#List of all available safeguards

The following policies are included and configurable in the Serverless Framework Dashboard.

#No "*" in IAM Role statements

ID: no-wild-iam-role-statements

This policy performs a simple check to prevent "*" permissions being used in AWS IAM Roles by checking for wildcards on Actions and Resources in grant statements.


Update the custom IAM Roles in the serverless.yml to remove IAM Role Statements which grant access to "*" on Actions and Resources. If a plugin generates IAM Role Statements, follow the instructions provided by the plugin developer to mitigate the issue.

#No clear-text credentials in environment variables

ID: no-secret-env-vars

Ensures that the environment variables configured on the AWS Lambda functions do not contain environment variables values which follow patterns of common credential formats.


Resolving this issue requires that the AWS Lambda function environment variables do not contain any plain-text credentials; however, your functions may still require those credentials to be passed in by other means.

There are two recommended alternatives of passing in credentials to your AWS Lambda functions:

#Ensure Dead Letter Queues are attached to functions

ID: require-dlq

Ensures all functions with any of the events listed below, or functions with zero events, have an attached Dead Letter Queue.


  • s3
  • sns
  • alexaSkill
  • iot
  • cloudwachEvent
  • cloudwatchLog
  • cognitoUserPool
  • alexaHomeSkill


Configure the Dead Letter Queue with SNS or SQS for all the functions which require the DLQ to be configured.

#Allowed Runtimes

ID: allowed-runtimes

This limits the runtimes that can be used in services. It is configurable with a list of allowed runtimes or a regular expression.

- nodejs8.10
- python3.7
# or:


Ensure you are using a runtime that is in the list of allowed runtimes or matches the regex of allowed runtimes.

#Allowed stages

ID: allowed-stages

This limits the stages that can be used in services. It is configurable with a list of allowed stages or a regular expression.

- prod
- dev
# or:


Ensure you are using a runtime that is in the list of allowed stages or matches the regex of allowed stages.

#Framework Version

ID: framework-version

This policy limits which versions of the Serverless Framework can be used. It is configured with a semver expression.

>=1.44.0 <2.0.0


Install an allowed version of the framework: npm i -g serverless@$ALLOWED_VERSION

#Require Cloudformation Deployment Role

ID: require-cfn-role

This rule requires you to specify the cfnRole option in your serverless.yml. It has no configuration options.


Add cfnRole to your serverless.yml.

#Required stack tags

ID: required-stack-tags

This rule requires you to specify certain tags in the stackTags option in your serverless.yml. It is configured with a mapping of keys to regex's. All the keys must be present and value must match the regex.

someTagName: '.*'

#Require Global VPC

ID: require-global-vpc

This rule requires all your functions to be configured with a VPC. By default they are required to have at least two subnet IDs to allow for AZ failover. It is configurable with a minNumSubnets option:

minNumSubnets: 1 # if you don't want to require 2 and AZ support


Add a global VPC configuration to your config: https://serverless.com/framework/docs/providers/aws/guide/functions/#vpc-configuration

#Allowed function names

ID: allowed-function-names

This rule allows you enforce naming conventions functions deployed to AWS lambda. It is configured with a regular expression. It features one extra addition: variables for stage, service and function(the key in the serverless yaml) names. See below for some examples.

Require using Serverless's standard naming scheme:


Or, if you want custom names with stage first and underscores instead of dashes:



Use the name: config option on the function object to customize the deployed function name to match the regex: https://serverless.com/framework/docs/providers/aws/guide/functions/#configuration

#Require Description

ID: require-description

This rule requires that all functions have a description of minimum or maximum length. By default it requires a minimum length of 30 and the lambda maximum of 256. Both these values are configurable however. Here is a config that requires a slightly longer config but doesn't allow as long a maximum:

minLength: 50
maxLength: 100


Add a function description to all your lambdas that is with in the minimum and maximum required lengths.

#Allowed Regions

ID: allowed-regions

This rule allows you to restrict the regions to which a service may be deployed. It is configured with a list of regions:

# eg, us-east-1 and us-west-2 only
- us-east-1
- us-west-2

#Restricted deploy times

ID: restricted-deploy-times

This policy blocks deploys at certain times. It is configured with a list of objects containing a time, duration and optional interval.

# no deploy specific holidays, eg Rosh Hashanah 2019
- time: 2019-09-29T18:20 # ISO8601 date or datetime
  duration: P2D30M # IS8601 duration
# no deploy a specific day but repeating, eg all future Christmases
- time: 2019-12-25
  duration: P1D
  interval: P1Y
# no deploy fri noon - monday 6AM
- time: 2019-03-08T12:00:00
  duration: P2D18H
  interval: P1W

If you only need to specify one interval you can also directly use that object, eg:

# no deployments on friday, saturday, sunday
time: 2019-03-08
duration: P3D
interval: P1W


Wait! You're not supposed to be deploying!

#Forbid S3 HTTP Access

ID: forbid-s3-http-access

This policy requires that you have a BucketPolicy forbidding access over HTTP for each bucket. There are no configuration options.


For a bucket without a name such as the ServerlessDeploymentBucket ensure that the resources section of your serverless yaml contains a policy like the following using Refs. If using a different bucket, update the logical name in the Ref.

      Type: 'AWS::S3::BucketPolicy'
        Bucket: { Ref: ServerlessDeploymentBucket }
            - Action: 's3:*'
              Effect: 'Deny'
              Principal: '*'
                  - ''
                  - - 'arn:aws:s3:::'
                    - Ref: ServerlessDeploymentBucket
                    - '/*'
                  aws:SecureTransport: false

If using a bucket with a name, say configured in the custom section of your config, use a policy like this:

      Type: 'AWS::S3::BucketPolicy'
        Bucket: ${self:custom.bucketName}
            - Action: 's3:*'
              Effect: 'Deny'
              Principal: '*'
              Resource: 'arn:aws:s3:::${self:custom.bucketName}/*'
                  aws:SecureTransport: false

Have questions?

Head over to the forums to search for your questions and issues or post a new one.