Serverless plugin for least privileges.
Latest commit 8b01287 Oct 4, 2017




Serverless plugin for PureSec CLI.


  • Saves you time - magically creates IAM roles for you
  • Reduces the attack surface of your AWS Lambda based application
  • Helps create least privileged roles with the minimum required permissions
  • Currently supported runtimes: Node.js, Python (more runtimes coming soon...)
  • Currently supported services: DynamoDB, Kinesis, KMS, Lambda, S3, SES, SNS & Step Functions
  • Works with the Serverless Framework


Requirements

  • Python 3.4+
  • NodeJS 6+

Quick Start

1. Install via npm:

npm install --save-dev serverless-puresec-cli

2. Add serverless-puresec-cli to your serverless.yml:

In your project's serverless.yml file, add the entry serverless-puresec-cli to the plugins section. If there is no plugins section, you will need to add one to the file.

It should look similar to this:

plugins:
  - serverless-puresec-cli

3. Validate:

You can check whether you have successfully installed the plugin by running the serverless command line.

The console should display puresec as one of the plugins now available in your Serverless project.

4. Start using the tool:

Generate the IAM role for your function.

serverless puresec gen-roles --function myFunction

After receiving the IAM role in the output of the tool:

  1. Validate the role. Make sure you have all the required permissions and only them.
  2. Copy-paste it to the Resources section in your serverless.yml file.
  3. Connect the generated Role by adding the role property to your function in the serverless.yml.

5. You can also execute the tool on the entire project:

serverless puresec gen-roles
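
One way to carry out the "Validate the role" step from step 4 before pasting anything into serverless.yml. This is an added example, not code from the plugin or from PureSec. It assumes the generated role has the shape of a CloudFormation AWS::IAM::Role resource with inline Policies; the sample role, audit_role, as_list and the expected_services set are hypothetical names and constructed data.

```python
# Added example: review a generated role before pasting it into serverless.yml.
# SAMPLE_ROLE is constructed data shaped like an AWS::IAM::Role resource,
# not real output of the tool.
SAMPLE_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "myFunctionPolicy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
             "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
            {"Effect": "Allow", "Action": "sns:Publish",
             "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        ]},
    }]},
}


def as_list(value):
    """IAM accepts one value or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_role(role, expected_services):
    """Return (policy name, statement index, finding) for over-broad Allow statements."""
    findings = []
    for policy in role.get("Properties", {}).get("Policies", []):
        name = policy.get("PolicyName", "?")
        statements = as_list(policy["PolicyDocument"].get("Statement"))
        for i, stmt in enumerate(statements):
            if stmt.get("Effect") != "Allow":
                continue
            if "NotAction" in stmt or "NotResource" in stmt:
                findings.append((name, i, "NotAction/NotResource in an Allow"))
            for action in as_list(stmt.get("Action")):
                service = action.split(":")[0].lower()
                if "*" in action:
                    findings.append((name, i, "wildcard action " + action))
                if service != "*" and service not in expected_services:
                    findings.append((name, i, "unexpected service " + service))
            if "*" in as_list(stmt.get("Resource")):
                findings.append((name, i, "resource is *"))
    return findings


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE, {"dynamodb", "s3"}):
        print(finding)
```

An empty result only means no wildcard or unexpected service was found; confirming that every permission the function needs is present still requires reading the statements against the function's code.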