My current S3 bucket policy enables s3:getObject and s3:putObject globally and I am trying to restrict that by specifying a bucket policy. While s3:getObject is safe, I would like to restrict access to s3:putObject only to a particular AWS Lambda function.
The function gets triggered anonymously via an HTTP request to CloudFront, so there is no AWS user involved.
How to restrict the access via the Lambda's ARN identifier?
Current policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:getObject",
            "Resource": "arn:aws:s3:::{bucket_name}/*"
        },
        {
            "Sid": "LambdaPutObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:putObject",
            "Resource": "arn:aws:s3:::{bucket_name}/*"
        }
    ]
}
Actually, all that was required was to create an access policy for Lambda. There are predefined ones, like lambda_basic_execution.
The role config can be found in the AWS console inside:
Lambda > Functions > {name} > Roles
IAM > Roles
Here is a specific config that helped me:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::{bucket_name}/*"
        }
    ]
}
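Added example, not part of either post: a small check that flags bucket-policy statements granting write actions to an anonymous principal, which is exactly what the original LambdaPutObject statement did. The bucket name example-bucket is a placeholder, and the hardened policy assumes the bucket and the function live in the same AWS account, so the execution role's s3:PutObject grant needs no matching bucket-policy statement.

```python
import json

# Write-class S3 actions that should never be granted to an anonymous principal.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:*", "*"}

# The bucket policy from the question, with a placeholder bucket name (constructed sample).
CURRENT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:getObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "LambdaPutObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:putObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

# Hardened bucket policy: public read only. PutObject is granted on the Lambda execution role instead.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_write_statements(policy_json):
    """Return Sids of Allow statements that grant write actions to everyone.
    Action names are compared case-insensitively, as IAM evaluates them."""
    hits = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits
```

Running the check over the question's policy returns ['LambdaPutObject']; over the hardened one it returns an empty list.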