominantlanguage", "comprehend:batchdetectsentiment", "Resource": "*" 25

30 Using the AWS Serverless Application Model (AWS SAM) MobileAnalyticsWriteOnlyAccessPolicy: Gives write only permissions to put event data for all application resources "Statement": [ "Effect": "Allow", "Action": [ "mobileanalytics:putevents", "Resource": "*" PinpointEndpointAccessPolicy: Gives permissions to get and update endpoints for a Pinpoint application "Statement": [ "Effect": "Allow", "Action": [ "mobiletargeting:getendpoint", "mobiletargeting:updateendpoint", "mobiletargeting:updateendpointsbatch", "Resource": "Fn::Sub": [ "arn:$aws::partition:mobiletargeting:$aws::region: $AWS::AccountId:apps/$pinpointApplicationId/endpoints/*", "pinpointapplicationid": "Ref": "PinpointApplicationId" FirehoseWritePolicy: Gives permission to write to a Kinesis Firehose Delivery Stream "Statement": [ "Effect": "Allow", "Action": [ "firehose:putrecord", "firehose:putrecordbatch", "Resource": "Fn::Sub": [ "arn:$aws::partition:firehose:$aws::region: $AWS::AccountId:deliverystream/$deliveryStreamName", 26

31 Using the AWS Serverless Application Model (AWS SAM) "deliverystreamname": "Ref": "DeliveryStreamName" FirehoseCrudPolicy: Gives permission to create, write to, update, and delete a Kinesis Firehose Delivery Stream "Statement": [ "Effect": "Allow", "Action": [ "firehose:createdeliverystream", "firehose:deletedeliverystream", "firehose:describedeliverystream", "firehose:putrecord", "firehose:putrecordbatch", "firehose:updatedestination", "Resource": "Fn::Sub": [ "arn:$aws::partition:firehose:$aws::region: $AWS::AccountId:deliverystream/$deliveryStreamName", "deliverystreamname": "Ref": "DeliveryStreamName" 27

32 Authentication Authentication and Access Control for AWS Serverless Application Repository Access to AWS Serverless Application Repository requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an AWS Serverless Application Repository application. In the following sections, you can find details on how to use AWS Identity and Access Management (IAM) and AWS Serverless Application Repository to help AWS secure your resources by controlling who can access them: Authentication (p. 28) Access Control (p. 29) Authentication You can access AWS as any of the following types of identities: AWS account root user When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. IAM user An IAM user is an identity within your AWS account that has specific custom permissions (for example, permissions to create an application in AWS Serverless Application Repository). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center. In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don t use AWS tools, you must sign the request yourself. AWS Serverless Application Repository supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference. IAM role An IAM role is an IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations: 28

33 Access Control Federated user access Instead of creating an IAM user, you can use existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide. AWS service access You can use an IAM role in your account to grant an AWS service permissions to access your account s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide. Applications running on Amazon EC2 You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide. Access Control You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access AWS Serverless Application Repository resources. For example, as a publisher you must have permissions to create an AWS Serverless Application Repository application, update application metadata, and publish a new version of an application. As another example, as a consumer you must have permissions to search for, view the details of, and deploy applications. The following sections describe how to manage permissions for AWS Serverless Application Repository. We recommend that you read the overview first. Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources (p. 29) Using Identity-Based Policies (IAM Policies) for AWS Serverless Application Repository (p. 33) Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies) (p. 37) Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources Every AWS resource is owned by an AWS account, and permissions to create or access an AWS resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). Also, some services (such as AWS Serverless Application Repository) support attaching permissions policies to AWS resources. Note An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide. 29

34 AWS Serverless Application Repository Resources and Operations When granting permissions, you decide who is getting the permissions, the AWS resources they get permissions for, and the specific actions that you want to allow on those AWS resources. Topics AWS Serverless Application Repository Resources and Operations (p. 30) Understanding Resource Ownership (p. 30) Managing Access to AWS Resources (p. 30) Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals (p. 32) AWS Serverless Application Repository Resources and Operations In AWS Serverless Application Repository, the primary AWS resource is an AWS Serverless Application Repository application. AWS Serverless Application Repository applications have unique Amazon Resource Names (ARNs) associated with them as shown in the following table. AWS Resource Type Application Amazon Resource Name (ARN) Format arn:aws:serverlessrepo:region:accountid:applications/application-name AWS Serverless Application Repository provides a set of operations to work with the AWS Serverless Application Repository resources. For a list of available operations, see Resources (p. 48). Understanding Resource Ownership An AWS resource owner is the AWS account that created the AWS resource. That is, the AWS resource owner is the AWS account of the principal entity (the root account, an IAM user, or an IAM role) that authenticates the request that creates the AWS resource. The following examples illustrate how this works: If you use the root account credentials of your AWS account to create an AWS Serverless Application Repository application, your AWS account is the owner of the AWS resource. In AWS Serverless Application Repository, the AWS resource is the application. If you create an IAM user in your AWS account and grant permissions to create an AWS Serverless Application Repository application to that user, the user can create an application. However, your AWS account, to which the user belongs, owns the AWS Serverless Application Repository application resource. If you create an IAM role in your AWS account with permissions to create an AWS Serverless Application Repository application, anyone who can assume the role can create an application. Your AWS account, to which the role belongs, owns the AWS Serverless Application Repository application resource. Managing Access to AWS Resources A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies. 30

