diff --git a/pentesting-ci-cd/serverless.com-security.md b/pentesting-ci-cd/serverless.com-security.md index 908ebdee8..5d61c2b1c 100644 --- a/pentesting-ci-cd/serverless.com-security.md +++ b/pentesting-ci-cd/serverless.com-security.md @@ -241,12 +241,18 @@ functions: ```yaml provider: - iamRoleStatements: - - Effect: Allow - Action: - - dynamodb:Query - - dynamodb:Scan - Resource: arn:aws:dynamodb:${self:provider.region}:*:table/my-table + [...] + iam: + role: + statements: + - Effect: 'Allow' + Action: + - 'dynamodb:PutItem' + - 'dynamodb:Get*' + - 'dynamodb:Scan*' + - 'dynamodb:UpdateItem' + - 'dynamodb:DeleteItem' + Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} ``` @@ -535,18 +541,62 @@ resources: Overly permissive IAM roles can grant unauthorized access to cloud resources, leading to data breaches or resource manipulation. +When no permissions are specified for the a Lambda function, a role with permissions only to generate logs will be created, like: + +
+ +Minimum lambda permissions + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:TagResource" + ], + "Resource": [ + "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*" + ], + "Effect": "Allow" + }, + { + "Action": [ + "logs:PutLogEvents" + ], + "Resource": [ + "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*" + ], + "Effect": "Allow" + } + ] +} +``` + + + +
+ #### **Mitigation Strategies** * **Principle of Least Privilege:** Assign only necessary permissions to each function. ```yaml provider: - iamRoleStatements: - - Effect: Allow - Action: - - dynamodb:Query - - dynamodb:Scan - Resource: arn:aws:dynamodb:${self:provider.region}:*:table/my-table + [...] + iam: + role: + statements: + - Effect: 'Allow' + Action: + - 'dynamodb:PutItem' + - 'dynamodb:Get*' + - 'dynamodb:Scan*' + - 'dynamodb:UpdateItem' + - 'dynamodb:DeleteItem' + Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage} ``` * **Use Separate Roles:** Differentiate roles based on function requirements.
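Review bot: in the first hunk (@@ -241,12 +241,18 @@) the replacement statement is broader than the one it removes, which sits oddly under a least-privilege example: `- 'dynamodb:Get*'` and `- 'dynamodb:Scan*'` are action wildcards, and `PutItem`, `UpdateItem` and `DeleteItem` are added on top of the read-only `Query`/`Scan` the old snippet granted. Consider listing the exact actions the function needs (e.g. `dynamodb:GetItem`, `dynamodb:Query`) and dropping the wildcards, or add a sentence saying the wildcards are there to be narrowed per function. The `[...]` placeholder inside the `yaml` fence is also not valid YAML; a `# ...` comment line would keep the block copy-pasteable.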
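Review bot: in the second hunk (@@ -535,18 +541,62 @@) the new sentence has a typo, "for the a Lambda function" should read "for a Lambda function", and the log-group ARN in the JSON (`/aws/lambda/jito-cranker-scripts-dev*`) looks like it was pasted from a specific deployment; replacing it with a neutral name such as `/aws/lambda/<service>-<stage>*` keeps the example generic. The `iam.role.statements` YAML block is also an exact duplicate of the one added in the first hunk, so the same least-privilege concern (the `Get*`/`Scan*` wildcards) applies here; one copy with a cross-reference would be easier to keep in sync.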