Thanks for this helpful article! It is shameful that ServerIess Framework officially suggests using the AdministratorAccess policy.
Your policies may have worked at the time, but I needed to make some modifications to get this working today:
* Made the S3 bucket prefix sampleproject-* as Serverless provides a unique identifier.
* Removed OPTIONS and HEAD from the API Gateway permissions, which no longer seem to be valid.
* restapis -> apis
* Added iam:CreateRole, iam:DeleteRole, iam:DeleteRolePolicy, iam:GetRole, and iam:PutRolePolicy to the CloudFormation policy.
* Removed the dangling comma on line 37 of the CloudFormation policy.