Releases: aws/serverless-application-model
Make your apps more secure - SAM Policy Templates
Just when you thought we were still in an ice cave in Alaska, here is another amazing SAM feature to make your apps very secure:
Introducing Policy Templates
AWS Managed Policies are a simple mechanism to give your Lambda Function permission to access AWS resources. For example, AmazonDynamoDBFullAccess gives permission to access DynamoDB Tables. More precisely, this will give your function access to all DynamoDB APIs against all DynamoDB tables in all regions. This is excessively permissive when all that your function does is Read & Write values from one table.
SAM provides a tighter and more secure version of AWS Managed Policies called Policy Templates. These are a set of readily available policies that can be scoped to a specific resource in the same region where your stack exists. The following example gives your function CRUD access to just one table defined in your stack:
    MyFunction:
      Type: AWS::Serverless::Function
      Properties:
        ...
        Policies:
          # Give just CRUD permissions to one table
          - DynamoDBCrudPolicy:
              TableName: !Ref MyTable
        ...
    MyTable:
      Type: AWS::Serverless::SimpleTable
Check out https://github.com/awslabs/serverless-application-model/blob/master/docs/policy_templates.rst for more information
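To find functions that still rely on broad managed policies instead of Policy Templates, a template can be audited before deployment. The script below is an added example, not part of SAM or of these release notes; it assumes the template is in JSON form, and the function name `audit_function_policies` and the name-suffix heuristic are illustrative choices.

```python
import json

# Constructed sample SAM template in JSON form (SAM accepts JSON as well as YAML).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "BroadFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {"Policies": ["AmazonDynamoDBFullAccess"]}
    },
    "ScopedFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {"Policies": [{"DynamoDBCrudPolicy": {"TableName": {"Ref": "MyTable"}}}]}
    },
    "MyTable": {"Type": "AWS::Serverless::SimpleTable"}
  }
}
""")

def as_list(value):
    """SAM and IAM accept a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def audit_function_policies(template):
    """Return (function, policy, finding) tuples for over-broad function policies."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for pol in as_list(res.get("Properties", {}).get("Policies", [])):
            if isinstance(pol, str):
                # A bare string names an AWS managed policy; the suffix test is a heuristic.
                if pol.endswith(("FullAccess", "AdministratorAccess")):
                    findings.append((name, pol, "managed policy, not resource-scoped"))
            elif isinstance(pol, dict) and "Statement" in pol:
                # Inline IAM policy document: flag Allow statements with a bare wildcard.
                for st in as_list(pol["Statement"]):
                    wild = "*" in as_list(st.get("Action")) or "*" in as_list(st.get("Resource"))
                    if st.get("Effect") == "Allow" and wild:
                        findings.append((name, "inline", "wildcard Action or Resource"))
            # Single-key dicts such as DynamoDBCrudPolicy are Policy Templates: accepted.
    return findings

if __name__ == "__main__":
    for fn, pol, why in audit_function_policies(SAMPLE_TEMPLATE):
        print(f"{fn}: {pol} -> {why}")
```

A non-empty result can be used to fail a CI step so that broad policies are reviewed before the stack is deployed.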
Lots more to come.. Stay tuned! 📻
Globals, Safe Lambda Deployments, Lambda Versions & Aliases, Local Lambda execution 🐿
What's New?
In the last few months, we moved out of our cozy offices into an ice cave somewhere in Alaska to cut out from the noise and focus on one thing - innovate and deliver some awesome SAM features for you. If this GitHub page was quiet for a while, this is the reason. To break the silence, here are some amazing features we have just launched:
Safe Lambda Deployments
SAM integrates with AWS CodeDeploy to provide safe, gradual, traffic-shifting deployments for your Lambda functions. You can stop worrying and start pushing code to production with confidence!
    MyLambdaFunction:
      Type: AWS::Serverless::Function
      Properties:
        ...
        DeploymentPreference:
          Type: Canary10Percent10Minutes
Read more about Safe Lambda Deployments here
Lambda Versions & Aliases
SAM provides a dead simple way to publish new versions on every code push and use an Alias to point to the latest version. Just add the following property to Serverless::Function resource:
    AutoPublishAlias: live
The above property will create a new Alias called live, point all your event sources to the Alias, automatically publish a new Lambda Version every time you push new code, and point the Alias to the latest version. This can be used standalone, but the real power comes when you combine it with DeploymentPreference to gradually shift traffic from your old version to the new version, monitor Alarms, and trigger rollbacks if something goes wrong.
Read more about AutoPublishAlias here
Globals
You can now define all common properties of Serverless Function in one place and let every function inherit it. You can even override some properties or add additional values at the specific function level. The following example enables safe deployments for all your functions and environment variables that are shared with all the functions!
    Globals:
      Function:
        Runtime: nodejs6.10
        Timeout: 60
        Environment:
          Variables:
            DbConnection: mysql://somewhere
        AutoPublishAlias: live
        DeploymentPreference:
          Type: Canary10Percent10Minutes
    Resources:
      MyLambdaFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: index.handler
          Environment:
            Variables:
              TableName: mytable
Read more about Globals here
SAM Local CLI
Run Lambda functions locally on your computer by starting with a simple SAM template. This was launched a couple of months back but is still worth mentioning because it makes your life so much easier.
Installation:
    npm install -g aws-sam-local
Check out https://github.com/awslabs/aws-sam-local for how to use it.
More to come
Actually, this is just a start. We have a lot more features (spoiler alert: API Gateway logging, CORS, more..) coming out real soon
👩💻👨💻 => 🐿
AWS Serverless Application Model (AWS SAM) Now Supports AWS X-Ray
The AWS Serverless Application Model (AWS SAM) has introduced AWS X-Ray support. You can now configure the X-Ray tracing mode for your Lambda functions within your SAM template. X-Ray helps you analyze and debug distributed applications. With X-Ray, you can identify the root cause of performance issues and errors in your Lambda functions.
Read More here: https://aws.amazon.com/about-aws/whats-new/2017/06/aws-serverless-application-model-aws-sam-now-supports-x-ray/
AWS Serverless Application Model Supports Inline Swagger and AWS CloudFormation Intrinsic Functions
New set of super-powers for SAM. Read about it here: