Managing Permissions with AWS SAM
Overview
The AWS Serverless Application Model (AWS SAM) simplifies the definition and deployment of serverless applications. When it comes to managing permissions between serverless resources, AWS SAM provides several mechanisms to ensure secure and well-scoped access control. Below is a breakdown of the options provided and the most appropriate way to manage permissions in a serverless application built with AWS SAM:
Options
- A. Custom IAM Policies or AWS Managed Policies within SAM Resources: AWS SAM allows the definition of IAM roles and policies directly within the SAM template...
- B. Custom Lambda Authorizers: Lambda authorizers are utilized to control access to APIs in API Gateway...
- C. Dedicated SAM Template for IAM Permissions: Creating a dedicated SAM template to manage all IAM permissions...
- D. SAM Connectors: SAM connectors (AWS::Serverless::Connector) provide a simplified way to grant permissions...
Answer
The most appropriate way to manage permissions in a serverless application built with AWS SAM would be to use SAM connectors (AWS::Serverless::Connector) wherever possible...
Managing Resource Access and Permissions
For the AWS resources in an application to interact with each other, the proper access and permissions between those resources must be configured. This means configuring AWS Identity and Access Management (IAM) users, roles, and policies so that the interactions are secure. For more information, one can refer to the section on Controlling access with AWS Identity and Access Management in the AWS CloudFormation User Guide.
AWS Serverless Application Model (AWS SAM) Options
The AWS Serverless Application Model (AWS SAM) simplifies the management of access and permissions for serverless applications through two options:
- AWS SAM connectors
- AWS SAM policy templates
AWS SAM Connectors
Connectors provision permissions between two resources by describing their interaction within the AWS SAM template. They can be defined using either the Connectors resource attribute or the AWS::Serverless::Connector resource type. Connectors provision Read and Write access to data and events between supported combinations of AWS resources. For further details on AWS SAM connectors, one can refer to the section on Managing resource permissions with AWS SAM connectors.
AWS SAM Policy Templates
AWS SAM policy templates are pre-defined sets of permissions that can be added to AWS SAM templates to manage access and permissions between AWS Lambda functions, AWS Step Functions state machines, and the resources they interact with. For more information on AWS SAM policy templates, one can refer to the section on AWS SAM policy templates.
AWS CloudFormation Mechanisms
AWS CloudFormation mechanisms consist of configuring IAM users, roles, and policies directly to manage permissions between AWS resources. For further details, one can refer to the section on Managing permissions with AWS CloudFormation mechanisms.
Best Practices
Across serverless applications, multiple methods can be employed to configure permissions between resources. Hence, the best option for each scenario can be selected, and multiple options can be utilized throughout the applications. Here are a few considerations when choosing the best option:
- Both AWS SAM connectors and policy templates diminish the IAM expertise needed to enable secure interactions between AWS resources. When supported, connectors and policy templates should be used.
- AWS SAM connectors offer a simple and intuitive shorthand syntax for defining permissions in AWS SAM templates, requiring the least amount of IAM expertise. When both AWS SAM connectors and policy templates are supported, AWS SAM connectors should be used.
- AWS SAM connectors can provision Read and Write access to data and events between supported AWS SAM source and destination resources. For a list of supported resources, one can refer to the AWS SAM connector reference.
- While AWS SAM policy templates are limited to permissions between Lambda functions, Step Functions state machines, and the AWS resources they interact with, they do support all CRUD operations. When supported, and when an AWS SAM policy template for the scenario is available, AWS SAM policy templates should be used. For a list of available policy templates, one can refer to the AWS SAM policy templates.
- For all other scenarios, or when granularity is required, AWS CloudFormation mechanisms should be used.
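The following SAM template is an added example, not code from the page or from AWS documentation. It puts the mechanisms described in the AWS SAM Options section and ranked in the Best Practices list side by side, so the answer given above (prefer connectors, then policy templates, then plain CloudFormation IAM) can be read directly from one file. One DynamoDB table is accessed by four functions: two through connectors (the Connectors resource attribute and the standalone AWS::Serverless::Connector resource), one through the DynamoDBCrudPolicy policy template, and one through an inline IAM policy document for the granular case that neither connectors nor policy templates cover. The table and function names, the Python runtime, the CodeUri paths and the tenant key prefix are all assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
  Added example: one DynamoDB table and four functions, each granted access
  through a different mechanism. Resource names, runtime and code paths are assumed.

Resources:
  OrdersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions:
        - AttributeName: orderId
          AttributeType: S
      KeySchema:
        - AttributeName: orderId
          KeyType: HASH

  # 1. Connector as a resource attribute: SAM generates an IAM policy scoped to
  #    OrdersTable that allows the DynamoDB read and write actions.
  OrderWriterFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/order_writer/
    Connectors:
      OrdersTableConnector:
        Properties:
          Destination:
            Id: OrdersTable
          Permissions:
            - Read
            - Write

  # 2. The same mechanism as a standalone AWS::Serverless::Connector resource,
  #    here granting read-only access.
  OrderReaderFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/order_reader/

  OrderReaderToOrdersTable:
    Type: AWS::Serverless::Connector
    Properties:
      Source:
        Id: OrderReaderFunction
      Destination:
        Id: OrdersTable
      Permissions:
        - Read

  # 3. Policy template: DynamoDBCrudPolicy grants create, read, update and
  #    delete on exactly one table, named by reference.
  OrderAdminFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/order_admin/
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref OrdersTable

  # 4. CloudFormation mechanism: an inline IAM policy document for a case that
  #    needs more granularity than 1-3 offer, i.e. two read actions restricted
  #    to items whose partition key starts with an assumed tenant prefix.
  TenantReportFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/tenant_report/
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - dynamodb:GetItem
                - dynamodb:Query
              Resource: !GetAtt OrdersTable.Arn
              Condition:
                ForAllValues:StringLike:
                  dynamodb:LeadingKeys:
                    - tenant-a#*
```

Run `sam validate` on the template before deploying. After deployment, the policies that SAM generated for the two connectors appear as their own IAM resources in the CloudFormation stack, which is the place to confirm that the actions actually granted match the Read or Write intent declared in the template. The fourth function shows why the Best Practices list keeps CloudFormation mechanisms as the fallback: a per-partition-key condition such as dynamodb:LeadingKeys cannot be expressed with a connector or a policy template, so the least-privilege grant there has to be written as an explicit IAM statement.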