Using Amazon SAM with the Amazon Serverless Application Repository
The Amazon Serverless Application Model (Amazon SAM) is an open-source framework that you can use to build serverless applications.
When building applications that will be published to the Amazon Serverless Application Repository, you must consider the set of supported Amazon Resources and Policy Templates available to use. The sections below describe these topics in more detail.
Supported Amazon Resources in the Amazon Serverless Application Repository
The Amazon Serverless Application Repository supports serverless applications that are composed of many Amazon SAM and Amazon CloudFormation resources. To see the complete list of Amazon resources that are supported by Amazon Serverless Application Repository, see List of Supported Amazon Resources.
If you want to request support for an additional Amazon resource, contact Amazon Support.
Important
Amazon Serverless Application Repository blocks publication of applications that include the following overly broad IAM permission patterns, which do not follow the principle of least privilege:
- Attaching the AWSLambda_FullAccess managed policy to Lambda functions
- Granting iam:AttachRolePolicy, iam:PutRolePolicy, or iam:* on all resources (*) in inline IAM policies
To publish your application, replace AWSLambda_FullAccess with only the specific Lambda permissions your application requires, and scope iam:AttachRolePolicy, iam:PutRolePolicy, and iam:PassRole to specific resource ARNs rather than all resources. An iam:* grant has no least-privilege form; list the individual IAM actions the application needs instead. For guidance, see IAM security best practices.
Important
If your application template contains one of the following custom IAM roles or resource policies, your application doesn't show up in search results by default. Also, customers need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information, see Acknowledging Application Capabilities.
The resources this applies to are:
- IAM roles: AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, and AWS::IAM::Role.
- Resource policies: AWS::Lambda::LayerVersionPermission, AWS::Lambda::Permission, AWS::Events::EventBusPolicy, AWS::IAM::Policy, AWS::ApplicationAutoScaling::ScalingPolicy, AWS::S3::BucketPolicy, AWS::SQS::QueuePolicy, and AWS::SNS::TopicPolicy.
If your application contains the AWS::Serverless::Application resource, customers need to acknowledge that the application contains a nested application before they can deploy the application. For more information about nested applications, see Nested Applications in the Amazon Serverless Application Model Developer Guide. For more information about acknowledging capabilities, see Acknowledging Application Capabilities.
Policy Templates
Amazon SAM provides you with a list of policy templates to scope the permissions of your Lambda functions to the resources that are used by your application. Using policy templates doesn't require additional customer acknowledgments to search, browse, or deploy the application.
For the list of standard Amazon SAM policy templates, see Amazon SAM Policy Templates in the Amazon Serverless Application Model Developer Guide.
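The following pre-publish check is an added example, not part of this guide or of any Amazon tooling. It walks a SAM template for the two patterns the first Important note above says the repository blocks (the AWSLambda_FullAccess managed policy on a function, and inline policies allowing iam:AttachRolePolicy, iam:PutRolePolicy or iam:* on Resource "*"), and it lets SAM policy templates such as SQSPollerPolicy, as described in the Policy Templates section, pass through unflagged. It assumes the template is in JSON (Amazon SAM accepts JSON as well as YAML); both sample templates, the function name Worker, the queue Jobs and the role and function ARNs in them are constructed for the example. One choice that goes beyond the note: a bare "*" Action is treated as including iam:* and is flagged too.

```python
"""Pre-publish check for the IAM patterns the Serverless Application Repository
rejects: the AWSLambda_FullAccess managed policy on a Lambda function, and
inline policies allowing iam:AttachRolePolicy, iam:PutRolePolicy or iam:* on
Resource "*". Added example, not Amazon tooling; templates are handled as JSON
(SAM accepts JSON as well as YAML) and the two sample templates are constructed."""
import json

BLOCKED_MANAGED_POLICY = "AWSLambda_FullAccess"
BLOCKED_IAM_ACTIONS = {"iam:attachrolepolicy", "iam:putrolepolicy", "iam:*"}


def _as_list(value):
    """Action, Resource, Policies and Statement may each be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_blocked_managed_policy(ref):
    """True for the bare policy name or its ARN (...:policy/AWSLambda_FullAccess)."""
    return isinstance(ref, str) and ref.split("/")[-1] == BLOCKED_MANAGED_POLICY


def _blocked_statements(document):
    """Yield the blocked actions of each Allow statement whose Resource is '*'."""
    for stmt in _as_list(document.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if isinstance(a, str)]
        # Assumption of this example: a bare "*" action subsumes iam:*, so flag it too.
        hits = [a for a in actions if a == "*" or a.lower() in BLOCKED_IAM_ACTIONS]
        if hits and "*" in _as_list(stmt.get("Resource")):
            yield hits


def find_blocked_patterns(template):
    """Return [(logical_id, message), ...]; an empty list means nothing to fix."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        managed, documents = [], []
        if rtype == "AWS::Serverless::Function":
            for entry in _as_list(props.get("Policies")):
                if isinstance(entry, str):
                    managed.append(entry)                 # managed policy name or ARN
                elif isinstance(entry, dict) and "Statement" in entry:
                    documents.append(entry)               # inline policy document
                # Any other dict is a SAM policy template (e.g. SQSPollerPolicy): passes as-is.
        elif rtype == "AWS::IAM::Role":
            managed.extend(_as_list(props.get("ManagedPolicyArns")))
            documents.extend(p.get("PolicyDocument", {})
                             for p in _as_list(props.get("Policies")) if isinstance(p, dict))
        elif rtype == "AWS::IAM::Policy":
            documents.append(props.get("PolicyDocument", {}))
        for ref in managed:
            if _is_blocked_managed_policy(ref):
                findings.append((logical_id, f"attaches managed policy {BLOCKED_MANAGED_POLICY}"))
        for doc in documents:
            for hits in _blocked_statements(doc):
                findings.append((logical_id, f"grants {', '.join(hits)} on Resource *"))
    return findings


# Constructed sample: a template the repository would block.
REJECTED_TEMPLATE = json.loads("""{
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "Worker": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
        "Policies": [
          "AWSLambda_FullAccess",
          {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["iam:PutRolePolicy", "iam:PassRole"], "Resource": "*"}]}
        ]
      }
    }
  }
}""")

# Constructed sample: the same function scoped so that it publishes. The SQS policy
# template and the specific resource ARNs pass through the check unflagged.
PUBLISHABLE_TEMPLATE = json.loads("""{
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "Jobs": {"Type": "AWS::SQS::Queue"},
    "Worker": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
        "Policies": [
          {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["Jobs", "QueueName"]}}},
          {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "lambda:InvokeFunction",
             "Resource": {"Fn::Sub": "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:helper"}},
            {"Effect": "Allow", "Action": "iam:PassRole",
             "Resource": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/worker-exec"}}]}
        ]
      }
    }
  }
}""")

if __name__ == "__main__":
    for name, tpl in (("rejected", REJECTED_TEMPLATE), ("publishable", PUBLISHABLE_TEMPLATE)):
        print(name, find_blocked_patterns(tpl) or "no blocked patterns")
```

Run it against a template before `sam publish`; the rejected sample reports the managed policy and the iam:PutRolePolicy grant on Resource *, while the publishable sample reports nothing. The check only covers what the note above lists: iam:PassRole on "*" is not flagged, although the guidance still asks for it to be scoped to a role ARN.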