# Appendix: AWS Permissions

Your IAM user will require the following minimum permissions. You can create a custom policy to define these permissions and attach it to your user. This appendix explains each permission and the resources it applies to, but feel free to skip to the sample policy template at the end, which you can copy and modify for your own account.

# IAM

The following permissions all apply to the role `litexa_handler_lambda`.

  • AttachRolePolicy
  • CreateRole
  • GetRole
  • ListAttachedRolePolicies
  • PassRole

# Lambda

The following permissions all apply to the Lambda function name structure `*_*_litexa_handler`, where `*` is a wildcard.

  • AddPermission
  • CreateAlias
  • CreateFunction
  • GetAlias
  • GetFunctionConfiguration
  • GetPolicy
  • ListAliases
  • RemovePermission
  • UpdateFunctionCode
  • UpdateFunctionConfiguration

# DynamoDB

The following permissions all apply to the DynamoDB table name structure `*_*_litexa_handler_state`, where `*` is a wildcard.

  • CreateTable
  • DescribeTable

# S3

This permission automatically applies to all resources.

  • ListAllMyBuckets

The following permissions apply to the S3 bucket defined in the `s3Configuration.bucketName` field in your `litexa.config.js/json/ts/coffee` file.

  • CreateBucket
  • ListBucket

The following permissions apply to all objects in the S3 bucket defined in the `s3Configuration.bucketName` field in your `litexa.config.js/json/ts/coffee` file.

  • PutObject
  • PutObjectAcl

# CloudWatch Logs

This permission applies to all CloudWatch log groups.

  • DescribeLogGroups

This permission automatically applies to all resources.

  • CreateLogGroup

These permissions apply to CloudWatch log streams with the log group name structure `*_*_litexa_handler`, where `*` is a wildcard.

  • DescribeLogStreams
  • PutRetentionPolicy

This permission applies to the same log group resource as above, with wildcards in the log stream and log stream name sections of the ARN.

  • GetLogEvents

# Minimum Permissions

Any resource containing a `*` wildcard can be replaced with the specific ARN, but the wildcards are practical when you create multiple Litexa projects in the same AWS account.

# Sample Policy Document

Remember to replace `myAccountId` and `myBucketName` with your AWS account ID number and S3 bucket name, respectively.

```json
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "IAMRole",
          "Effect": "Allow",
          "Action": [
              "iam:AttachRolePolicy",
              "iam:CreateRole",
              "iam:GetRole",
              "iam:ListAttachedRolePolicies",
              "iam:PassRole"
          ],
          "Resource": "arn:aws:iam::myAccountId:role/litexa_handler_lambda"
      },
      {
          "Sid": "Lambda",
          "Effect": "Allow",
          "Action": [
              "lambda:AddPermission",
              "lambda:CreateAlias",
              "lambda:CreateFunction",
              "lambda:GetAlias",
              "lambda:GetFunctionConfiguration",
              "lambda:GetPolicy",
              "lambda:ListAliases",
              "lambda:RemovePermission",
              "lambda:UpdateFunctionConfiguration",
              "lambda:UpdateFunctionCode"
          ],
          "Resource": "arn:aws:lambda:*:myAccountId:function:*_*_litexa_handler"
      },
      {
          "Sid": "DynamoDB",
          "Effect": "Allow",
          "Action": [
              "dynamodb:CreateTable",
              "dynamodb:DescribeTable"
          ],
          "Resource": "arn:aws:dynamodb:*:myAccountId:table/*_*_litexa_handler_state"
      },
      {
          "Sid": "CreateLogGroupListS3Buckets",
          "Effect": "Allow",
          "Action": [
              "logs:CreateLogGroup",
              "s3:ListAllMyBuckets"
          ],
          "Resource": "*"
      },
      {
          "Sid": "S3BucketActions",
          "Effect": "Allow",
          "Action": [
              "s3:CreateBucket",
              "s3:ListBucket"
          ],
          "Resource": "arn:aws:s3:::myBucketName"
      },
      {
          "Sid": "S3BucketObjectActions",
          "Effect": "Allow",
          "Action": [
              "s3:PutObject",
              "s3:PutObjectAcl"
          ],
          "Resource": "arn:aws:s3:::myBucketName/*"
      },
      {
          "Sid": "DescribeLogGroups",
          "Effect": "Allow",
          "Action": "logs:DescribeLogGroups",
          "Resource": "arn:aws:logs:*:myAccountId:log-group:*"
      },
      {
          "Sid": "LogStreamActions",
          "Effect": "Allow",
          "Action": [
            "logs:DescribeLogStreams",
            "logs:PutRetentionPolicy"
          ],
          "Resource": "arn:aws:logs:*:myAccountId:log-group:/aws/lambda/*_*_litexa_handler:log-stream:"
      },
      {
          "Sid": "GetLogEvents",
          "Effect": "Allow",
          "Action": "logs:GetLogEvents",
          "Resource": "arn:aws:logs:*:myAccountId:log-group:/aws/lambda/*_*_litexa_handler:*:*"
      }
  ]
}
```
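As an added example (not part of the Litexa project's own code), the helper below fills in the two placeholders of the sample policy and then audits the rendered document for actions granted on `Resource: "*"`, which per this appendix should only ever be `logs:CreateLogGroup` and `s3:ListAllMyBuckets`. The embedded template is a constructed subset of the policy above; the account ID and bucket name used in the comments are made-up values.

```python
import json
import re

# Constructed subset of the appendix's sample policy; placeholders are the page's own.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "IAMRole", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PassRole"],
     "Resource": "arn:aws:iam::myAccountId:role/litexa_handler_lambda"},
    {"Sid": "CreateLogGroupListS3Buckets", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "s3:ListAllMyBuckets"],
     "Resource": "*"},
    {"Sid": "S3BucketObjectActions", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::myBucketName/*"}
  ]
}"""

# The only actions the appendix grants on all resources.
EXPECTED_GLOBAL_ACTIONS = {"logs:CreateLogGroup", "s3:ListAllMyBuckets"}


def render_policy(template: str, account_id: str, bucket_name: str) -> dict:
    """Substitute myAccountId / myBucketName after checking their shape."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    # Conservative S3 bucket-name check: lowercase letters, digits, dots, hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket_name):
        raise ValueError("invalid S3 bucket name")
    rendered = template.replace("myAccountId", account_id)
    rendered = rendered.replace("myBucketName", bucket_name)
    return json.loads(rendered)


def unexpected_global_actions(policy: dict) -> set:
    """Return actions granted on Resource "*" beyond the two the appendix documents."""
    found = set()
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        actions = stmt["Action"]
        # Both fields may be a single string or a list in IAM policy JSON.
        resources = [resources] if isinstance(resources, str) else resources
        actions = [actions] if isinstance(actions, str) else actions
        if "*" in resources:
            found.update(actions)
    return found - EXPECTED_GLOBAL_ACTIONS
```

Running `unexpected_global_actions` over your full policy before attaching it catches a statement that was accidentally widened to all resources.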