Use a unique role with just enough permissions for each Lambda function

Serverless Tip #4: Use a unique role with just enough permissions for each Lambda function

The principle of least privilege says that you should grant each service only the access it needs to complete its tasks, and nothing more.

Starting with IAM can be daunting. It can be tempting to take shortcuts by creating one IAM role with broad access and assigning it to multiple functions. However, such shared roles are a bad practice: every function then carries the union of every other function's permissions, so a single bug or compromised dependency in one function can reach resources it was never meant to touch.

Instead, create unique IAM roles for all functions, with the exact permissions each function requires to accomplish its tasks. Tools like CDK, SAM, and SST simplify this practice.

The same goes for all future IAM roles you will create, so it’s a good habit to pick up from the start.
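As an added illustration (not code from the original tip), the following Python builds one scoped IAM policy document per function and lints a set of role assignments for the two smells the tip warns about: a role shared across functions, and wildcard actions or resources. The function names, account id, table and queue ARNs are constructed sample values.

```python
"""Added example: one least-privilege policy per Lambda function, plus a linter."""
import json

# Constructed sample: the exact API calls each function needs (action, resource ARN).
ACCOUNT, REGION = "123456789012", "us-east-1"
FUNCTION_NEEDS = {
    "GetOrderFn": [("dynamodb:GetItem", f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/Orders")],
    "NotifyFn": [("sqs:SendMessage", f"arn:aws:sqs:{REGION}:{ACCOUNT}:order-events")],
}
LOG_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]


def policy_for(function_name, needs, account=ACCOUNT, region=REGION):
    """Return an IAM policy document granting only this function's needs plus its own log group."""
    statements = [{
        "Sid": "OwnLogGroup",
        "Effect": "Allow",
        "Action": LOG_ACTIONS,
        "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function_name}:*",
    }]
    for action, arn in needs:
        statements.append({"Effect": "Allow", "Action": [action], "Resource": [arn]})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_roles(role_assignments, policies):
    """role_assignments: {function_name: role_name}; policies: {role_name: policy_doc}.
    Returns findings: roles shared by several functions, wildcard actions, wildcard resources."""
    findings, by_role = [], {}
    for fn, role in role_assignments.items():
        by_role.setdefault(role, []).append(fn)
    for role, fns in by_role.items():
        if len(fns) > 1:
            findings.append(f"role {role} is shared by {sorted(fns)}")
    for role, doc in policies.items():
        for st in doc["Statement"]:
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"role {role}: wildcard action in {actions}")
            if "*" in resources:
                findings.append(f"role {role}: wildcard resource '*'")
    return findings


if __name__ == "__main__":
    roles = {fn: f"{fn}Role" for fn in FUNCTION_NEEDS}
    policies = {f"{fn}Role": policy_for(fn, needs) for fn, needs in FUNCTION_NEEDS.items()}
    print(json.dumps(policies, indent=2))
    print("findings:", lint_roles(roles, policies))
```

The same `lint_roles` check flags the shortcut the tip describes: a single broad role (`"Action": "*"`, `"Resource": "*"`) attached to both functions produces three findings, while the per-function policies produce none.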