Application Capabilities: IAM Roles, Resource Policies, and Nested Applications - Amazon Serverless Application Repository

Application Capabilities: IAM Roles, Resource Policies, and Nested Applications

Before you can deploy an application, the Amazon Serverless Application Repository checks the application's template for the IAM roles, Amazon resource policies, and nested applications that it would create. IAM resources can be powerful: an IAM role with full access, for example, can modify any resource in your Amazon account. Review the permissions the application requests before you proceed, so that you don't unintentionally create resources with escalated permissions. To confirm that you have done so, you must acknowledge that the application contains these capabilities before the Amazon Serverless Application Repository can deploy it on your behalf.

Applications can contain any of the following four capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_RESOURCE_POLICY, and CAPABILITY_AUTO_EXPAND.

The following resources require you to specify CAPABILITY_IAM or CAPABILITY_NAMED_IAM: AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, and AWS::IAM::Role. If the application contains IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. For an example of how to specify capabilities, see Finding and Acknowledging Application Capabilities (Amazon CLI).

The following resources require you to specify CAPABILITY_RESOURCE_POLICY: AWS::Lambda::LayerVersionPermission, AWS::Lambda::Permission, AWS::Events::EventBusPolicy, AWS::IAM::Policy, AWS::ApplicationAutoScaling::ScalingPolicy, AWS::S3::BucketPolicy, AWS::SQS::QueuePolicy, and AWS::SNS::TopicPolicy.

Applications that contain one or more nested applications require you to specify CAPABILITY_AUTO_EXPAND. For more information about nested applications, see Nested Applications in the Amazon Serverless Application Model Developer Guide.
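As an added example (not code from the Serverless Application Repository or its documentation), the following Python applies the four rules above to a template that has been parsed as JSON: it reports which capabilities the template would require and which logical resources trigger them, and it flags IAM resources whose inline policies allow wildcard actions, which is the "full access" case the text warns about and the first thing to read before acknowledging. It assumes that a nested application is declared as an AWS::Serverless::Application resource and that RoleName, GroupName and InstanceProfileName are the properties that make an IAM resource custom-named. The sample template is constructed for illustration.

```python
"""Predict which capabilities a template will make the Serverless Application
Repository ask you to acknowledge, by applying the resource-type rules above.

Added example, not code from the Serverless Application Repository
documentation. The template is handled as parsed JSON (convert YAML first);
SAMPLE_TEMPLATE below is constructed for illustration."""
from __future__ import annotations

# Resource types that need CAPABILITY_IAM, or CAPABILITY_NAMED_IAM when the
# resource is given a custom name.
IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::InstanceProfile",
             "AWS::IAM::Policy", "AWS::IAM::Role"}
# Assumption: these properties fix a custom name on the IAM types above
# (an AWS::IAM::Policy's PolicyName is mandatory and does not count).
IAM_NAME_PROPERTIES = {"RoleName", "GroupName", "InstanceProfileName"}
# Resource types that need CAPABILITY_RESOURCE_POLICY.
RESOURCE_POLICY_TYPES = {
    "AWS::Lambda::LayerVersionPermission", "AWS::Lambda::Permission",
    "AWS::Events::EventBusPolicy", "AWS::ApplicationAutoScaling::ScalingPolicy",
    "AWS::S3::BucketPolicy", "AWS::SQS::QueuePolicy", "AWS::SNS::TopicPolicy",
}
# Assumption: a nested application is declared with this SAM resource type;
# it needs CAPABILITY_AUTO_EXPAND.
NESTED_APP_TYPE = "AWS::Serverless::Application"


def required_capabilities(template: dict) -> tuple[set[str], dict[str, str]]:
    """Return (capabilities, reasons). `reasons` maps each logical id that
    triggers a capability to the capability it triggers, for the reviewer."""
    caps: set[str] = set()
    reasons: dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        if rtype in IAM_TYPES:
            named = bool(IAM_NAME_PROPERTIES & set(props))
            cap = "CAPABILITY_NAMED_IAM" if named else "CAPABILITY_IAM"
        elif rtype in RESOURCE_POLICY_TYPES:
            cap = "CAPABILITY_RESOURCE_POLICY"
        elif rtype == NESTED_APP_TYPE:
            cap = "CAPABILITY_AUTO_EXPAND"
        else:
            continue
        caps.add(cap)
        reasons[logical_id] = cap
    if "CAPABILITY_NAMED_IAM" in caps:
        caps.discard("CAPABILITY_IAM")  # NAMED_IAM acknowledges plain IAM too
    return caps, reasons


def _as_list(value) -> list:
    """Policy fields may be a single string/object or a list of them."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _allows_wildcard_action(document: dict) -> bool:
    """True if any Allow statement grants "*" or "<service>:*"."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            return True
    return False


def overly_broad_iam(template: dict) -> list[str]:
    """Logical ids of IAM resources whose inline policy documents allow a
    wildcard action: review these before acknowledging CAPABILITY_IAM."""
    flagged: list[str] = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in IAM_TYPES:
            continue
        props = resource.get("Properties") or {}
        documents = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        if "PolicyDocument" in props:  # AWS::IAM::Policy carries one directly
            documents.append(props["PolicyDocument"])
        if any(_allows_wildcard_action(d) for d in documents):
            flagged.append(logical_id)
    return flagged


SAMPLE_TEMPLATE = {  # constructed for this example
    "Transform": "AWS::Serverless-2016-10-31",
    "Resources": {
        "WorkerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "sar-demo-worker",  # custom name -> CAPABILITY_NAMED_IAM
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                     "Action": "sts:AssumeRole"}]},
                "Policies": [{"PolicyName": "everything", "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}],
            },
        },
        "Queue": {"Type": "AWS::SQS::Queue"},
        "QueuePolicy": {"Type": "AWS::SQS::QueuePolicy",
                        "Properties": {"Queues": [{"Ref": "Queue"}], "PolicyDocument": {}}},
        "Backend": {"Type": "AWS::Serverless::Application", "Properties": {"Location": {
            "ApplicationId": "arn:aws:serverlessrepo:us-east-1:123456789012:applications/backend",
            "SemanticVersion": "1.0.0"}}},
    },
}

if __name__ == "__main__":
    caps, reasons = required_capabilities(SAMPLE_TEMPLATE)
    print("requires:", sorted(caps))
    print("triggered by:", reasons)
    print("wildcard IAM, review first:", overly_broad_iam(SAMPLE_TEMPLATE))
```

Run against a real template after converting it to JSON; a result that disagrees with the requiredCapabilities the repository later reports is itself worth investigating, since it means the template creates something the scan above does not model.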

Finding and Acknowledging Application Capabilities (Console)

You can find applications available in the Amazon Serverless Application Repository on the Amazon Serverless Application Repository website, or through the Lambda console (on the Create Function page under the Amazon Serverless Application Repository tab).

Applications that require acknowledgment of capabilities for creating custom IAM roles or resource policies aren't shown in search results by default. To search for applications that contain these capabilities, you must select the Show apps that create custom IAM roles or resource policies check box.

You can review the capabilities of an application under the Permissions tab when you select the application. To deploy the application, you need to select the I acknowledge this application creates custom IAM roles or resource policies check box. If you don’t acknowledge these capabilities, you see this error message: Acknowledgement required. To deploy, check the box in Configure application parameters section.

Viewing Application Capabilities (Amazon CLI)

To view an application's capabilities using the Amazon CLI, you first need the application's Amazon Resource Name (ARN). You can then execute the following command:

aws serverlessrepo get-application \
    --application-id application-arn

The requiredCapabilities response property contains the list of application capabilities that you need to acknowledge before you can deploy the application. Note that if the requiredCapabilities property is empty, the application has no required capabilities.
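The check a deployment pipeline would want at this point, as an added example (not code from the Serverless Application Repository or its documentation): parse the get-application output, compare requiredCapabilities with the set of capabilities the operator has actually reviewed and approved, and only then build the aws serverlessrepo create-cloud-formation-change-set command that passes exactly those capabilities in its --capabilities argument. The response below is constructed and trimmed to the fields used; the code assumes the property sits inside the response's version object, as it does in the GetApplication API, and falls back to the top level otherwise.

```python
"""Gate a deployment on the requiredCapabilities reported by
`aws serverlessrepo get-application` instead of acknowledging blindly.

Added example, not code from the Serverless Application Repository
documentation. SAMPLE_RESPONSE is a constructed, trimmed stand-in for the
command's JSON output."""
from __future__ import annotations

import json

KNOWN_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM",
                      "CAPABILITY_RESOURCE_POLICY", "CAPABILITY_AUTO_EXPAND"}

SAMPLE_RESPONSE = json.dumps({  # constructed for this example
    "applicationId": "arn:aws:serverlessrepo:us-east-1:123456789012:applications/example-app",
    "name": "example-app",
    "version": {
        "semanticVersion": "1.2.0",
        "requiredCapabilities": ["CAPABILITY_IAM", "CAPABILITY_RESOURCE_POLICY"],
        "resourcesSupported": True,
    },
})


def required_capabilities(response_json: str) -> list[str]:
    """Extract requiredCapabilities from the get-application output.
    An absent or empty list means the application needs no acknowledgement."""
    response = json.loads(response_json)
    version = response.get("version") or {}
    found = version.get("requiredCapabilities") or response.get("requiredCapabilities")
    return list(found or [])


def plan_deployment(response_json: str, approved: set[str]) -> dict:
    """Decide whether this pipeline may deploy the application.

    `approved` is the set of capabilities the operator has reviewed and is
    willing to acknowledge. Fails closed: anything not approved, including a
    capability value this code does not recognise, blocks the deployment."""
    required = required_capabilities(response_json)
    refused = sorted(c for c in required
                     if c not in approved or c not in KNOWN_CAPABILITIES)
    allowed = not refused
    return {"allowed": allowed,
            "acknowledge": sorted(required) if allowed else [],
            "refused": refused}


def changeset_argv(app_arn: str, stack_name: str, acknowledge: list[str]) -> list[str]:
    """argv for `aws serverlessrepo create-cloud-formation-change-set`, passing
    only the reviewed capabilities via --capabilities (omitted when none)."""
    argv = ["aws", "serverlessrepo", "create-cloud-formation-change-set",
            "--application-id", app_arn, "--stack-name", stack_name]
    if acknowledge:
        argv += ["--capabilities", *acknowledge]
    return argv


if __name__ == "__main__":
    # Pipeline policy: resource policies and unnamed IAM roles are acceptable;
    # custom-named IAM and nested applications require a human review first.
    policy = {"CAPABILITY_IAM", "CAPABILITY_RESOURCE_POLICY"}
    plan = plan_deployment(SAMPLE_RESPONSE, policy)
    if plan["allowed"]:
        arn = json.loads(SAMPLE_RESPONSE)["applicationId"]
        print(" ".join(changeset_argv(arn, "example-app", plan["acknowledge"])))
    else:
        print("refusing to deploy; unapproved capabilities:", plan["refused"])
```

Keeping the approved set narrow is the point: passing every capability the application lists would recreate the blind acknowledgement the console check box exists to prevent, while refusing unknown values means a capability type introduced after this code was written blocks the deployment until someone reads what it means.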