Tweak docs

mnapoli · mnapoli · commit 605b1db2fe93 · 2025-08-18T15:28:36.000+02:00
diff --git a/docs/environment/aws-credentials.mdx b/docs/environment/aws-credentials.mdx
@@ -8,7 +8,9 @@ import { Callout, Tabs } from 'nextra/components';
 When your PHP application runs on AWS Lambda, it automatically has access to AWS credentials. This means you don't need to manage AWS access keys or credentials in your code - Lambda handles this for you.
 
 <Callout type="warning">
-**Common mistake**: Don't put AWS access keys in your Lambda functions or environment variables. Lambda provides credentials automatically.
+    Don't deploy AWS access keys in your Lambda functions or environment variables. Lambda provides credentials automatically.
+
+    This is a common mistake **when migrating an existing application to AWS Lambda**.
 </Callout>
 
 ## How it works
@@ -40,6 +42,8 @@ $result = $s3->putObject([
 // Note that this also works with https://async-aws.com
 ```
 
+Note that **Laravel and Symfony automatically pick up these permissions** too.
+
 These credentials have access controlled by an IAM role defined in `serverless.yml`.
 
 <Callout type="info">
@@ -121,31 +125,45 @@ Here are the IAM actions you'll typically need for common AWS services:
 
 ### DynamoDB
 ```yaml
-- Effect: Allow
-  Action:
-    - dynamodb:GetItem
-    - dynamodb:PutItem
-    - dynamodb:UpdateItem
-    - dynamodb:DeleteItem
-    - dynamodb:Query
-    - dynamodb:Scan
-  Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/my-table
+-   Effect: Allow
+    Action:
+        - dynamodb:GetItem
+        - dynamodb:PutItem
+        - dynamodb:UpdateItem
+        - dynamodb:DeleteItem
+        - dynamodb:Query
+        - dynamodb:Scan
+    Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/my-table
 ```
 
 ### Secrets Manager
 ```yaml
-- Effect: Allow
-  Action:
-    - secretsmanager:GetSecretValue
-  Resource: arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:my-secret-*
+-   Effect: Allow
+    Action: secretsmanager:GetSecretValue
+    Resource: arn:aws:secretsmanager:${aws:region}:${aws:accountId}:secret:my-secret-*
 ```
 
 ### SNS (notifications)
 ```yaml
-- Effect: Allow
-  Action:
-    - sns:Publish
-  Resource: arn:aws:sns:${aws:region}:${aws:accountId}:my-topic
+-   Effect: Allow
+    Action: sns:Publish
+    Resource: arn:aws:sns:${aws:region}:${aws:accountId}:my-topic
+```
+
+### EventBridge
+```yaml
+-   Effect: Allow
+    Action: events:PutEvents
+    Resource: arn:aws:events:${aws:region}:${aws:accountId}:event-bus/my-event-bus
+```
+
+### SSM Parameter Store
+```yaml
+-   Effect: Allow
+    Action:
+        - ssm:GetParameter
+        - ssm:GetParameters
+    Resource: arn:aws:ssm:${aws:region}:${aws:accountId}:parameter/my-app/*
 ```
 
 ## Troubleshooting
@@ -163,6 +181,10 @@ If you get "Access Denied" errors when trying to use AWS services:
 
 When testing locally remember that you will need to provide AWS credentials since you're not running on Lambda. You can set them up via long-lived AWS access keys or IAM roles with SSO.
 
+## Permissions per function
+
+If you want to define permissions **per function**, instead of globally (ie: in the provider), you can install the plugin [`serverless-iam-roles-per-function`](https://github.com/functionalone/serverless-iam-roles-per-function) and then use the `iamRoleStatements` at the function definition block.
+
 ## Learn more
 
 - [`serverless.yml` IAM guide](https://github.com/oss-serverless/serverless/blob/main/docs/guides/iam.md)
diff --git a/docs/environment/serverless-yml.mdx b/docs/environment/serverless-yml.mdx
@@ -148,33 +148,9 @@ Note that it is possible to mix PHP functions with functions written in other la
 
 ### Permissions
 
-If your lambda needs to access other AWS services (S3, SQS, SNS…), you will need to add the proper permissions via the [`iam.role.statements` section](https://serverless.com/framework/docs/providers/aws/guide/functions#permissions):
+If your lambda needs to access other AWS services (S3, SQS, SNS…), you will need to add the proper permissions via the `iam.role.statements` section.
 
-```yaml
-provider:
-    name: aws
-    timeout: 10
-    runtime: provided.al2
-    iam:
-        role:
-            statements:
-                # Allow to put a file in the `my-bucket` S3 bucket
-                -   Effect: Allow
-                    Action: s3:PutObject
-                    Resource: 'arn:aws:s3:::my-bucket/*'
-                # Allow to query and update the `example` DynamoDB table
-                -   Effect: Allow
-                    Action:
-                        - dynamodb:Query
-                        - dynamodb:Scan
-                        - dynamodb:GetItem
-                        - dynamodb:PutItem
-                        - dynamodb:UpdateItem
-                        - dynamodb:DeleteItem
-                    Resource: 'arn:aws:dynamodb:us-east-1:111110002222:table/example'
-```
-
-If you only want to define some permissions **per function**, instead of globally (ie: in the provider), you should install and enable the Serverless plugin [`serverless-iam-roles-per-function`](https://github.com/functionalone/serverless-iam-roles-per-function) and then use the `iamRoleStatements` at the function definition block.
+Read more about [AWS credentials in the documentation](./aws-credentials.mdx).
 
 ## Stage parameters
 
