fix: #114 More secure IoT policy

ServerlessLife · ServerlessLife · commit d5ffd23933c5 · 2025-03-10T19:40:45.000+01:00
diff --git a/src/infraDeploy.ts b/src/infraDeploy.ts
@@ -37,9 +37,15 @@ const policyDocument = {
   Version: '2012-10-17',
   Statement: [
     {
-      Action: 'iot:*',
-      Resource: '*',
       Effect: 'Allow',
+      Action: [
+        'iot:DescribeEndpoint',
+        'iot:Connect',
+        'iot:Publish',
+        'iot:Subscribe',
+        'iot:Receive',
+      ],
+      Resource: '*',
     },
   ],
 };
diff --git a/test/utils/expectInfraDeployed.ts b/test/utils/expectInfraDeployed.ts
@@ -30,14 +30,20 @@ export async function expectInfraDeployed(lambdaName: any) {
       ':layer:LambdaLiveDebugger:',
     );
     expect(policyDocument).toEqual({
+      Version: '2012-10-17',
       Statement: [
         {
-          Action: 'iot:*',
           Effect: 'Allow',
+          Action: [
+            'iot:DescribeEndpoint',
+            'iot:Connect',
+            'iot:Publish',
+            'iot:Subscribe',
+            'iot:Receive',
+          ],
           Resource: '*',
         },
       ],
-      Version: '2012-10-17',
     });
   }
 }
