Serverless Function Without Unique IAM Role

  • Query id: 165aae3b-a56a-48f3-b76d-d2b5083f5b8f
  • Query name: Serverless Function Without Unique IAM Role
  • Platform: ServerlessFW
  • Severity: High
  • Category: Insecure Configurations
  • CWE: 732
  • URL: Github

Description

Each Serverless function should have its own IAM role rather than sharing one, so that it holds only the minimum privileges needed for its own tasks. In the Serverless Framework a function that does not set a role key runs under the single service-wide role that every other function in the service shares; the positive samples below omit the role key, while the negative samples assign a per-function role ARN.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x

functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
Positive test num. 2 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x

functions:
  - hello:
      handler: handler.hello
      onError: arn:aws:sns:us-east-1:XXXXXX:test
      tags:
        foo: bar

Code samples without security vulnerabilities

Negative test num. 1 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x

functions:
  hello:
    handler: handler.hello
    onError: arn:aws:sns:us-east-1:XXXXXX:test
    tags:
      foo: bar
    role: arn:aws:iam::XXXXXX:role/role
Negative test num. 2 - yml file
service: service
frameworkVersion: '2' 
provider:
  name: aws
  runtime: nodejs12.x

functions:
  - hello:
      handler: handler.hello
      onError: arn:aws:sns:us-east-1:XXXXXX:test
      tags:
        foo: bar
      role: arn:aws:iam::XXXXXX:role/role
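The following is an added example, not part of the KICS query or the Serverless Framework: a Python check that applies the query's logic to an already-parsed serverless.yml (the sample documents are constructed from the tests above; the shared-role extension goes beyond what the query itself flags).

```python
"""Mirror the KICS check over a parsed serverless.yml (e.g. yaml.safe_load output)."""
from typing import Any, Dict, Iterator, List, Tuple

Doc = Dict[str, Any]


def iter_functions(doc: Doc) -> Iterator[Tuple[str, Doc]]:
    """Yield (name, definition) for each function; the framework accepts
    "functions" as a mapping (test num. 1) or a list of single-key mappings
    (test num. 2), and both shapes are handled here."""
    functions = doc.get("functions") or {}
    if isinstance(functions, list):  # [{hello: {...}}, {world: {...}}]
        functions = {k: v for entry in functions if isinstance(entry, dict)
                     for k, v in entry.items()}
    if not isinstance(functions, dict):
        return
    for name, definition in functions.items():
        if isinstance(definition, dict):
            yield name, definition


def functions_without_role(doc: Doc) -> List[str]:
    """The query's own check: functions with no per-function role, which
    therefore run under the single role shared by the whole service."""
    return [name for name, fn in iter_functions(doc) if not fn.get("role")]


def functions_sharing_role(doc: Doc) -> Dict[str, List[str]]:
    """Extension beyond the query: explicit role ARNs reused by more than
    one function, which also defeats least privilege."""
    by_role: Dict[str, List[str]] = {}
    for name, fn in iter_functions(doc):
        if isinstance(fn.get("role"), str):
            by_role.setdefault(fn["role"], []).append(name)
    return {role: names for role, names in by_role.items() if len(names) > 1}


# Constructed documents: the parsed form of positive test num. 2 (list syntax,
# no role) and of negative test num. 1 (mapping syntax, per-function role).
POSITIVE_DOC: Doc = {
    "service": "service",
    "provider": {"name": "aws", "runtime": "nodejs12.x"},
    "functions": [{"hello": {"handler": "handler.hello", "tags": {"foo": "bar"}}}],
}
NEGATIVE_DOC: Doc = {
    "service": "service",
    "provider": {"name": "aws", "runtime": "nodejs12.x"},
    "functions": {"hello": {"handler": "handler.hello",
                            "role": "arn:aws:iam::XXXXXX:role/role"}},
}
```

Feed the output of yaml.safe_load on a real serverless.yml to functions_without_role to reproduce the query result; a non-empty list is a finding.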