Using AWS SAM with the AWS Serverless Application Repository - AWS Serverless Application Repository

Using AWS SAM with the AWS Serverless Application Repository

The AWS Serverless Application Model (AWS SAM) is an open-source framework that you can use to build serverless applications on AWS. For more information about using AWS SAM to build your serverless application, see the AWS Serverless Application Model Developer Guide.

When building applications that will be published to the AWS Serverless Application Repository, you must consider the set of supported AWS Resources and Policy Templates available to use. The sections below describe these topics in more detail.

Supported AWS Resources in the AWS Serverless Application Repository

The AWS Serverless Application Repository supports serverless applications that are composed of many AWS SAM and CloudFormation resources. To see the complete list of AWS resources that are supported by AWS Serverless Application Repository, see List of Supported AWS Resources.

If you want to request support for an additional AWS resource, contact AWS Support.

Important

AWS Serverless Application Repository blocks publication of applications that include the following overly broad IAM permission patterns, which do not follow the principle of least privilege:

  • Attaching the AWSLambda_FullAccess managed policy to Lambda functions

  • Granting iam:AttachRolePolicy, iam:PutRolePolicy, or iam:* on all resources (*) in inline IAM policies

To publish your application, replace AWSLambda_FullAccess with only the specific Lambda permissions your application requires, and scope iam:AttachRolePolicy, iam:PutRolePolicy, and iam:PassRole to specific resource ARNs rather than all resources. For guidance, see IAM security best practices.

Important

If your application template contains one of the following custom IAM roles or resource policies, your application doesn't show up in search results by default. Also, customers need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information, see Acknowledging Application Capabilities.

The resources that this applies to are:

If your application contains the AWS::Serverless::Application resource, customers need to acknowledge that the application contains a nested application before they can deploy the application. For more information about nested applications, see Nested Applications in the AWS Serverless Application Model Developer Guide. For more information about acknowledging capabilities, see Acknowledging Application Capabilities.
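As an added example (not code from the AWS documentation), the following Python check takes a SAM template that has already been parsed into a dict (for instance with `yaml.safe_load`) and reports the two IAM patterns the first note above says block publication, plus the resource types this section names as requiring a customer acknowledgment (an `AWS::IAM::Role` as a custom IAM role, an `AWS::Serverless::Application` as a nested application). The two template dicts, the resource names and the `my-app` ARNs are constructed for the demonstration; the `AWSLambda_FullAccess` check is applied to every `AWS::IAM::Role` in the template, which is stricter than the page's wording about Lambda functions, and an `Action` of `"*"` is treated as covering `iam:*`, which is this checker's own conservative reading.

```python
"""Pre-publication IAM check for a parsed AWS SAM / CloudFormation template.

Added example; not part of the AWS documentation. Flags the patterns the
AWS Serverless Application Repository rejects and lists the resource types
the page says need a customer acknowledgment before deployment."""

BLOCKED_MANAGED_POLICY = "AWSLambda_FullAccess"
BLOCKED_IAM_ACTIONS = {"iam:attachrolepolicy", "iam:putrolepolicy", "iam:*"}
# Resource types this page names as requiring customer acknowledgment.
ACK_RESOURCE_TYPES = {
    "AWS::IAM::Role": "custom IAM role",
    "AWS::Serverless::Application": "nested application",
}


def _as_list(value):
    """CloudFormation accepts a scalar wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_blocked_managed_policy(ref):
    # Accepts a bare policy name (SAM shorthand) or a full managed-policy ARN.
    return isinstance(ref, str) and ref.split("/")[-1] == BLOCKED_MANAGED_POLICY


def _statement_findings(statement, where):
    """Blocked IAM actions that one statement allows on Resource '*'."""
    if not isinstance(statement, dict) or statement.get("Effect", "Allow") != "Allow":
        return []
    actions = {a.lower() for a in _as_list(statement.get("Action")) if isinstance(a, str)}
    if "*" in actions:
        actions.add("iam:*")  # checker's conservative reading: Action "*" covers iam:*
    # Intrinsic functions (Ref, Fn::Sub) are dicts, so a scoped ARN never matches "*".
    resources = [r for r in _as_list(statement.get("Resource")) if isinstance(r, str)]
    if "*" not in resources:
        return []
    return [f"{where}: {a} allowed on Resource '*'" for a in sorted(actions & BLOCKED_IAM_ACTIONS)]


def _document_findings(doc, where):
    if not isinstance(doc, dict):
        return []
    return [f for st in _as_list(doc.get("Statement")) for f in _statement_findings(st, where)]


def find_blocked_iam_patterns(template):
    """Human-readable findings; an empty list means nothing here blocks publication."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties") or {}
        if rtype == "AWS::Serverless::Function":
            for pol in _as_list(props.get("Policies")):
                if _is_blocked_managed_policy(pol):
                    findings.append(f"{name}: managed policy {BLOCKED_MANAGED_POLICY} attached")
                elif isinstance(pol, dict) and "Statement" in pol:  # inline document, not a policy template
                    findings.extend(_document_findings(pol, f"{name}: inline policy"))
        elif rtype == "AWS::IAM::Role":
            for arn in _as_list(props.get("ManagedPolicyArns")):
                if _is_blocked_managed_policy(arn):
                    findings.append(f"{name}: managed policy {BLOCKED_MANAGED_POLICY} attached")
            for pol in _as_list(props.get("Policies")):
                if isinstance(pol, dict):
                    where = f"{name}: inline policy {pol.get('PolicyName', '?')}"
                    findings.extend(_document_findings(pol.get("PolicyDocument"), where))
        elif rtype == "AWS::IAM::Policy":
            findings.extend(_document_findings(props.get("PolicyDocument"), f"{name}: AWS::IAM::Policy"))
    return findings


def find_acknowledgment_triggers(template):
    """Resources whose type the page says customers must acknowledge before deploying."""
    return sorted(f"{name}: {ACK_RESOURCE_TYPES[res.get('Type')]}"
                  for name, res in template.get("Resources", {}).items()
                  if res.get("Type") in ACK_RESOURCE_TYPES)


# Constructed sample: both patterns the repository rejects.
REJECTED_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "ApiFunction": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
            "Policies": [
                "AWSLambda_FullAccess",
                {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["iam:PutRolePolicy", "iam:AttachRolePolicy"]}]},
            ]}},
        "DeployerRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                        "Principal": {"Service": "lambda.amazonaws.com"}}]},
            "Policies": [{"PolicyName": "iam-admin", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": ["*"]}]}}]}},
    },
}

# Constructed sample: the same application with least-privilege permissions.
CORRECTED_TEMPLATE = {
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "ApiFunction": {"Type": "AWS::Serverless::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
            "Policies": [
                {"LambdaInvokePolicy": {"FunctionName": "my-app-worker"}},  # SAM policy template, one function
                {"Statement": [{"Effect": "Allow", "Action": "iam:PassRole",  # scoped to this app's roles
                                "Resource": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/my-app-*"}}]},
            ]}},
        "Workflow": {"Type": "AWS::Serverless::Application",
                     "Properties": {"Location": "PLACEHOLDER-nested-app-template.yaml"}},
    },
}

if __name__ == "__main__":
    for label, tpl in (("rejected", REJECTED_TEMPLATE), ("corrected", CORRECTED_TEMPLATE)):
        print(label, "blocked:", find_blocked_iam_patterns(tpl))
        print(label, "needs acknowledgment:", find_acknowledgment_triggers(tpl))
```

Run against the constructed rejected template the check reports the managed policy on `ApiFunction`, the two `iam:*RolePolicy` actions on `Resource "*"` in its inline policy, and `iam:*` on `"*"` in the role's inline policy; the corrected template yields no blocked patterns, only the nested-application acknowledgment.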

Policy Templates

AWS SAM provides a list of policy templates that scope the permissions of your Lambda functions to the resources your application actually uses. Using policy templates doesn't require any additional customer acknowledgment to search, browse, or deploy the application.

For the list of standard AWS SAM policy templates, see AWS SAM Policy Templates in the AWS Serverless Application Model Developer Guide.