AWS SAM Policy Templates

AWS SAM allows you to choose from a list of policy templates to scope the permissions of your Lambda functions to the resources that are used by your application.

AWS SAM applications in the AWS Serverless Application Repository that use policy templates don't require any special customer acknowledgments to deploy the application from the AWS Serverless Application Repository.

If you want to request a new policy template to be added, do the following:

Submit a pull request against the policy_templates.json source file in the develop branch of the AWS SAM GitHub project. You can find the source file in policy_templates.json on the GitHub website.
Submit an issue in the AWS SAM GitHub project that includes the reasons for your pull request and a link to the request. Use this link to submit a new issue: AWS Serverless Application Model: Issues.

Examples

There are two AWS SAM template examples in this section: one with a policy template that includes placeholder values, and one that doesn't include placeholder values.

Example 1: Policy Template with Placeholder Values

The following example shows that the SQSPollerPolicy policy template expects a QueueName as a resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue, which you can create in the same application or requested as a parameter to the application.


MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            !GetAtt MyQueue.QueueName

Example 2: Policy Template with No Placeholder Values

The following example contains the CloudWatchPutMetricPolicy policy template, which has no placeholder values.


MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - CloudWatchPutMetricPolicy: {}

Policy Template Table

The following is a table of the available policy templates.

Policy Template	Description
SQSPollerPolicy	Gives permission to poll an Amazon SQS Queue.
LambdaInvokePolicy	Gives permission to invoke a Lambda function, alias, or version.
CloudWatchDescribeAlarmHistoryPolicy	Gives permission to describe CloudWatch alarm history.
CloudWatchPutMetricPolicy	Gives permission to put metrics to CloudWatch.
EC2DescribePolicy	Gives permission to describe Amazon EC2 instances.
DynamoDBCrudPolicy	Gives create, read, update, and delete permissions to a DynamoDB table.
DynamoDBReadPolicy	Gives read-only permission to a DynamoDB table.
DynamoDBWritePolicy	Gives write-only permission to a DynamoDB table.
DynamoDBReconfigurePolicy	Gives permission to reconfigure a DynamoDB table.
SESSendBouncePolicy	Gives SendBounce permission to an Amazon SES identity.
ElasticsearchHttpPostPolicy	Gives POST permission to Amazon Elasticsearch Service.
S3ReadPolicy	Gives read-only permission to objects in an Amazon S3 bucket.
S3WritePolicy	Gives write permission to objects in an Amazon S3 bucket.
S3CrudPolicy	Gives create, read, update, and delete permission to objects in an Amazon S3 bucket.
AMIDescribePolicy	Gives permission to describe Amazon Machine Images (AMIs).
CloudFormationDescribeStacksPolicy	Gives permission to describe AWS CloudFormation stacks.
RekognitionDetectOnlyPolicy	Gives permission to detect faces, labels, and text.
RekognitionNoDataAccessPolicy	Gives permission to compare and detect faces and labels.
RekognitionReadPolicy	Gives permission to list and search faces.
RekognitionWriteOnlyAccessPolicy	Gives permission to create collection and index faces.
SQSSendMessagePolicy	Gives permission to send message to an Amazon SQS queue.
SNSPublishMessagePolicy	Gives permission to publish a message to an Amazon SNS topic.
VPCAccessPolicy	Gives access to create, delete, describe, and detach Elastic Network Interfaces.
DynamoDBStreamReadPolicy	Gives permission to describe and read DynamoDB streams and records.
KinesisStreamReadPolicy	Gives permission to list and read an Amazon Kinesis stream.
SESCrudPolicy	Gives permission to send email and verify identity.
SNSCrudPolicy	Gives permission to create, publish, and subscribe to Amazon SNS topics.
KinesisCrudPolicy	Gives permission to create, publish, and delete an Amazon Kinesis stream.
KMSDecryptPolicy	Gives permission to decrypt with an AWS KMS key.
KMSEncryptPolicy	Gives permission to encrypt with an AWS KMS key.
PollyFullAccessPolicy	Gives full access permission to Amazon Polly lexicon resources.
S3FullAccessPolicy	Gives full access permission to objects in an Amazon S3 bucket.
CodePipelineLambdaExecutionPolicy	Gives permission for a Lambda function invoked by CodePipeline to report the status of the job.
ServerlessRepoReadWriteAccessPolicy	Gives permission to create and list applications in the AWS Serverless Application Repository service.
EC2CopyImagePolicy	Gives permission to copy Amazon EC2 images.
AWSSecretsManagerRotationPolicy	Gives permission to rotate a secret in AWS Secrets Manager.
AWSSecretsManagerGetSecretValuePolicy	Gives permission to GetSecretValue for the specified AWS Secrets Manager secret.
CodePipelineReadOnlyPolicy	Gives read permission to get details about a CodePipeline pipeline.
CloudWatchDashboardPolicy	Gives permissions to put metrics to operate on CloudWatch dashboards.
RekognitionFacesManagementPolicy	Gives permission to add, delete, and search faces in a collection.
RekognitionFacesPolicy	Gives permission to compare and detect faces and labels.
RekognitionLabelsPolicy	Gives permission to detect object and moderation labels.
DynamoDBBackupFullAccessPolicy	Gives read and write permission to DynamoDB on-demand backups for a table.
DynamoDBRestoreFromBackupPolicy	Gives permission to restore a DynamoDB table from backup.
ComprehendBasicAccessPolicy	Gives permission for detecting entities, key phrases, languages, and sentiments.
MobileAnalyticsWriteOnlyAccessPolicy	Gives write-only permission to put event data for all application resources.
PinpointEndpointAccessPolicy	Gives permission to get and update endpoints for an Amazon Pinpoint application.
FirehoseWritePolicy	Gives permission to write to a Kinesis Data Firehose delivery stream.
FirehoseCrudPolicy	Gives permission to create, write, update, and delete a Kinesis Data Firehose delivery stream.
EKSDescribePolicy	Gives permission to describe or list Amazon EKS clusters.
CostExplorerReadOnlyPolicy	Gives read-only permission to the read-only Cost Explorer APIs for billing history.
OrganizationsListAccountsPolicy	Gives read-only permission to list child account names and IDs.
SESBulkTemplatedCrudPolicy	Gives permission to send email, templated email, templated bulk emails and verify identity.
SESEmailTemplateCrudPolicy	Gives permission to create, get, list, update and delete Amazon SES email templates.
FilterLogEventsPolicy	Gives permission to filter log events from a specified log group.
SSMParameterReadPolicy	Gives permission to access a parameter to load secrets in this account.
StepFunctionsExecutionPolicy	Gives permission to start a Step Functions state machine execution.
CodeCommitCrudPolicy	Gives permissions to create/read/update/delete objects within a specific CodeCommit repository.
CodeCommitReadPolicy	Gives permissions to read objects within a specific CodeCommit repository.
AthenaQueryPolicy	Gives permissions to execute Athena queries.
TextractPolicy	Gives full access to Amazon Textract.
TextractDetectAnalyzePolicy	Gives access to detect and analyze documents with Amazon Textract.
TextractGetResultPolicy	Gives access to get detected and analyzed documents from Amazon Textract.
EventBridgePutEventsPolicy	Gives permissions to send events to EventBridge.

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS SAM CLI Config

Policy Template List