35 Managing Access to AWS Resources Note This section discusses using IAM in the context of AWS Serverless Application Repository. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide. Policies attached to an IAM identity are referred to as identity-based policies (IAM polices) and policies attached to an AWS resource are referred to as resource-based policies. AWS Serverless Application Repository supports both identity-based (IAM policies) and resource-based policies. Topics Identity-Based Policies (IAM Policies) (p. 31) Resource-Based Policies (AWS Serverless Application Repository Application Policies) (p. 32) Identity-Based Policies (IAM Policies) You can attach policies to IAM identities. For example, you can do the following: Attach a permissions policy to a user or a group in your account An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create an AWS Serverless Application Repository application. Attach a permissions policy to a role (grant cross-account permissions) You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in Account A can create a role to grant cross-account permissions to another AWS account (for example, Account B) or an AWS service as follows: 1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on AWS resources in Account A. 2. Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role. 3. Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access AWS resources in Account A. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permissions to assume the role. For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide. The following is an example policy that grants permissions for the serverlessrepo:listapplications action on all AWS resources. In the current implementation, AWS Serverless Application Repository doesn't support identifying specific AWS resources using the AWS resource ARNs (also referred to as resource-level permissions) for some of the API actions. In these cases, you must specify a wildcard character (*). "Version": " ", "Statement": [ "Sid": "ListExistingApplications", "Effect": "Allow", "Action": [ "serverlessrepo:listapplications", "Resource": "*" 31

36 Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals For more information about using identity-based policies with AWS Serverless Application Repository, see Using Identity-Based Policies (IAM Policies) for AWS Serverless Application Repository (p. 33). For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide. Resource-Based Policies (AWS Serverless Application Repository Application Policies) Each AWS Serverless Application Repository application can have resource-based permissions policies associated with it. For AWS Serverless Application Repository, an application is the primary AWS resource and these policies are referred to as AWS Serverless Application Repository application policies or simply application policies. For AWS Serverless Application Repository, you can use an application policy to allow another account to deploy applications you have published. You can either allow deployments by a specific list of accounts (private), or you can allow deployments to all other accounts (public). For more information about using resource-based policies with AWS Serverless Application Repository, see Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies) (p. 37). For additional information about using IAM roles (identity-based policies) as opposed to resource-based policies, see How IAM Roles Differ from Resource-based Policies in the IAM User Guide. Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals For each AWS Serverless Application Repository resource (see AWS Serverless Application Repository Resources and Operations (p. 30)), the service defines a set of API operations (see Resources (p. 48)). To grant permissions for these API operations, AWS Serverless Application Repository defines a set of actions that you can specify in a policy. Performing an API operation can require permissions for more than one action. When granting permissions for specific actions, you also identify the AWS resource on which the actions are allowed or denied. The following are the most basic policy elements. In AWS Serverless Application Repository, we recommend defining policies using these elements only with identity-based policies. Resource In a policy, you use an Amazon Resource Name (ARN) to identify the AWS resource to which the policy applies. For more information, see AWS Serverless Application Repository Resources and Operations (p. 30). Action You use action keywords to identify AWS resource operations that you want to allow or deny. For example, the serverlessrepo:createapplication permission allows the user permissions to perform the AWS Serverless Application Repository CreateApplication operation. Effect You specify the effect when the user requests the specific action this can be either allow or deny. If you don't explicitly grant access to (allow) an AWS resource, access is implicitly denied. You can also explicitly deny access to an AWS resource, which you might do to make sure that a user cannot access it, even if a different policy grants access. Principal In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). To learn more about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide. For a table showing all of the AWS Serverless Application Repository API actions and the AWS resources that they apply to, see AWS Serverless Application Repository API Permissions: Actions and Resources Reference (p. 39). 32