--- title: Serverless function without unique IAM role description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Serverless function without unique IAM role --- # Serverless function without unique IAM role {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-serverless-function-without-unique-iam-role` **Provider:** AWS **Platform:** CloudFormation **Severity:** High **Category:** Insecure Configurations #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-role) ### Description{% #description %} Sharing an IAM execution role across multiple AWS Serverless functions increases blast radius and can give unrelated functions identical privileges, making privilege escalation or lateral movement easier if one function is compromised. For `AWS::Serverless::Function` resources, the `Properties.Role` value must be unique for each function and should reference a function-specific IAM role ARN. This rule flags `Resources..Properties.Role` when the same `Role` value is assigned to more than one `AWS::Serverless::Function`. Fix this by defining a distinct `AWS::IAM::Role` per function (or omitting `Role` to let AWS SAM create unique roles) and applying least-privilege policies to each role. Secure configuration with distinct roles: ```yaml MyFunctionRole1: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: MyFunction1Policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: "*" MyFunction1: Type: AWS::Serverless::Function Properties: Role: !GetAtt MyFunctionRole1.Arn Handler: index.handler Runtime: nodejs14.x MyFunctionRole2: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole Policies: - PolicyName: MyFunction2Policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - dynamodb:GetItem Resource: arn:aws:dynamodb:us-east-1:123456789012:table/MyTable MyFunction2: Type: AWS::Serverless::Function Properties: Role: !GetAtt MyFunctionRole2.Arn Handler: index.handler Runtime: nodejs14.x ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition Resources: Function3: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: arn:aws:iam::123456789012:role/lambda-role ``` ```yaml AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition Resources: Function1: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: !Ref Role2 Function2: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: !Ref Role4 ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition Resources: Function1: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: arn:aws:iam::123456789012:role/lambda-role Function2: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: arn:aws:iam::123456789012:role/lambda-role ``` ```yaml AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: AWS SAM template with a simple API definition Resources: Function1: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: !Ref Role Function2: Type: AWS::Serverless::Function Properties: PackageType: Image ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name ImageConfig: Command: - "app.lambda_handler" EntryPoint: - "entrypoint1" WorkingDirectory: "workDir" Tags: - Key: Type Value: AWS Serverless Function Role: !Ref Role ```