twilio-labs / socless

The SOCless automation framework


Lambda Function IAM QoL Improvements

pc-nolson opened this issue · comments

Currently IAM for lambda functions is done via serverless role/policy creation in serverless.yaml.

Would be a huge QoL improvement to simplify the creation of lambda roles for easier adherence to principle of least privilege.

This could be done by including a number of default lambda roles (e.g. if lambda layers are used, they always require lambda:getLayerVersion) with a fill-in-the-blanks section for the ARN of the resource as necessary.

Alternatively, a quick(ish) IAM win would be to include the creation of a policy and role for the tutorial in serverless.yaml.

Possibly related, I haven't deployed, but my understanding from the code is that a number of IAM policies are being attached to the lambda role from:

- arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess

Those policies are likely very over-privileged for the needs of the lambdas and would benefit from being scoped down to more restrictive custom policies.

@0xdabbad00 This is essentially what spawned the initial issue.

We can edit policies via serverless.yaml in essentially the same manner as with a cloudformation template, but the current tutorial/defaults are, like you mentioned, in need of a more restrictive scope.

One method I use with my cloudformation policies is to create baseline policies for common-use items (Lambda Layers, Cloudwatch logging, etc.) that don't require as much care when restricting via resource ARN. Makes it easy to dump into custom roles when most of the functionality already exists to be placed in a role via a managed policy. I'll see about pushing this in a PR once I'm a little further along.
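The pattern described in this thread (a reusable baseline managed policy for layers and logging, plus the broad AmazonAPIGatewayInvokeFullAccess attachment replaced by a statement scoped to one API), written out as a serverless.yml fragment. This is an added illustration, not code from the socless repository or from either commenter; it assumes Serverless Framework v3 syntax (`provider.iam.role`, the `${aws:region}` and `${aws:accountId}` variables), and `<API_ID>`, `<LAYER_NAME>` and the function name are placeholders to fill in.

```yaml
# Added example (not socless project code): contrasting the over-privileged
# managed policy with a baseline policy plus scoped, fill-in-the-ARN statements.
service: socless-example          # placeholder service name

provider:
  name: aws
  runtime: python3.9
  region: us-west-2               # placeholder region
  iam:
    role:
      # WEAK (what the issue describes): a broad AWS managed policy on the
      # shared Lambda role grants execute-api:Invoke on every API in the account.
      # managedPolicies:
      #   - arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess
      #
      # CORRECTED: reuse the baseline policy defined under resources, then add
      # only the function-specific permissions with explicit resource ARNs.
      managedPolicies:
        - Ref: LambdaBaselinePolicy   # Ref on AWS::IAM::ManagedPolicy yields its ARN
      statements:
        - Sid: InvokeOneApi
          Effect: Allow
          Action:
            - execute-api:Invoke
          # Fill in the blank: only the API, stage and method these functions call.
          Resource:
            - arn:aws:execute-api:${aws:region}:${aws:accountId}:<API_ID>/prod/POST/alerts

functions:
  sendAlert:                      # placeholder function
    handler: handler.send_alert
    layers:
      - arn:aws:lambda:${aws:region}:${aws:accountId}:layer:<LAYER_NAME>:1

resources:
  Resources:
    # Baseline permissions every function needs; low blast radius, so the
    # resource ARNs can be broad-ish patterns rather than one ARN per function.
    LambdaBaselinePolicy:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        Description: Baseline permissions shared by all functions in this service
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Sid: CloudWatchLogs
              Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:PutLogEvents
              Resource:
                # Only this service's log groups, not logs:* on "*"
                - arn:aws:logs:${aws:region}:${aws:accountId}:log-group:/aws/lambda/${self:service}-*:*
            - Sid: LayerAccess
              Effect: Allow
              Action:
                - lambda:GetLayerVersion
              Resource:
                # Any version of the one layer this service ships, nothing else
                - arn:aws:lambda:${aws:region}:${aws:accountId}:layer:<LAYER_NAME>:*
```

The baseline policy is the piece that can be dropped into any custom role unchanged, while the `statements` list is the per-service fill-in-the-blanks section. One check worth running after `serverless package`: grep the generated CloudFormation template in `.serverless/` for `"Resource": "*"` and for the `AmazonAPIGatewayInvokeFullAccess` ARN to confirm nothing broad slipped back in via a plugin or default.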