AWS SAM policy templates
The AWS Serverless Application Model (AWS SAM) allows you to choose from a list of policy templates to scope the permissions of your Lambda functions and AWS Step Functions state machines to the resources that are used by your application.
AWS SAM applications in the AWS Serverless Application Repository that use policy templates don't require any special customer acknowledgments to deploy the application from the AWS Serverless Application Repository.
If you want to request a new policy template to be added, do the following:
-
Submit a pull request against the policy_templates.json source file in the
developbranch of the AWS SAM GitHub project. You can find the source file in policy_templates.jsonon the GitHub website. -
Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues
.
Syntax
For every policy template you specify in your AWS SAM template file, you must always specify an object containing the policy template's placeholder values. If a policy template does not require any placeholder values, you must specify an empty object.
YAML
MyFunction: Type: AWS::Serverless::Function Properties: Policies: - PolicyTemplateName1: # Policy template with placeholder value Key1: Value1 - PolicyTemplateName2: {} # Policy template with no placeholder value
Examples
Example 1: Policy template with placeholder values
The following example shows that the SQSPollerPolicy policy template expects a QueueName as a
resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue,
which you can create in the same application or requested as a parameter to the
application.
MyFunction: Type: 'AWS::Serverless::Function' Properties: CodeUri: ${codeuri} Handler: hello.handler Runtime: python2.7 Policies: - SQSPollerPolicy: QueueName: !GetAtt MyQueue.QueueName
Example 2: Policy template with no placeholder values
The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values.
Note
Even though there are no placeholder values, you must specify an empty object, otherwise an error will result.
MyFunction: Type: 'AWS::Serverless::Function' Properties: CodeUri: ${codeuri} Handler: hello.handler Runtime: python2.7 Policies: - CloudWatchPutMetricPolicy: {}
Policy template table
The following is a table of the available policy templates.
| Policy Template | Description |
|---|---|
| AcmGetCertificatePolicy | Gives a permission to read a certificate from AWS Certificate Manager. |
| AMIDescribePolicy | Gives permission to describe Amazon Machine Images (AMIs). |
| AthenaQueryPolicy | Gives permissions to execute Athena queries. |
| AWSSecretsManagerGetSecretValuePolicy | Gives permission to get the secret value for the specified AWS Secrets Manager secret. |
| AWSSecretsManagerRotationPolicy | Gives permission to rotate a secret in AWS Secrets Manager. |
| CloudFormationDescribeStacksPolicy | Gives permission to describe AWS CloudFormation stacks. |
| CloudWatchDashboardPolicy | Gives permissions to put metrics to operate on CloudWatch dashboards. |
| CloudWatchDescribeAlarmHistoryPolicy | Gives permission to describe CloudWatch alarm history. |
| CloudWatchPutMetricPolicy | Gives permission to send metrics to CloudWatch. |
| CodeCommitCrudPolicy | Gives permissions to create/read/update/delete objects within a specific CodeCommit repository. |
| CodeCommitReadPolicy | Gives permissions to read objects within a specific CodeCommit repository. |
| CodePipelineLambdaExecutionPolicy | Gives permission for a Lambda function invoked by CodePipeline to report the status of the job. |
| CodePipelineReadOnlyPolicy | Gives read permission to get details about a CodePipeline pipeline. |
| ComprehendBasicAccessPolicy | Gives permission for detecting entities, key phrases, languages, and sentiments. |
| CostExplorerReadOnlyPolicy | Gives read-only permission to the read-only Cost Explorer APIs for billing history. |
| DynamoDBBackupFullAccessPolicy | Gives read and write permission to DynamoDB on-demand backups for a table. |
| DynamoDBCrudPolicy | Gives create, read, update, and delete permissions to an Amazon DynamoDB table. |
| DynamoDBReadPolicy | Gives read-only permission to a DynamoDB table. |
| DynamoDBReconfigurePolicy | Gives permission to reconfigure a DynamoDB table. |
| DynamoDBRestoreFromBackupPolicy | Gives permission to restore a DynamoDB table from backup. |
| DynamoDBStreamReadPolicy | Gives permission to describe and read DynamoDB streams and records. |
| DynamoDBWritePolicy | Gives write-only permission to a DynamoDB table. |
| EC2CopyImagePolicy | Gives permission to copy Amazon EC2 images. |
| EC2DescribePolicy | Gives permission to describe Amazon Elastic Compute Cloud (Amazon EC2) instances. |
| EcsRunTaskPolicy | Gives permission to start a new task for a task definition. |
| EFSWriteAccessPolicy | Gives permission to mount an Amazon EFS file system with write access. |
| EKSDescribePolicy | Gives permission to describe or list Amazon EKS clusters. |
| ElasticMapReduceAddJobFlowStepsPolicy | Gives permission to add new steps to a running cluster. |
| ElasticMapReduceCancelStepsPolicy | Gives permission to cancel a pending step or steps in a running cluster. |
| ElasticMapReduceModifyInstanceFleetPolicy | Gives permission to list details and modify capacities for instance fleets within a cluster. |
| ElasticMapReduceModifyInstanceGroupsPolicy | Gives permission to list details and modify settings for instance groups within a cluster. |
