1
votes

I'm working with my IT team to restrict my user account (under a root account) so that it doesn't have access to S3 buckets I don't want access to. When enabling the AWSLambdaFullAccess policy, it enables full access to a lot of AWS features, including all of S3. Here is the AWSLambdaFullAccess policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "s3:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    }
  ]
}

Most of that is fine. How would I alter this as a new policy so that I only have access to the "arn:aws:s3:::lambda-scripts" bucket?


2 Answers

4
votes

The most direct edit I can think of would involve removing the "s3:*" action from the statement you have, and adding a second statement that grants S3 access to just that bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3LambdaScripts",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::lambda-scripts*"
      ]
    }
  ]
}

A better answer is that you really should not use the predefined AWSLambdaFullAccess permission. Instead, build your own using multiple statements targeting the services and resources you really need. For example, are you really using Dynamo, Kinesis, Cognito, etc? Yes, it's tedious. But if you save the smaller increments as user-defined policies in IAM, it gets easier to piece together a reasonable policy from custom and predefined stuff.

0
votes

Split the S3 permissions into separate statements, and modify the resource setting for those statements. Something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*",
        "cognito-identity:ListIdentityPools",
        "cognito-sync:GetCognitoEvents",
        "cognito-sync:SetCognitoEvents",
        "dynamodb:*",
        "events:*",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kinesis:PutRecord",
        "lambda:*",
        "logs:*",
        "sns:ListSubscriptions",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
  ]
}
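As an added example that is not part of either answer (and not AWS code), the following Python script models the part of IAM evaluation both answers rely on: implicit deny unless some Allow statement matches the action (case-insensitive, `*`/`?` wildcards) and the resource ARN (case-sensitive, same wildcards), with an explicit Deny overriding. It assumes the second answer's policy layout with the non-S3 statement trimmed to three actions, plus constructed bucket names (`lambda-scripts-backup`, `payroll-data`), a constructed object key, and a placeholder account id in the Lambda ARN. Conditions, `NotAction`/`NotResource`, and resource-based policies are deliberately not modelled.

```python
"""Simplified IAM policy evaluator (added example; not AWS's evaluator)."""
import json
import re

# Constructed policy following the second answer's layout. The non-S3
# statement is trimmed to three actions to keep the example short.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["lambda:*", "logs:*", "iam:PassRole"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::lambda-scripts"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::lambda-scripts/*"
    }
  ]
}
""")

# Constructed ARNs used to compare the two answers' resource styles.
SAMPLE_ARNS = [
    "arn:aws:s3:::lambda-scripts",                # the bucket itself
    "arn:aws:s3:::lambda-scripts/handler.zip",    # an object in it
    "arn:aws:s3:::lambda-scripts-backup",         # a different bucket sharing the prefix
    "arn:aws:s3:::payroll-data/q1.csv",           # unrelated bucket
]


def _glob_to_regex(pattern: str, ignore_case: bool) -> "re.Pattern":
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    # Action/Resource may be a single string or a list in policy JSON.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Return True only if an Allow matches and no matching Deny exists."""
    decision = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if not any(_glob_to_regex(a, True).match(action) for a in actions):
            continue
        if not any(_glob_to_regex(r, False).match(resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        decision = True
    return decision


def resources_matched_by(pattern: str, candidates):
    """List which candidate ARNs a Resource pattern would cover."""
    rx = _glob_to_regex(pattern, False)
    return [c for c in candidates if rx.match(c)]


if __name__ == "__main__":
    checks = [
        ("s3:ListBucket", "arn:aws:s3:::lambda-scripts"),
        ("s3:GetObject", "arn:aws:s3:::lambda-scripts/handler.zip"),
        ("s3:GetObject", "arn:aws:s3:::lambda-scripts"),  # object action on bucket ARN
        ("s3:GetObject", "arn:aws:s3:::payroll-data/q1.csv"),
        ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:123456789012:function:demo"),
    ]
    for action, resource in checks:
        verdict = "ALLOW" if is_allowed(LEAST_PRIVILEGE_POLICY, action, resource) else "DENY"
        print(f"{verdict:5} {action} on {resource}")
    print("first answer's 'lambda-scripts*' also covers:",
          resources_matched_by("arn:aws:s3:::lambda-scripts*", SAMPLE_ARNS))
```

Two things the script makes visible: the first answer's `arn:aws:s3:::lambda-scripts*` matches the bucket and its objects in one pattern, but it also matches any other bucket whose name begins with `lambda-scripts`; the second answer needs two S3 statements because `s3:ListBucket` is evaluated against the bucket ARN while `s3:GetObject`/`PutObject`/`DeleteObject` are evaluated against object ARNs (`bucket/*`), so a single resource string cannot cover both without a trailing wildcard. For the real thing, `aws iam simulate-custom-policy` and `aws iam simulate-principal-policy` run the same kind of check against AWS's actual evaluation logic before the policy is attached.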