# Appendix: AWS Permissions
Your IAM user will require the following minimum permissions. You can create a custom policy to define these permissions and attach it to your user. This appendix explains each permission and the resources it applies to, but feel free to skip to the sample policy template at the end, which you can use and modify for your own account.
# IAM
The following permissions all apply to the role `litexa_handler_lambda`.
- AttachRolePolicy
- CreateRole
- GetRole
- ListAttachedRolePolicies
- PassRole
# Lambda
The following permissions all apply to the Lambda function name structure `*_*_litexa_handler`, where `*` is a wildcard.
- AddPermission
- CreateAlias
- CreateFunction
- GetAlias
- GetFunctionConfiguration
- GetPolicy
- ListAliases
- RemovePermission
- UpdateFunctionCode
- UpdateFunctionConfiguration
# DynamoDB
The following permissions all apply to the DynamoDB table name structure `*_*_litexa_handler_state`, where `*` is a wildcard.
- CreateTable
- DescribeTable
# S3
This permission automatically applies to all resources.
- ListAllMyBuckets
The following permissions apply to the S3 bucket defined in the `s3Configuration.bucketName` field in your litexa.config.js/json/ts/coffee file.
- CreateBucket
- ListBucket
The following permissions apply to all objects in the S3 bucket defined in the `s3Configuration.bucketName` field in your litexa.config.js/json/ts/coffee file.
- PutObject
- PutObjectAcl
# CloudWatch Logs
This permission applies to all CloudWatch log groups.
- DescribeLogGroups
This permission automatically applies to all resources.
- CreateLogGroup
These permissions apply to CloudWatch log streams with the log group name structure `*_*_litexa_handler`, where `*` is a wildcard.
- DescribeLogStreams
- PutRetentionPolicy
This permission requires the above log group resource, with wildcards in both the log stream and log stream name sections of the ARN.
- GetLogEvents
# Minimum Permissions
Any resources with wildcards (`*`) can be replaced by the specific ARN, but the wildcards are practical for creating multiple Litexa projects in the same AWS account.
# Sample Policy Document
Remember to replace `myAccountId` and `myBucketName` with your AWS account ID number and S3 bucket name, respectively.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMRole",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::myAccountId:role/litexa_handler_lambda"
    },
    {
      "Sid": "Lambda",
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateAlias",
        "lambda:CreateFunction",
        "lambda:GetAlias",
        "lambda:GetFunctionConfiguration",
        "lambda:GetPolicy",
        "lambda:ListAliases",
        "lambda:RemovePermission",
        "lambda:UpdateFunctionConfiguration",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": "arn:aws:lambda:*:myAccountId:function:*_*_litexa_handler"
    },
    {
      "Sid": "DynamoDB",
      "Effect": "Allow",
      "Action": [
        "dynamodb:CreateTable",
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:*:myAccountId:table/*_*_litexa_handler_state"
    },
    {
      "Sid": "CreateLogGroupListS3Buckets",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::myBucketName"
    },
    {
      "Sid": "S3BucketObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::myBucketName/*"
    },
    {
      "Sid": "DescribeLogGroups",
      "Effect": "Allow",
      "Action": "logs:DescribeLogGroups",
      "Resource": "arn:aws:logs:*:myAccountId:log-group:*"
    },
    {
      "Sid": "LogStreamActions",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:PutRetentionPolicy"
      ],
      "Resource": "arn:aws:logs:*:myAccountId:log-group:/aws/lambda/*_*_litexa_handler:log-stream:"
    },
    {
      "Sid": "GetLogEvents",
      "Effect": "Allow",
      "Action": "logs:GetLogEvents",
      "Resource": "arn:aws:logs:*:myAccountId:log-group:/aws/lambda/*_*_litexa_handler:*:*"
    }
  ]
}
```
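As an added example (not part of the Litexa documentation or tooling), the script below fills in the `myAccountId` and `myBucketName` placeholders of a policy template and then audits the result against the scoping this appendix describes: only `logs:CreateLogGroup` and `s3:ListAllMyBuckets` are meant to be granted on `Resource: "*"`, and no action should be a wildcard. The embedded template is a constructed, reduced copy of the sample policy with one deliberately over-broad statement (`TooBroad`, hypothetical) so the check has something to report.

```python
import json
import re

# Actions the appendix says apply to all resources; anything else on "*" is a finding.
GLOBAL_ACTIONS = {"logs:CreateLogGroup", "s3:ListAllMyBuckets"}

# Constructed sample: two statements as on the page plus one hypothetical
# over-broad statement that the audit should flag.
POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMRole", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::myAccountId:role/litexa_handler_lambda"},
        {"Sid": "CreateLogGroupListS3Buckets", "Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "*"},
    ],
}


def render_policy(template, account_id, bucket_name):
    """Replace the page's placeholders; an AWS account ID is exactly 12 digits."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    text = json.dumps(template)
    text = text.replace("myAccountId", account_id).replace("myBucketName", bucket_name)
    return json.loads(text)


def _as_list(value):
    # IAM allows "Action" and "Resource" to be a single string or a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (Sid, action) pairs that are broader than the appendix requires:
    a wildcard action, or a non-global action granted on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if action.endswith("*") or ("*" in resources and action not in GLOBAL_ACTIONS):
                findings.append((stmt["Sid"], action))
    return findings


if __name__ == "__main__":
    rendered = render_policy(POLICY_TEMPLATE, "123456789012", "example-bucket")
    for sid, action in audit_policy(rendered):
        print(f"{sid}: {action} is broader than the appendix requires")
```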