AWS Serverless Application Model
Developer Guide

AWS SAM Policy Templates

AWS SAM allows you to choose from a list of policy templates to scope the permissions of your Lambda functions to the resources that are used by your application.

AWS SAM applications in the AWS Serverless Application Repository that use policy templates don't require any special customer acknowledgments to deploy the application from the AWS Serverless Application Repository.

If you want to request a new policy template to be added, do the following:

  1. Submit a pull request against the policy_templates.json source file in the develop branch of the AWS SAM GitHub project. You can find the source file in policy_templates.json on the GitHub website.

  2. Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues.

Examples

There are two AWS SAM template examples in this section: one with a policy template that includes placeholder values, and one that doesn't include placeholder values.

Example 1: Policy Template with Placeholder Values

The following example shows that the SQSPollerPolicy policy template expects a QueueName as a resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue, which you can create in the same application or request as a parameter to the application.

  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: ${codeuri}
      Handler: hello.handler
      Runtime: python2.7
      Policies:
        - SQSPollerPolicy:
            QueueName: !GetAtt MyQueue.QueueName

Example 2: Policy Template with No Placeholder Values

The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values.

  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: ${codeuri}
      Handler: hello.handler
      Runtime: python2.7
      Policies:
        - CloudWatchPutMetricPolicy: {}
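The following complete template, added here as an illustration and not taken from the guide, puts both examples together: one function fills the SQSPollerPolicy placeholder from a queue created in the same stack and also attaches the placeholder-free CloudWatchPutMetricPolicy, while a second function fills the same placeholder from a stack parameter. The parameter name ExistingQueueName, the resource names QueueConsumer and ExternalQueueConsumer, the CodeUri ./src and the runtime python3.9 are assumptions for this example.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: Functions scoped with policy templates (added example, not from the guide)

Parameters:
  # Name of a queue that already exists outside this stack (assumed parameter name)
  ExistingQueueName:
    Type: String

Resources:
  # Queue created in the same application; its name feeds the placeholder below
  MyQueue:
    Type: AWS::SQS::Queue

  # Placeholder value taken from a resource in this template (as in Example 1)
  QueueConsumer:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src            # assumed code location
      Handler: hello.handler
      Runtime: python3.9        # assumed runtime
      Policies:
        - SQSPollerPolicy:
            QueueName: !GetAtt MyQueue.QueueName
        # No placeholders: the template takes an empty map (as in Example 2)
        - CloudWatchPutMetricPolicy: {}

  # Placeholder value supplied by a parameter instead of a resource in the stack
  ExternalQueueConsumer:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: ./src
      Handler: hello.handler
      Runtime: python3.9
      Policies:
        - SQSPollerPolicy:
            QueueName: !Ref ExistingQueueName
```

Because both functions rely only on policy templates, each execution role is scoped to the single named queue rather than to every queue in the account, and the application can be deployed from the AWS Serverless Application Repository without the acknowledgment mentioned above.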

Policy Template Table

The following is a table of the available policy templates.

Policy template | Description
--- | ---
SQSPollerPolicy | Gives permission to poll an Amazon SQS queue.
LambdaInvokePolicy | Gives permission to invoke a Lambda function, alias, or version.
CloudWatchPutMetricPolicy | Gives permission to put metrics to CloudWatch.
EC2DescribePolicy | Gives permission to describe Amazon EC2 instances.
DynamoDBCrudPolicy | Gives create, read, update, and delete permissions to a DynamoDB table.
DynamoDBReadPolicy | Gives read-only permission to a DynamoDB table.
DynamoDBReconfigurePolicy | Gives permission to reconfigure a DynamoDB table.
SESSendBouncePolicy | Gives SendBounce permission to an Amazon SES identity.
ElasticsearchHttpPostPolicy | Gives POST permission to Amazon Elasticsearch Service.
S3ReadPolicy | Gives read-only permission to objects in an Amazon S3 bucket.
S3CrudPolicy | Gives create, read, update, and delete permission to objects in an Amazon S3 bucket.
AMIDescribePolicy | Gives permission to describe Amazon Machine Images (AMIs).
CloudFormationDescribeStacksPolicy | Gives permission to describe AWS CloudFormation stacks.
RekognitionDetectOnlyPolicy | Gives permission to detect faces, labels, and text.
RekognitionNoDataAccessPolicy | Gives permission to compare and detect faces and labels.
RekognitionReadPolicy | Gives permission to list and search faces.
RekognitionWriteOnlyAccessPolicy | Gives permission to create collections and index faces.
SQSSendMessagePolicy | Gives permission to send messages to an Amazon SQS queue.
SNSPublishMessagePolicy | Gives permission to publish a message to an Amazon SNS topic.
VPCAccessPolicy | Gives access to create, delete, describe, and detach elastic network interfaces.
DynamoDBStreamReadPolicy | Gives permission to describe and read DynamoDB streams and records.
KinesisStreamReadPolicy | Gives permission to list and read an Amazon Kinesis stream.
SESCrudPolicy | Gives permission to send email and verify identity.
SNSCrudPolicy | Gives permission to create, publish, and subscribe to Amazon SNS topics.
KinesisCrudPolicy | Gives permission to create, publish, and delete an Amazon Kinesis stream.
KMSDecryptPolicy | Gives permission to decrypt with an AWS KMS key.
PollyFullAccessPolicy | Gives full access permission to Amazon Polly lexicon resources.
S3FullAccessPolicy | Gives full access permission to objects in an Amazon S3 bucket.
CodePipelineLambdaExecutionPolicy | Gives permission for a Lambda function invoked by CodePipeline to report the status of the job.
ServerlessRepoReadWriteAccessPolicy | Gives permission to create and list applications in the AWS Serverless Application Repository service.
EC2CopyImagePolicy | Gives permission to copy Amazon EC2 images.
AWSSecretsManagerRotationPolicy | Gives permission to rotate a secret in AWS Secrets Manager.
AWSSecretsManagerGetSecretValuePolicy | Gives permission to GetSecretValue for the specified AWS Secrets Manager secret.
CodePipelineReadOnlyPolicy | Gives read permission to get details about a CodePipeline pipeline.
CloudWatchDashboardPolicy | Gives permission to put metrics and to operate on CloudWatch dashboards.
RekognitionFacesManagementPolicy | Gives permission to add, delete, and search faces in a collection.
RekognitionFacesPolicy | Gives permission to compare and detect faces and labels.
RekognitionLabelsPolicy | Gives permission to detect object and moderation labels.
DynamoDBBackupFullAccessPolicy | Gives read and write permission to DynamoDB on-demand backups for a table.
DynamoDBRestoreFromBackupPolicy | Gives permission to restore a DynamoDB table from backup.
ComprehendBasicAccessPolicy | Gives permission for detecting entities, key phrases, languages, and sentiments.
MobileAnalyticsWriteOnlyAccessPolicy | Gives write-only permission to put event data for all application resources.
PinpointEndpointAccessPolicy | Gives permission to get and update endpoints for an Amazon Pinpoint application.
FirehoseWritePolicy | Gives permission to write to a Kinesis Data Firehose delivery stream.
FirehoseCrudPolicy | Gives permission to create, write, update, and delete a Kinesis Data Firehose delivery stream.
EKSDescribePolicy | Gives permission to describe or list Amazon EKS clusters.
CostExplorerReadOnlyPolicy | Gives read-only permission to the Cost Explorer APIs for billing history.
OrganizationsListAccountsPolicy | Gives read-only permission to list child account names and IDs.
SESBulkTemplatedCrudPolicy | Gives permission to send email, templated email, and templated bulk email, and to verify identity.
SESEmailTemplateCrudPolicy | Gives permission to create, get, list, update, and delete Amazon SES email templates.
FilterLogEventsPolicy | Gives permission to filter log events from a specified log group.
SSMParameterReadPolicy | Gives permission to access a parameter to load secrets in this account.
StepFunctionsExecutionPolicy | Gives permission to access a parameter to load secrets in this account.
CodeCommitCrudPolicy | Gives permission to create, read, update, and delete objects within a specific CodeCommit repository.
CodeCommitReadPolicy | Gives permission to read objects within a specific CodeCommit repository.