AWS SAM policy templates

A feature I think everyone (including myself!) should use more is AWS Serverless Application Model (SAM) policy templates. This approach is a great example of "syntactic sugar" that characterises the AWS SAM approach.

As an example, a frequent requirement for your serverless application functions is to create, read, update, and delete items on a DyanmoDB table. Rather than give in to the temptation to give your function access to all actions on all tables, you can use the aptly-named DynamoDBCrudPolicy template that takes a TableName parameter:

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    CodeUri: .
    Handler: hello.handler
    Runtime: nodejs18.x
    Policies:
      - DynamoDBCrudPolicy:
          TableName: !Ref TableName
 				

These two lines of YAML then gets transformed in to a detailed IAM policy statement that restricts the access to the appropriate IAM actions on the specific DDB table resource:

"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:DeleteItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:BatchGetItem",
      "dynamodb:DescribeTable",
      "dynamodb:ConditionCheckItem"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/index/*",
          {
            "tableName": {
              "Ref": "TableName"
            }
          }
        ]
      }
    ]
  }
]

This approach is quick, clean, and consistent, while avoiding a lot of accidental errors that can creep in to a more complicated policy definition.

You can see a full list of the all the policy templates in the official documentation, and the docs include how to submit your own policy templates.