設定部分で山括弧（`<…>`）で囲まれているところは、それぞれ下表の値に書き換えてください。なお、Sid `dynamodb` の Resource に含まれる `arn:aws:events:…:rule/<サービス名>*` は DynamoDB の操作対象にはならないため、このステートメントでは不要です。
key | val |
---|---|
<サービス名> | serverless.ymlのserviceの値 |
<テーブルプレフィックス> | dynamoDBのテーブルプレフィックス |
<アカウントID> | 使用するアカウントのID(マイアカウント>アカウント設定>アカウントID) |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "cloudformation",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStackEvents",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:UpdateStack",
"cloudformation:DescribeStackResources",
"cloudformation:DescribeStackResource",
"cloudformation:DescribeStacks",
"cloudformation:ListStackResources"
],
"Resource": "arn:aws:cloudformation:ap-northeast-1:<アカウントID>:stack/<サービス名>*"
},
{
"Sid": "iam0",
"Effect": "Allow",
"Action": [
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "iam1",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::<アカウントID>:role/AppDynamoDBAccess"
},
{
"Sid": "s3",
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<サービス名>*"
},
{
"Sid": "cloudwatch",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy"
],
"Resource": "arn:aws:logs:ap-northeast-1:<アカウントID>:*"
},
{
"Sid": "cloudwatchevents",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:DescribeRule",
"events:DeleteRule",
"events:PutTargets",
"events:RemoveTargets"
],
"Resource": "arn:aws:events:ap-northeast-1:<アカウントID>:rule/<サービス名>*"
},
{
"Sid": "dynamodb",
"Effect": "Allow",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:CreateTable",
"dynamodb:DeleteTable"
],
"Resource": [
"arn:aws:events:ap-northeast-1:<アカウントID>:rule/<サービス名>*",
"arn:aws:dynamodb:ap-northeast-1:<アカウントID>:table/<テーブルプレフィックス>*"
]
},
{
"Sid": "apigateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:ap-northeast-1::/restapis*"
},
{
"Sid": "lambda",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:DeleteFunction",
"lambda:CreateFunction",
"lambda:GetFunctionConfiguration",
"lambda:ListVersionsByFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:PublishVersion",
"lambda:UpdateFunctionCode",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "arn:aws:lambda:ap-northeast-1:<アカウントID>:function:<サービス名>*"
}
]
}
AppDynamoDBAccess policy
Lambda に設定するロールのための、DynamoDB への読み書きを行うためのポリシー。Resource のテーブル名は `dressy*` と固定で記載されているため、上記の <テーブルプレフィックス> と同じ接頭辞に合わせて書き換えてください。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "dynamodb",
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:UpdateTimeToLive",
"dynamodb:BatchWriteItem",
"dynamodb:ConditionCheckItem",
"dynamodb:PutItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:DescribeTimeToLive"
],
"Resource": "arn:aws:dynamodb:ap-northeast-1:<アカウントID>:table/dressy*"
}
]
}