| ElasticMapReduceSetTerminationProtectionPolicy | Gives permission to set termination protection for a cluster. |
| ElasticMapReduceTerminateJobFlowsPolicy | Gives permission to shut down a cluster. |
| ElasticsearchHttpPostPolicy | Gives POST permission to Amazon OpenSearch Service. |
| EventBridgePutEventsPolicy | Gives permissions to send events to EventBridge. |
| FilterLogEventsPolicy | Gives permission to filter CloudWatch Logs events from a specified log group. |
| FirehoseCrudPolicy | Gives permission to create, write, update, and delete a Firehose delivery stream. |
| FirehoseWritePolicy | Gives permission to write to a Firehose delivery stream. |
| KinesisCrudPolicy | Gives permission to create, publish, and delete an Amazon Kinesis stream. |
| KinesisStreamReadPolicy | Gives permission to list and read an Amazon Kinesis stream. |
| KMSDecryptPolicy | Gives permission to decrypt with an AWS Key Management Service (AWS KMS) key. |
| KMSEncryptPolicy | Gives permission to encrypt with an AWS Key Management Service (AWS KMS) key. |
| LambdaInvokePolicy | Gives permission to invoke an AWS Lambda function, alias, or version. |
| MobileAnalyticsWriteOnlyAccessPolicy | Gives write-only permission to put event data for all application resources. |
| OrganizationsListAccountsPolicy | Gives read-only permission to list child account names and IDs. |
| PinpointEndpointAccessPolicy | Gives permission to get and update endpoints for an Amazon Pinpoint application. |
| PollyFullAccessPolicy | Gives full access permission to Amazon Polly lexicon resources. |
| RekognitionDetectOnlyPolicy | Gives permission to detect faces, labels, and text. |
| RekognitionFacesManagementPolicy | Gives permission to add, delete, and search faces in an Amazon Rekognition collection. |
| RekognitionFacesPolicy | Gives permission to compare and detect faces and labels. |
| RekognitionLabelsPolicy | Gives permission to detect object and moderation labels. |
| RekognitionNoDataAccessPolicy | Gives permission to compare and detect faces and labels. |
| RekognitionReadPolicy | Gives permission to list and search faces. |
| RekognitionWriteOnlyAccessPolicy | Gives permission to create collection and index faces. |
| Route53ChangeResourceRecordSetsPolicy | Gives permission to change resource record sets in Route 53. |
| S3CrudPolicy | Gives create, read, update, and delete permission to act on the objects in an Amazon S3 bucket. |
| S3FullAccessPolicy | Gives full access permission to act on the objects in an Amazon S3 bucket. |
| S3ReadPolicy | Gives read-only permission to read objects in an Amazon Simple Storage Service (Amazon S3) bucket. |
| S3WritePolicy | Gives write permission to write objects into an Amazon S3 bucket. |
| SageMakerCreateEndpointConfigPolicy | Gives permission to create an endpoint configuration in SageMaker AI. |
| SageMakerCreateEndpointPolicy | Gives permission to create an endpoint in SageMaker AI. |
| ServerlessRepoReadWriteAccessPolicy | Gives permission to create and list applications in the AWS Serverless Application Repository service. |
| SESBulkTemplatedCrudPolicy | Gives permission to send email, templated email, templated bulk emails and verify identity. |
| SESBulkTemplatedCrudPolicy_v2 | Gives permission to send Amazon SES email, templated email, and templated bulk emails and to verify identity. |
| SESCrudPolicy | Gives permission to send email and verify identity. |
| SESEmailTemplateCrudPolicy | Gives permission to create, get, list, update and delete Amazon SES email templates. |
| SESSendBouncePolicy | Gives SendBounce permission to an Amazon Simple Email Service (Amazon SES) identity. |
| SNSCrudPolicy | Gives permission to create, publish, and subscribe to Amazon SNS topics. |
| SNSPublishMessagePolicy | Gives permission to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic. |
| SQSPollerPolicy | Gives permission to poll an Amazon Simple Queue Service (Amazon SQS) queue. |
| SQSSendMessagePolicy | Gives permission to send message to an Amazon SQS queue. |
| SSMParameterReadPolicy | Gives permission to access a parameter from an Amazon EC2 Systems Manager (SSM) parameter store to load secrets in this account. Use when parameter name doesn't have slash prefix. |
| SSMParameterWithSlashPrefixReadPolicy | Gives permission to access a parameter from an Amazon EC2 Systems Manager (SSM) parameter store to load secrets in this account. Use when parameter name has slash prefix. |
| StepFunctionsExecutionPolicy | Gives permission to start a Step Functions state machine execution. |
| TextractDetectAnalyzePolicy | Gives access to detect and analyze documents with Amazon Textract. |
| TextractGetResultPolicy | Gives access to get detected and analyzed documents from Amazon Textract. |
| TextractPolicy | Gives full access to Amazon Textract. |
| VPCAccessPolicy | Gives access to create, delete, describe, and detach elastic network interfaces. |
Troubleshooting
SAM CLI error: "Must specify valid parameter values for policy template '<policy-template-name>'"
When executing sam build, you see the following error:
"Must specify valid parameter values for policy template '<policy-template-name>'"
This means that you did not pass an empty object when declaring a policy template that does not have any placeholder values.
To fix this, declare the policy like the following example for CloudWatchPutMetricPolicy.
MyFunction: Policies: - CloudWatchPutMetricPolicy: {}
