The Serverless Application Model (SAM) is a transformation that turns abstracted resources like AWS::Serverless::Function into vanilla CloudFormation; it does not provide any new capabilities. What is happening here is that SAM creates a broad permission — instead of letting the bucket invoke your function, it lets any S3 bucket in your account invoke your function, violating the best practice of least privilege. You can see the details in the SAM translator here:

Cloud Robotics Research Scientist at @iRobot

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store