# Using Amazon SAM with the Amazon Serverless Application Repository
<a name="using-aws-sam"></a>

The Amazon Serverless Application Model (Amazon SAM) is an open-source framework that you can use to build [serverless applications](https://aws.amazon.com/serverless/) on Amazon. For more information about using Amazon SAM to build your serverless application, see the [Amazon Serverless Application Model Developer Guide](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/).

When building applications that will be published to the Amazon Serverless Application Repository, you must consider the set of supported Amazon Resources and Policy Templates available to use. The sections below describe these topics in more detail.

## Supported Amazon Resources in the Amazon Serverless Application Repository
<a name="supported-resources-for-serverlessrepo"></a>

The Amazon Serverless Application Repository supports serverless applications that are composed of many Amazon SAM and Amazon CloudFormation resources. To see the complete list of Amazon resources that are supported by Amazon Serverless Application Repository, see [List of Supported Amazon Resources](list-supported-resources.md).

If you want to request support for an additional Amazon resource, contact [Amazon Support](https://console.amazonaws.cn/support/home#/).

**Important**  
Amazon Serverless Application Repository blocks publication of applications that include the following overly broad IAM permission patterns, which do not follow the principle of least privilege:  
+ Attaching the `AWSLambda_FullAccess` managed policy to Lambda functions
+ Granting `iam:AttachRolePolicy`, `iam:PutRolePolicy`, or `iam:*` on all resources (`*`) in inline IAM policies

To publish your application, replace `AWSLambda_FullAccess` with only the specific Lambda permissions your application requires, and scope `iam:AttachRolePolicy`, `iam:PutRolePolicy`, and `iam:PassRole` to specific resource ARNs rather than all resources. For guidance, see [IAM security best practices](https://docs.amazonaws.cn/IAM/latest/UserGuide/best-practices.html).

**Important**  
If your application template contains one of the following custom IAM roles or resource policies, your application doesn't show up in search results by default. Also, customers need to acknowledge the application's custom IAM roles or resource policies before they can deploy the application. For more information, see [Acknowledging Application Capabilities](acknowledging-application-capabilities.md).  
The list of resources that this applies to is:  
+ **IAM roles:** [AWS::IAM::Group](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-iam-group.html), [AWS::IAM::InstanceProfile](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html), [AWS::IAM::Policy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html), and [AWS::IAM::Role](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html).
+ **Resource policies:** [AWS::Lambda::LayerVersionPermission](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-layerversionpermission.html), [AWS::Lambda::Permission](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html), [AWS::Events::EventBusPolicy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-events-eventbuspolicy.html), [AWS::IAM::Policy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html), [AWS::ApplicationAutoScaling::ScalingPolicy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-resource-applicationautoscaling-scalingpolicy.html), [AWS::S3::BucketPolicy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-s3-policy.html), [AWS::SQS::QueuePolicy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-policy.html), and [AWS::SNS::TopicPolicy](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/aws-properties-sns-policy.html).
If your application contains the [AWS::Serverless::Application](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/serverless-sam-template.html#serverless-sam-template-application) resource, customers need to acknowledge that the application contains a **nested application** before they can deploy the application. For more information about nested applications, see [Nested Applications](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/serverless-sam-template-nested-applications.html) in the *Amazon Serverless Application Model Developer Guide*. For more information about acknowledging capabilities, see [Acknowledging Application Capabilities](acknowledging-application-capabilities.md).

## Policy Templates
<a name="policy-templates-for-serverlessrepo"></a>

Amazon SAM provides you with a list of policy templates to scope the permissions of your Lambda functions to the resources that are used by your application. Using policy templates doesn't require additional customer acknowledgments to search, browse, or deploy the application.

For the list of standard Amazon SAM policy templates, see [Amazon SAM Policy Templates](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/serverless-policy-templates.html) in the *[Amazon Serverless Application Model Developer Guide](https://docs.amazonaws.cn/serverless-application-model/latest/developerguide/)*.
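The following is an added example, not code from the Amazon Serverless Application Repository documentation or from Amazon SAM. It is a small pre-publish lint that reads a SAM template and reports the two IAM patterns that the **Important** note above says block publication (`AWSLambda_FullAccess` on a function, and `iam:AttachRolePolicy`, `iam:PutRolePolicy` or `iam:*` granted on `Resource: "*"`), and it also shows the contrast with a function that uses a SAM policy template (`SQSPollerPolicy`, which exists in SAM) and an `iam:PassRole` statement scoped to one role ARN. The template is a constructed sample embedded as JSON (CloudFormation and SAM accept JSON as well as YAML); the logical IDs, account ID and role name in it are placeholders, and the walk over `Policies`, `ManagedPolicyArns` and `PolicyDocument` is this example's own simplification of the template schema, not SAM's own validator.

```python
"""Pre-publish lint for IAM patterns that block publication to the
Amazon Serverless Application Repository. Added example; uses only the
standard library and a constructed sample template."""
import json

BLOCKED_MANAGED_POLICY = "AWSLambda_FullAccess"
# Lower-cased so that comparison is case-insensitive, as IAM action matching is.
BLOCKED_IAM_ACTIONS = {"iam:attachrolepolicy", "iam:putrolepolicy", "iam:*"}

# Constructed sample template (placeholder IDs, account and role name).
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Resources": {
    "BroadFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
        "Policies": [
          "AWSLambda_FullAccess",
          {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Action": ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
             "Resource": "*"}]}
        ]
      }
    },
    "ScopedFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Runtime": "python3.12", "Handler": "app.handler", "CodeUri": "src/",
        "Policies": [
          {"SQSPollerPolicy": {"QueueName": {"Fn::GetAtt": ["WorkQueue", "QueueName"]}}},
          {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "iam:PassRole",
             "Resource": "arn:aws-cn:iam::123456789012:role/example-worker-role"}]}
        ]
      }
    },
    "WorkQueue": {"Type": "AWS::SQS::Queue"}
  }
}
""")


def _as_list(value):
    """Action, Resource, Policies and Statement may each be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_is_too_broad(statement):
    """True if an Allow statement grants a blocked IAM action on every resource."""
    if statement.get("Effect", "Allow") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(statement.get("Action")) if isinstance(a, str)}
    return bool(actions & BLOCKED_IAM_ACTIONS) and "*" in _as_list(statement.get("Resource"))


def find_blocked_permissions(template):
    """Return [(logical_id, reason), ...] for every resource that would block publication."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype, props = resource.get("Type", ""), resource.get("Properties", {})
        managed, documents = [], []
        if rtype == "AWS::Serverless::Function":
            for entry in _as_list(props.get("Policies")):
                if isinstance(entry, str):
                    managed.append(entry)            # managed policy name or ARN
                elif isinstance(entry, dict) and "Statement" in entry:
                    documents.append(entry)          # inline policy document
                # Any other dict is a SAM policy template (e.g. SQSPollerPolicy),
                # which SAM scopes to the named resource, so it is not inspected here.
        elif rtype == "AWS::IAM::Role":
            managed.extend(_as_list(props.get("ManagedPolicyArns")))
            for entry in _as_list(props.get("Policies")):
                if isinstance(entry, dict) and "PolicyDocument" in entry:
                    documents.append(entry["PolicyDocument"])
        elif rtype == "AWS::IAM::Policy":
            documents.append(props.get("PolicyDocument", {}))
        else:
            continue
        for arn in managed:
            # Accept both the bare name and a full ARN in any partition (aws, aws-cn).
            if isinstance(arn, str) and arn.rsplit("/", 1)[-1] == BLOCKED_MANAGED_POLICY:
                findings.append((logical_id, f"uses managed policy {BLOCKED_MANAGED_POLICY}"))
        for doc in documents:
            for statement in _as_list(doc.get("Statement")):
                if isinstance(statement, dict) and _statement_is_too_broad(statement):
                    acts = ", ".join(sorted(_as_list(statement.get("Action"))))
                    findings.append((logical_id, f"grants {acts} on all resources"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in find_blocked_permissions(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```

Run against the sample, the lint reports `BroadFunction` twice (the managed policy and the `*`-scoped inline statement) and nothing for `ScopedFunction`. Note that `iam:PassRole` on `*` is not in the blocked list quoted from the note above, so this lint does not flag it, although the note still recommends scoping it to specific role ARNs.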