Getting AWS Lambda access to private S3 resource

0
votes

We have been trying to crack an issue with resource permissions related to S3 and Lambda.

We have a root account which inturn has - Account A - Bucket owner Account B - Used to upload (through CORS) and give access to S3 images ROLE L - We have a lambda function which assigned this role with Full S3 access

The buckets have access policy like below -

{
"Version": "2012-10-17",
"Id": "Policyxxxxxxxxx",
"Statement": [
    {
        "Sid": "Stmt44444444444",
        "Effect": "Deny",
        "NotPrincipal": {
            "AWS": [
                "arn:aws:iam::xxxxxxxxxxxx:user/account-A",
                "arn:aws:iam::xxxxxxxxxxxx:role/role-L"
            ]
        },
        "Action": [
            "s3:*",
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/*"
        ]
    }
]

}

The issue - The lambda is able to access S3 resource only if object ACL is set to Public/read-only. But Lambda fails when the resource is set to 'private'.

Bucket policy just gives access to the bucket. Is there a way to give Role L read access to the resource?

1
amazon-s3aws-lambdaamazon-iam

1 Answers

2
votes

Objects stored in Amazon S3 buckets are private by default. There is no need to use a Deny policy unless you wish to override another policy that grants access to the content.

I would recommend:

  • Remove your Deny policy
  • Create an IAM Role for your AWS Lambda function and grant permission to access the S3 bucket within that role.

Feel free to add a Bucket Policy for normal use as appropriate, but that should not impact your Lambda function's access that is granted via the Role.