Update IAM policies for AWS SAM deployment

smessmer · smessmer · commit c5edcd2ab934 · 2026-01-10T22:20:25.000-08:00
- Update CloudFormation resources to include SAM managed stack
- Update S3 resources for SAM managed bucket
- Clean up Serverless-specific permissions
diff --git a/backend/iam/existing_stack.txt b/backend/iam/existing_stack.txt
@@ -1,5 +1,5 @@
-# This is the IAM policy needed to update an existing stack in CI, if there are no new functions added.
-# (replace ${account_id} with your Amazon Account ID)
+# IAM policy for CI to update an existing AWS SAM stack (no new functions).
+# Replace ${account_id} with your AWS Account ID.
 
 {
     "Version": "2012-10-17",
@@ -23,12 +23,11 @@
                 "s3:PutObject",
                 "s3:DeleteObject",
                 "s3:ListBucket",
-                "s3:GetEncryptionConfiguration",
-                "s3:GetBucketPolicy",
-                "s3:GetBucketAcl"
+                "s3:GetBucketLocation"
             ],
             "Resource": [
-                "arn:aws:s3:::cryfs-web-backend-*"
+                "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*",
+                "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"
             ]
         },
         {
@@ -42,10 +41,12 @@
                 "cloudformation:DescribeStackEvents",
                 "cloudformation:ListStackResources",
                 "cloudformation:CreateChangeSet",
-                "cloudformation:DeleteChangeSet"
+                "cloudformation:DeleteChangeSet",
+                "cloudformation:GetTemplateSummary"
             ],
             "Resource": [
-                "arn:aws:cloudformation:us-east-1:${account_id}:stack/cryfs-web-backend-*"
+                "arn:aws:cloudformation:us-east-1:${account_id}:stack/cryfs-web-backend/*",
+                "arn:aws:cloudformation:us-east-1:${account_id}:stack/aws-sam-cli-managed-default/*"
             ]
         },
         {
@@ -55,9 +56,7 @@
                 "cloudformation:GetTemplate",
                 "cloudformation:ValidateTemplate"
             ],
-            "Resource": [
-                "*"
-            ]
+            "Resource": "*"
         },
         {
             "Sid": "Lambda",
diff --git a/backend/iam/new_stack.txt b/backend/iam/new_stack.txt
@@ -1,5 +1,5 @@
-# This is the IAM policy needed to deploy a new stack (i.e. when AWS Lambda is being set up from scratch) or a new function
-# (replace ${account_id} with your Amazon Account ID)
+# IAM policy for CI to deploy a new AWS SAM stack or add new functions.
+# Replace ${account_id} with your AWS Account ID.
 
 {
     "Version": "2012-10-17",
@@ -31,16 +31,16 @@
                 "s3:ListBucket",
                 "s3:CreateBucket",
                 "s3:DeleteBucket",
-                "s3:GetEncryptionConfiguration",
+                "s3:GetBucketLocation",
                 "s3:PutEncryptionConfiguration",
-                "s3:GetBucketPolicy",
                 "s3:PutBucketPolicy",
                 "s3:PutBucketTagging",
-                "s3:GetBucketAcl",
-                "s3:PutBucketAcl"
+                "s3:PutBucketVersioning",
+                "s3:PutLifecycleConfiguration"
             ],
             "Resource": [
-                "arn:aws:s3:::cryfs-web-backend-*"
+                "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*",
+                "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"
             ]
         },
         {
@@ -54,10 +54,12 @@
                 "cloudformation:CreateChangeSet",
                 "cloudformation:ExecuteChangeSet",
                 "cloudformation:DescribeStackEvents",
-                "cloudformation:ListStackResources"
+                "cloudformation:ListStackResources",
+                "cloudformation:GetTemplateSummary"
             ],
             "Resource": [
-                "arn:aws:cloudformation:us-east-1:${account_id}:stack/cryfs-web-backend-*"
+                "arn:aws:cloudformation:us-east-1:${account_id}:stack/cryfs-web-backend/*",
+                "arn:aws:cloudformation:us-east-1:${account_id}:stack/aws-sam-cli-managed-default/*"
             ]
         },
         {
@@ -67,9 +69,7 @@
                 "cloudformation:GetTemplate",
                 "cloudformation:ValidateTemplate"
             ],
-            "Resource": [
-                "*"
-            ]
+            "Resource": "*"
         },
         {
             "Sid": "Lambda",
@@ -84,7 +84,8 @@
                 "lambda:ListVersionsByFunction",
                 "lambda:PublishVersion",
                 "lambda:UpdateFunctionCode",
-                "lambda:AddPermission"
+                "lambda:AddPermission",
+                "lambda:RemovePermission"
             ],
             "Resource": "arn:aws:lambda:us-east-1:${account_id}:function:cryfs-web-backend-*"
         },
