GITBOOK-735: No subject

2025-12-12 15:50:19 -08:00 · 2024-12-19 17:05:20 +00:00
parent fd78deddd6
commit 404cb0d4d6
1 changed files with 62 additions and 12 deletions
--- a/pentesting-ci-cd/serverless.com-security.md
+++ b/pentesting-ci-cd/serverless.com-security.md
@@ -241,12 +241,18 @@ functions:

 ```yaml
 provider:
-  iamRoleStatements:
-    - Effect: Allow
-      Action:
-        - dynamodb:Query
-        - dynamodb:Scan
-      Resource: arn:aws:dynamodb:${self:provider.region}:*:table/my-table
+  [...]
+  iam:
+    role:
+      statements:
+        - Effect: 'Allow'
+          Action:
+            - 'dynamodb:PutItem'
+            - 'dynamodb:Get*'
+            - 'dynamodb:Scan*'
+            - 'dynamodb:UpdateItem'
+            - 'dynamodb:DeleteItem'
+          Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
 ```

 </details>
@@ -535,18 +541,62 @@ resources:

 Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation.

+When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like:
+
+<details>
+
+<summary>Minimum lambda permissions</summary>
+
+```json
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:CreateLogGroup",
+                "logs:TagResource"
+            ],
+            "Resource": [
+                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
+            ],
+            "Effect": "Allow"
+        },
+        {
+            "Action": [
+                "logs:PutLogEvents"
+            ],
+            "Resource": [
+                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
+            ],
+            "Effect": "Allow"
+        }
+    ]
+}
+```
+
+
+
+</details>
+
 #### **Mitigation Strategies**

 *   **Principle of Least Privilege:** Assign only necessary permissions to each function.

    ```yaml
    provider:
-      iamRoleStatements:
-        - Effect: Allow
-          Action:
-            - dynamodb:Query
-            - dynamodb:Scan
-          Resource: arn:aws:dynamodb:${self:provider.region}:*:table/my-table
+      [...]
+      iam:
+        role:
+          statements:
+            - Effect: 'Allow'
+              Action:
+                - 'dynamodb:PutItem'
+                - 'dynamodb:Get*'
+                - 'dynamodb:Scan*'
+                - 'dynamodb:UpdateItem'
+                - 'dynamodb:DeleteItem'
+              Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}
    ```
 * **Use Separate Roles:** Differentiate roles based on function requirements.