Sharing one IAM execution role across multiple AWS Serverless functions increases the blast radius: unrelated functions end up with identical privileges, so a compromise of any one of them hands the attacker the union of permissions every function using that role needed, which makes privilege escalation and lateral movement easier. For AWS::Serverless::Function resources, the Properties.Role value must be unique to each function and should reference a function-specific IAM role ARN. This rule flags Resources.<name>.Properties.Role whenever the same Role value (a literal ARN or an intrinsic reference such as !Ref or !GetAtt) is assigned to more than one AWS::Serverless::Function. Fix this by defining a distinct AWS::IAM::Role per function (or omitting Role so that AWS SAM creates a unique role for each function) and attaching a least-privilege policy to each role.
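The check the rule performs, as an added illustration that is not Datadog's implementation: the template is taken as the dict a YAML loader returns (intrinsic functions in their long form), the Role of every AWS::Serverless::Function is normalised to a comparable key, and any key used by more than one function is reported. It goes slightly beyond the rule text by treating `Ref` to a role and `Fn::GetAtt` of that role's `Arn` as the same role, which is an assumption of mine; the sample template is constructed.

```python
from collections import defaultdict


def role_key(role):
    """Normalise a Role value so different spellings of one role compare equal.

    Assumption (mine, not the rule's): a Ref to a role resource and a
    GetAtt of its Arn name the same logical role, so they are folded.
    """
    if isinstance(role, str):
        return ("arn", role.strip())
    if isinstance(role, dict):
        if "Ref" in role:
            return ("resource", role["Ref"])
        getatt = role.get("Fn::GetAtt")
        if isinstance(getatt, list) and len(getatt) == 2 and getatt[1] == "Arn":
            return ("resource", getatt[0])
        if isinstance(getatt, str) and getatt.endswith(".Arn"):
            return ("resource", getatt[: -len(".Arn")])
    # Other intrinsics (Fn::Sub, Fn::ImportValue, ...) are compared literally.
    return ("other", repr(role))


def shared_roles(template):
    """Return {role_key: [logical ids]} for each role used by more than one
    AWS::Serverless::Function. Functions with no Role are skipped: SAM
    generates a unique execution role for each of them."""
    by_role = defaultdict(list)
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        role = resource.get("Properties", {}).get("Role")
        if role is not None:
            by_role[role_key(role)].append(logical_id)
    return {key: ids for key, ids in by_role.items() if len(ids) > 1}


# Constructed sample (the template as a YAML loader returns it, intrinsics
# in long form): Function1/2 share an ARN literal, Function3/4 share Role2.
_F = "AWS::Serverless::Function"
_ARN = "arn:aws:iam::123456789012:role/lambda-role"
SAMPLE_TEMPLATE = {"Resources": {
    "Function1": {"Type": _F, "Properties": {"Role": _ARN}},
    "Function2": {"Type": _F, "Properties": {"Role": _ARN}},
    "Function3": {"Type": _F, "Properties": {"Role": {"Ref": "Role2"}}},
    "Function4": {"Type": _F, "Properties": {"Role": {"Fn::GetAtt": ["Role2", "Arn"]}}},
    "Function5": {"Type": _F, "Properties": {}},  # SAM creates a unique role
}}
```

`shared_roles(SAMPLE_TEMPLATE)` reports Function1/Function2 (same ARN) and Function3/Function4 (same role via Ref and GetAtt), and nothing for Function5.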
Compliant Code Examples

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  # Compliant: this execution role ARN is used by exactly one function.
  Function3:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:  # SAM expects Tags on a function as a map, not a list
        Type: AWS Serverless Function
      Role: arn:aws:iam::123456789012:role/lambda-role
```

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
# Role2 and Role4 are AWS::IAM::Role resources defined elsewhere in the
# template (not shown here); Lambda's Role property needs the role ARN,
# which !GetAtt <Role>.Arn returns (!Ref would return only the role name).
Resources:
  # Compliant: each function references its own IAM role.
  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        Type: AWS Serverless Function
      Role: !GetAtt Role2.Arn
  Function2:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        Type: AWS Serverless Function
      Role: !GetAtt Role4.Arn
```
Non-Compliant Code Examples
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
Resources:
  # Non-compliant: Function1 and Function2 share the same literal role ARN.
  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:  # SAM expects Tags on a function as a map, not a list
        Type: AWS Serverless Function
      Role: arn:aws:iam::123456789012:role/lambda-role
  Function2:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        Type: AWS Serverless Function
      Role: arn:aws:iam::123456789012:role/lambda-role
```

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS SAM template with a simple API definition
# Role is an AWS::IAM::Role resource defined elsewhere in the template (not
# shown here); its ARN is obtained with !GetAtt Role.Arn.
Resources:
  # Non-compliant: both functions reference the same IAM role resource.
  Function1:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        Type: AWS Serverless Function
      Role: !GetAtt Role.Arn
  Function2:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
      ImageConfig:
        Command:
          - "app.lambda_handler"
        EntryPoint:
          - "entrypoint1"
        WorkingDirectory: "workDir"
      Tags:
        Type: AWS Serverless Function
      Role: !GetAtt Role.Arn
```
```yaml
rulesets:
  - CloudFormation / AWS # Rules to enforce / AWS.
```