The Serverless Application Model (SAM) is a transformation that turns abstracted resources such as AWS::Serverless::Function into vanilla CloudFormation; it does not provide any new capabilities. What is happening here is that SAM creates a broader permission than you need: instead of letting only your bucket invoke the function, the generated AWS::Lambda::Permission lets any S3 bucket in your account invoke it, violating the best practice of least privilege. You can see the details in the SAM translator here: https://github.com/awslabs/serverless-application-model/blob/master/samtranslator/model/eventsources/push.py#L197
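As an added illustration (not code from SAM or from the post above), the script below audits a post-transform CloudFormation template for Lambda permissions that grant a service principal invoke rights without pinning a SourceArn. The embedded template is constructed: `UploadHandlerS3Permission` approximates the account-wide grant described above (Principal s3.amazonaws.com scoped only by SourceAccount), and `UploadHandlerScopedPermission` is the hand-written, least-privilege alternative that also pins the bucket ARN. Resource names, the `UploadBucket` parameter and the template itself are assumptions for the example.

```python
"""Flag over-broad service-principal invoke permissions in a CloudFormation template.

Added example, not SAM's own code. A Lambda permission whose Principal is a
service (for example s3.amazonaws.com) and that carries no SourceArn can be
exercised by any resource of that service: by any bucket in the account when
SourceAccount is set, and by any bucket in any account when it is not.
"""

# Constructed sample of a template after the SAM transform has run (not real
# SAM output; logical IDs and the UploadBucket parameter are assumptions).
TEMPLATE = {
    "Parameters": {"UploadBucket": {"Type": "String"}},
    "Resources": {
        "UploadHandler": {"Type": "AWS::Lambda::Function", "Properties": {}},
        # Roughly what SAM emits for an S3 event source: account-wide grant.
        "UploadHandlerS3Permission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "UploadHandler"},
                "Principal": "s3.amazonaws.com",
                "SourceAccount": {"Ref": "AWS::AccountId"},
            },
        },
        # Hand-written least-privilege version: one bucket, one account.
        "UploadHandlerScopedPermission": {
            "Type": "AWS::Lambda::Permission",
            "Properties": {
                "Action": "lambda:InvokeFunction",
                "FunctionName": {"Ref": "UploadHandler"},
                "Principal": "s3.amazonaws.com",
                "SourceAccount": {"Ref": "AWS::AccountId"},
                "SourceArn": {"Fn::Sub": "arn:${AWS::Partition}:s3:::${UploadBucket}"},
            },
        },
    },
}


def find_broad_invoke_permissions(template):
    """Return (logical_id, principal, scope) for every AWS::Lambda::Permission
    whose Principal is an AWS service and which has no SourceArn.

    scope is "account" when SourceAccount narrows the grant to the caller's
    account, otherwise "any account".
    """
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Lambda::Permission":
            continue
        props = res.get("Properties", {})
        principal = props.get("Principal", "")
        # IAM principals (account IDs, role ARNs) are scoped by identity already;
        # only service principals need SourceArn to pin the calling resource.
        if not isinstance(principal, str) or not principal.endswith(".amazonaws.com"):
            continue
        if "SourceArn" not in props:
            scope = "account" if "SourceAccount" in props else "any account"
            findings.append((logical_id, principal, scope))
    return findings


if __name__ == "__main__":
    for logical_id, principal, scope in find_broad_invoke_permissions(TEMPLATE):
        print(f"{logical_id}: {principal} may invoke from {scope} (no SourceArn)")
```

Run against the constructed template, the check reports only `UploadHandlerS3Permission`; the scoped permission passes because its SourceArn ties the grant to a single bucket. The same function works on any template you have already loaded into a dict (for example with `json.load` on the output of `sam build` or `aws cloudformation get-template`).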