

# Using AWS SAM with the AWS Serverless Application Repository
<a name="using-aws-sam"></a>

The AWS Serverless Application Model (AWS SAM) is an open-source framework that you can use to build [serverless applications](https://aws.amazon.com/serverless/) on AWS. For more information about using AWS SAM to build your serverless application, see the [AWS Serverless Application Model Developer Guide](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/).

When building applications that will be published to the AWS Serverless Application Repository, you must consider the set of supported AWS Resources and Policy Templates available to use. The sections below describe these topics in more detail.

## Supported AWS Resources in the AWS Serverless Application Repository
<a name="supported-resources-for-serverlessrepo"></a>

The AWS Serverless Application Repository supports serverless applications that are composed of many AWS SAM and CloudFormation resources. To see the complete list of AWS resources that are supported by AWS Serverless Application Repository, see [List of Supported AWS Resources](list-supported-resources.md).

If you want to request support for an additional AWS resource, contact [AWS Support](https://console.aws.amazon.com/support/home#/).

**Important**  
AWS Serverless Application Repository blocks publication of applications that include the following overly broad IAM permission patterns, which do not follow the principle of least privilege:  
+ Attaching the `AWSLambda_FullAccess` managed policy to Lambda functions
+ Granting `iam:AttachRolePolicy`, `iam:PutRolePolicy`, or `iam:*` on all resources (`*`) in inline IAM policies

To publish your application, replace `AWSLambda_FullAccess` with only the specific Lambda permissions your application requires, and scope `iam:AttachRolePolicy`, `iam:PutRolePolicy`, and `iam:PassRole` to specific resource ARNs rather than all resources. For guidance, see [IAM security best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html).

**Important**  
If your application template contains one of the following custom IAM roles or resource policies, your application doesn't show up in search results by default. Also, customers need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information, see [Acknowledging Application Capabilities](acknowledging-application-capabilities.md).  
The list of resources that this applies to are:  
**IAM roles:** [AWS::IAM::Group](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html), [AWS::IAM::InstanceProfile](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html), [AWS::IAM::Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html), and [AWS::IAM::Role](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html).  
**Resource policies:** [AWS::Lambda::LayerVersionPermission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-layerversionpermission.html), [AWS::Lambda::Permission](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html), [AWS::Events::EventBusPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbuspolicy.html), [AWS::IAM::Policy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html), [AWS::ApplicationAutoScaling::ScalingPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalingpolicy.html), [AWS::S3::BucketPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html), [AWS::SQS::QueuePolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html), and [AWS::SNS::TopicPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html).
If your application contains the [AWS::Serverless::Application](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-template.html#serverless-sam-template-application) resource, customers need to acknowledge that the application contains a **nested application** before they can deploy the application. For more information about nested applications, see [Nested Applications](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-template-nested-applications.html) in the *AWS Serverless Application Model Developer Guide*. For more information about acknowledging capabilities, see [Acknowledging Application Capabilities](acknowledging-application-capabilities.md).

## Policy Templates
<a name="policy-templates-for-serverlessrepo"></a>

AWS SAM provides you with a list of policy templates that scope the permissions of your Lambda functions to the resources that are used by your application. Using policy templates doesn't require additional customer acknowledgments to search, browse, or deploy the application.

For the list of standard AWS SAM policy templates, see [AWS SAM Policy Templates](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-templates.html) in the *[AWS Serverless Application Model Developer Guide](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/)*.
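A pre-publication check for the two rejected IAM patterns described in the first Important note above, which also shows that a SAM policy template (here `DynamoDBCrudPolicy`) and a scoped `iam:PassRole` statement pass. This is an added example, not AWS or SAM code; it inspects only the `Policies` property of `AWS::Serverless::Function` resources, takes an already-parsed template (the dict `yaml.safe_load` returns), and the template, function names, table name and role ARN below are constructed placeholders.

```python
# Added example (not AWS code): a pre-publication check for the two IAM
# patterns this page says the Serverless Application Repository rejects.
# Input is an already-parsed SAM template (the dict yaml.safe_load returns).
BLOCKED_MANAGED_POLICY = "AWSLambda_FullAccess"
BLOCKED_ACTIONS = {"iam:attachrolepolicy", "iam:putrolepolicy", "iam:*"}


def _as_list(value):
    """CloudFormation allows a scalar wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def _statement_is_broad(stmt):
    """True for an Allow statement granting a blocked iam action on '*'."""
    if stmt.get("Effect", "Allow") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & BLOCKED_ACTIONS) and "*" in _as_list(stmt.get("Resource", []))


def find_blocked_patterns(template):
    """Return (logical_id, reason) for every AWS::Serverless::Function whose
    Policies list would block publication; SAM policy templates pass."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for policy in _as_list(res.get("Properties", {}).get("Policies", [])):
            if isinstance(policy, str):  # managed policy name or ARN
                if policy.split("/")[-1] == BLOCKED_MANAGED_POLICY:
                    findings.append((logical_id, "managed policy " + BLOCKED_MANAGED_POLICY))
            elif isinstance(policy, dict) and "Statement" in policy:  # inline document
                for stmt in _as_list(policy["Statement"]):
                    if _statement_is_broad(stmt):
                        findings.append((logical_id, "blocked iam action on Resource '*'"))
    return findings


# Constructed sample: one function with both rejected patterns, one that uses a
# SAM policy template plus iam:PassRole scoped to a single (placeholder) role ARN.
SAMPLE_TEMPLATE = {"Resources": {
    "TooBroad": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        "AWSLambda_FullAccess",
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["iam:PutRolePolicy", "iam:AttachRolePolicy"], "Resource": "*"}]}]}},
    "Scoped": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"DynamoDBCrudPolicy": {"TableName": {"Ref": "OrdersTable"}}},
        {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/OrdersWorkerRole"}]}]}},
}}

if __name__ == "__main__":
    for logical_id, reason in find_blocked_patterns(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run it against `sam build`'s output template before publishing; only `TooBroad` is reported, and each finding names the pattern to replace.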

# List of Supported AWS Resources
<a name="list-supported-resources"></a>

This is the complete list of AWS resources that are supported by the AWS Serverless Application Repository.
+ `AWS::AccessAnalyzer::Analyzer`
+ `AWS::AmazonMQ::Broker`
+ `AWS::AmazonMQ::Configuration`
+ `AWS::AmazonMQ::ConfigurationAssociation`
+ `AWS::ApiGateway::Account`
+ `AWS::ApiGateway::ApiKey`
+ `AWS::ApiGateway::Authorizer`
+ `AWS::ApiGateway::BasePathMapping`
+ `AWS::ApiGateway::ClientCertificate`
+ `AWS::ApiGateway::Deployment`
+ `AWS::ApiGateway::DocumentationPart`
+ `AWS::ApiGateway::DocumentationVersion`
+ `AWS::ApiGateway::DomainName`
+ `AWS::ApiGateway::GatewayResponse`
+ `AWS::ApiGateway::Method`
+ `AWS::ApiGateway::Model`
+ `AWS::ApiGateway::RequestValidator`
+ `AWS::ApiGateway::Resource`
+ `AWS::ApiGateway::RestApi`
+ `AWS::ApiGateway::Stage`
+ `AWS::ApiGateway::UsagePlan`
+ `AWS::ApiGateway::UsagePlanKey`
+ `AWS::ApiGateway::VpcLink`
+ `AWS::ApiGatewayV2::Api`
+ `AWS::ApiGatewayV2::ApiMapping`
+ `AWS::ApiGatewayV2::Authorizer`
+ `AWS::ApiGatewayV2::DomainName`
+ `AWS::ApiGatewayV2::Deployment`
+ `AWS::ApiGatewayV2::Integration`
+ `AWS::ApiGatewayV2::IntegrationResponse`
+ `AWS::ApiGatewayV2::Model`
+ `AWS::ApiGatewayV2::Route`
+ `AWS::ApiGatewayV2::RouteResponse`
+ `AWS::ApiGatewayV2::Stage`
+ `AWS::AppSync::ApiKey`
+ `AWS::AppSync::DataSource`
+ `AWS::AppSync::GraphQLApi`
+ `AWS::AppSync::GraphQLSchema`
+ `AWS::AppSync::Resolver`
+ `AWS::ApplicationAutoScaling::AutoScalingGroup`
+ `AWS::ApplicationAutoScaling::LaunchConfiguration`
+ `AWS::ApplicationAutoScaling::ScalableTarget`
+ `AWS::ApplicationAutoScaling::ScalingPolicy`
+ `AWS::Athena::NamedQuery`
+ `AWS::Athena::WorkGroup`
+ `AWS::CertificateManager::Certificate`
+ `AWS::Chatbot::SlackChannelConfiguration`
+ `AWS::CloudFormation::CustomResource`
+ `AWS::CloudFormation::Interface`
+ `AWS::CloudFormation::Macro`
+ `AWS::CloudFormation::WaitConditionHandle`
+ `AWS::CloudFront::CachePolicy`
+ `AWS::CloudFront::CloudFrontOriginAccessIdentity`
+ `AWS::CloudFront::Distribution`
+ `AWS::CloudFront::Function`
+ `AWS::CloudFront::OriginRequestPolicy`
+ `AWS::CloudFront::ResponseHeadersPolicy`
+ `AWS::CloudFront::StreamingDistribution`
+ `AWS::CloudTrail::Trail`
+ `AWS::CloudWatch::Alarm`
+ `AWS::CloudWatch::AnomalyDetector`
+ `AWS::CloudWatch::Dashboard`
+ `AWS::CloudWatch::InsightRule`
+ `AWS::CodeBuild::Project`
+ `AWS::CodeCommit::Repository`
+ `AWS::CodePipeline::CustomActionType`
+ `AWS::CodePipeline::Pipeline`
+ `AWS::CodePipeline::Webhook`
+ `AWS::CodeStar::GitHubRepository`
+ `AWS::CodeStarNotifications::NotificationRule`
+ `AWS::Cognito::IdentityPool`
+ `AWS::Cognito::IdentityPoolRoleAttachment`
+ `AWS::Cognito::UserPool`
+ `AWS::Cognito::UserPoolClient`
+ `AWS::Cognito::UserPoolDomain`
+ `AWS::Cognito::UserPoolGroup`
+ `AWS::Cognito::UserPoolResourceServer`
+ `AWS::Cognito::UserPoolUser`
+ `AWS::Cognito::UserPoolUserToGroupAttachment`
+ `AWS::Config::AggregationAuthorization`
+ `AWS::Config::ConfigRule`
+ `AWS::Config::ConfigurationAggregator`
+ `AWS::Config::ConfigurationRecorder`
+ `AWS::Config::DeliveryChannel`
+ `AWS::Config::RemediationConfiguration`
+ `AWS::DataPipeline::Pipeline`
+ `AWS::DynamoDB::Table`
+ `AWS::EC2::EIP`
+ `AWS::EC2::InternetGateway`
+ `AWS::EC2::NatGateway`
+ `AWS::EC2::Route`
+ `AWS::EC2::RouteTable`
+ `AWS::EC2::SecurityGroup`
+ `AWS::EC2::SecurityGroupEgress`
+ `AWS::EC2::SecurityGroupIngress`
+ `AWS::EC2::Subnet`
+ `AWS::EC2::SubnetRouteTableAssociation`
+ `AWS::EC2::VPC`
+ `AWS::EC2::VPCGatewayAttachment`
+ `AWS::EC2::VPCPeeringConnection`
+ `AWS::ECR::Repository`
+ `AWS::Elasticsearch::Domain`
+ `AWS::Events::EventBus`
+ `AWS::Events::EventBusPolicy`
+ `AWS::Events::Rule`
+ `AWS::EventSchemas::Discoverer`
+ `AWS::EventSchemas::Registry`
+ `AWS::EventSchemas::Schema`
+ `AWS::Glue::Classifier`
+ `AWS::Glue::Connection`
+ `AWS::Glue::Crawler`
+ `AWS::Glue::Database`
+ `AWS::Glue::DevEndpoint`
+ `AWS::Glue::Job`
+ `AWS::Glue::Partition`
+ `AWS::Glue::SecurityConfiguration`
+ `AWS::Glue::Table`
+ `AWS::Glue::Trigger`
+ `AWS::Glue::Workflow`
+ `AWS::IAM::Group`
+ `AWS::IAM::InstanceProfile`
+ `AWS::IAM::ManagedPolicy`
+ `AWS::IAM::OIDCProvider`
+ `AWS::IAM::Policy`
+ `AWS::IAM::Role`
+ `AWS::IAM::ServiceLinkedRole`
+ `AWS::IoT::Certificate`
+ `AWS::IoT::Policy`
+ `AWS::IoT::PolicyPrincipalAttachment`
+ `AWS::IoT::Thing`
+ `AWS::IoT::ThingPrincipalAttachment`
+ `AWS::IoT::TopicRule`
+ `AWS::KMS::Alias`
+ `AWS::KMS::Key`
+ `AWS::Kinesis::Stream`
+ `AWS::Kinesis::StreamConsumer`
+ `AWS::Kinesis::Streams`
+ `AWS::KinesisAnalytics::Application`
+ `AWS::KinesisAnalytics::ApplicationOutput`
+ `AWS::KinesisFirehose::DeliveryStream`
+ `AWS::Lambda::Alias`
+ `AWS::Lambda::EventInvokeConfig`
+ `AWS::Lambda::EventSourceMapping`
+ `AWS::Lambda::Function`
+ `AWS::Lambda::LayerVersion`
+ `AWS::Lambda::LayerVersionPermission`
+ `AWS::Lambda::Permission`
+ `AWS::Lambda::Version`
+ `AWS::Location::GeofenceCollection`
+ `AWS::Location::Map`
+ `AWS::Location::PlaceIndex`
+ `AWS::Location::RouteCalculator`
+ `AWS::Location::Tracker`
+ `AWS::Location::TrackerConsumer`
+ `AWS::Logs::Destination`
+ `AWS::Logs::LogGroup`
+ `AWS::Logs::LogStream`
+ `AWS::Logs::MetricFilter`
+ `AWS::Logs::SubscriptionFilter`
+ `AWS::Route53::HealthCheck`
+ `AWS::Route53::HostedZone`
+ `AWS::Route53::RecordSet`
+ `AWS::Route53::RecordSetGroup`
+ `AWS::S3::Bucket`
+ `AWS::S3::BucketPolicy`
+ `AWS::SNS::Subscription`
+ `AWS::SNS::Topic`
+ `AWS::SNS::TopicPolicy`
+ `AWS::SQS::Queue`
+ `AWS::SQS::QueuePolicy`
+ `AWS::SSM::Association`
+ `AWS::SSM::Document`
+ `AWS::SSM::MaintenanceWindowTask`
+ `AWS::SSM::Parameter`
+ `AWS::SSM::PatchBaseline`
+ `AWS::SSM::ResourceDataSync`
+ `AWS::SecretsManager::ResourcePolicy`
+ `AWS::SecretsManager::RotationSchedule`
+ `AWS::SecretsManager::Secret`
+ `AWS::SecretsManager::SecretTargetAttachment`
+ `AWS::Serverless::Api`
+ `AWS::Serverless::Application`
+ `AWS::Serverless::Function`
+ `AWS::Serverless::HttpApi`
+ `AWS::Serverless::LayerVersion`
+ `AWS::Serverless::SimpleTable`
+ `AWS::Serverless::StateMachine`
+ `AWS::ServiceCatalog::CloudFormationProvisionedProduct`
+ `AWS::ServiceDiscovery::HttpNamespace`
+ `AWS::ServiceDiscovery::Instance`
+ `AWS::ServiceDiscovery::PrivateDnsNamespace`
+ `AWS::ServiceDiscovery::PublicDnsNamespace`
+ `AWS::ServiceDiscovery::Service`
+ `AWS::SES::ReceiptRule`
+ `AWS::SES::ReceiptRuleSet`
+ `AWS::StepFunctions::Activity`
+ `AWS::StepFunctions::StateMachine`
+ `AWS::Wisdom::Assistant`
+ `AWS::Wisdom::AssistantAssociation`
+ `AWS::Wisdom::KnowledgeBase`