Managing resource access and permissions - Amazon Serverless Application Model
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing resource access and permissions

For your Amazon resources to interact with one another, the proper access and permissions must be configured between them. This means configuring Amazon Identity and Access Management (IAM) users, roles, and policies so that the interaction happens securely. To learn more, see Controlling access with Amazon Identity and Access Management in the Amazon CloudFormation User Guide.

The Amazon Serverless Application Model (Amazon SAM) provides two options that simplify management of access and permissions for your serverless applications.

  1. Amazon SAM connectors

  2. Amazon SAM policy templates

Amazon SAM connectors

Connectors are a way of provisioning permissions between two resources. You do this by describing how they should interact with each other in your Amazon SAM template. They can be defined using either the Connectors resource attribute or AWS::Serverless::Connector resource type. Connectors support the provisioning of Read and Write access of data and events between a combination of Amazon resources. To learn more about Amazon SAM connectors, see Managing resource permissions with Amazon SAM connectors.

Amazon SAM policy templates

Amazon SAM policy templates are pre-defined sets of permissions that you can add to your Amazon SAM templates to manage access and permissions between your Amazon Lambda functions, Amazon Step Functions state machines and the resources they interact with. To learn more about Amazon SAM policy templates, see Amazon SAM policy templates.
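The two options above side by side in one template, as an added example that is not taken from this page: one DynamoDB table granted to three Lambda functions, first with the Connectors resource attribute, then with a standalone AWS::Serverless::Connector resource, then with the DynamoDBCrudPolicy policy template. The table name OrdersTable, the function names and the Runtime/Handler/CodeUri values are assumed for illustration.

```yaml
Transform: AWS::Serverless-2016-10-31
Resources:
  OrdersTable:                                   # assumed table name
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions: [{ AttributeName: id, AttributeType: S }]
      KeySchema: [{ AttributeName: id, KeyType: HASH }]

  # Connectors attribute on the source: SAM generates an IAM policy
  # scoped to OrdersTable and attaches it to this function's role.
  WriterFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: writer/
    Connectors:
      WriterToOrders:
        Properties:
          Destination:
            Id: OrdersTable
          Permissions: [Read, Write]

  # The same kind of grant, read-only, as a standalone connector resource.
  ReaderFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: reader/
  ReaderToOrders:
    Type: AWS::Serverless::Connector
    Properties:
      Source:
        Id: ReaderFunction
      Destination:
        Id: OrdersTable
      Permissions: [Read]

  # Policy template: pre-defined CRUD permissions scoped to the named table.
  AdminFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: admin/
      Policies:
        - DynamoDBCrudPolicy:
            TableName: !Ref OrdersTable
```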

Amazon CloudFormation mechanisms

Amazon CloudFormation mechanisms include the configuring of IAM users, roles, and policies to manage permissions between your Amazon resources. To learn more, see Managing permissions with Amazon CloudFormation mechanisms.

Best practices

Throughout your serverless applications, you can use multiple methods to configure permissions between your resources. Therefore, you can select the best option for each scenario and use multiple options together throughout your applications. Here are a few things to consider when choosing the best option for you:

  • Amazon SAM connectors and policy templates both reduce the IAM expertise required to facilitate secure interactions between your Amazon resources. Use connectors and policy templates when supported.

  • Amazon SAM connectors provide a simple and intuitive short-hand syntax to define permissions in your Amazon SAM templates and require the least amount of IAM expertise. When both Amazon SAM connectors and policy templates are supported, use Amazon SAM connectors.

  • Amazon SAM connectors can provision Read and Write access of data and events between supported Amazon SAM source and destination resources. For a list of supported resources, see Amazon SAM connector reference. When supported, use Amazon SAM connectors.

  • While Amazon SAM policy templates are limited to permissions between your Lambda functions, Step Functions state machines and the Amazon resources they interact with, policy templates do support all CRUD operations. When supported, and when an Amazon SAM policy template for your scenario is available, use Amazon SAM policy templates. For a list of available policy templates, see Amazon SAM policy templates.

  • For all other scenarios, or when granularity is required, use Amazon CloudFormation mechanisms.