Implement an AWSLambdaBasicExecutionRole with the least privilege principle

[azizur]

What did you implement:

Closes #6241 Implement an AWSLambdaBasicExecutionRole with the least privilege principle

How did you implement it:

• Take the default AWSLambdaBasicExecutionRole and reduce permission scope the function resources.
• Reduce duplications in resources list by combining multiple actions into a single policy statement.

How can we verify it:

Previously the inline policy would have looked something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogStream"
      ],
      "Resource": [
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-a}:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-b}:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-c}:*",
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-a}:*:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-b}:*:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-c}:*:*",
      ],
      "Effect": "Allow"
    }
  ]
}

Now

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-a}:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-b}:*",
        "arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{stage}-{function-c}:*",
      ],
      "Effect": "Allow"
    }
  ]
}

Todos:

Note: Run npm run test-ci to run all validation checks on proposed changes

• Write tests and confirm existing functionality is not broken.
  Validate via npm test
• Write documentation
• Ensure there are no lint errors.
  Validate via npm run lint-updated
  Note: Some reported issues can be automatically fixed by running npm run lint:fix
• Ensure introduced changes match Prettier formatting.
  Validate via npm run prettier-check-updated
  Note: All reported issues can be automatically fixed by running npm run prettify-updated
• Make sure code coverage hasn't dropped
• Provide verification config / commands / resources
• Enable "Allow edits from maintainers" for this PR
• Update the messages below

Is this ready for review?: YES
Is it a breaking change?: NO

[evheniy]

Any news when it will be merged?

[pmuens]

Hey @azizur thanks a lot for working on this 👍

I just did a review and test today and everything works as expected.

I tested a fresh deployment and an "upgrade" deployment (deploying with the current master, then switching to your PR branch and re-deploying). Both worked without any problems.

I'd say this is GTM

@medikoo could you also take a quick look at this?

[medikoo]

Looks as great improvement.

Left one remark, as in previously merged PR, one of the changes proposed here, was rejected then (it'll be good to double ensure it's 100% safe)

Also I think it should not be marked to close #6241 as that one proposes we rely on AWS police directly, and here we're just reflecting permissions it sets up.

[medikoo]

Interesingly in #6241, it was assumed that resource definition for logs:CreateLogGroup and logs:PutLogEvents cannot be merged -> #6212 (comment)
(cc @rdsedmundo @pmuens )

I take, that after all they can be merged (so for logs:PutLogEvents, :* trailing can be stripped)

[rdsedmundo]

Yeah, I thought that it could be a problem, but if you tested and it worked without the :* we should be good.

[medikoo]

I didn't :)

@pmuens @azizur when testing, did you cover the case of creating new function, invoking it, and confirming that logs for it are visible in CloudWatch?

[azizur]

Hi everyone, this is my first PR, your feedback and support are really appreciated.

@medikoo I have not tested this specific scenario yet. I will test it and update in this thread.

[azizur]

I have tested it using this simple repo: https://github.com/azizur/serverless-pull-6692 a completely new project and it worked. I have previously tested with my existing project already, so there was no need to test again.

I have tested with additional modification too:

1. remove *:* from

   serverless/lib/plugins/aws/customResources/index.js

   Line 136 in 15dce40

   `:log-group:${logGroupsPrefix}*:*`,

It worked since it generated policy resource refrences like:

"arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{function-a}-{stage}*:*"

Then I tried with additional modifications with mergeIamTemplates.js

1. remove :* from

   serverless/lib/plugins/aws/package/lib/mergeIamTemplates.js

   Line 104 in 15dce40

   `:log-group:${customFunctionNamelogGroupsPrefix}:*`,

2. remove *:* from

   serverless/lib/plugins/aws/package/lib/mergeIamTemplates.js

   Line 113 in 15dce40

   `:log-group:${logGroupsPrefix}*:*`,

It did NOT worked since it generated policy resource refrence like:~

"arn:aws:logs:{AWS_REGION}:{AWS_ACCOUNT}:log-group:/aws/lambda/{function-a}-{stage}"

I think we can go with the additional modifications in

serverless/lib/plugins/aws/customResources/index.js

Line 136 in 15dce40

`:log-group:${logGroupsPrefix}*:*`,

and it will work. Looking forward to feedback from others.

[azizur]

Apologies for change to my previous message. I did not fully understand all the test scenarios. I have now checked the following policies and I can confirm that:

"PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                  ],
                  "Resource": [
                    {
                      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/{function-a}*:*"
                    }
                  ]
                }
              ]
            }

Works:

• ✅ creates log groups
• ✅ creates log streams
• ✅ Log stream as logs entries. <<< This was missed from my above testing.

When I modified https://github.com/serverless/serverless/blob/15dce40ce0284cf04e4c92754e85118a81cfec47/lib/plugins/aws/package/lib/mergeIamTemplates.js Line 104 and Line 113 in 15dce40.

Works:

• ✅ creates log groups
• ✅ creates log streams

Did not work:

• ❌ Log stream as logs entries. <<< This was missed from my above testing.

[medikoo]

Great thanks @azizur for thorough check, we really appreciate it.

Let us know on final outcome.

[medikoo]

This one actually fixes #6698

[azizur]

DO NOT MERGE YET
I would like to simulate some of the policies in AWS Console to test out what might be a good policy.

[jameswoodley]

How we looking on this?

[azizur]

Apologies for the lack of update on this. I have got really busy week at work this week. Will try to take a look this weekend.

[jameswoodley]

@azizur not at all, thanks for taking the time!

[pmuens]

@azizur thanks again for taking the time to work on this! 👌 🥇

I don't want to hurry you and just want to check-in if you have any news on this PR.

Let us know if you need help with anything else or if we should take it from here.

[pmuens]

Just wanted to do another follow-up here. Were you able to make any progress on this PR @azizur? Do you need any help here?

Looks like the PR has some conflicts we need to resolve e.g. via a rebase.

[michelesr]

This looks like a very useful feature. Any reason it hasn't been merged yet?

[medikoo]

Taken in safer implementation at #7120