Commit
Relax S3 Put, restrict S3 Get permissions
I learned that an S3 bucket can have only one policy. This application expects to be the primary receiver for a particular domain, configured with its own bucket. As a result, I updated the s3:PutObject policy to allow access to the root of the bucket.

At the same time, SAM generates an IAM role for the Lambda function that has its own access policies. Looking at the permissions for S3ReadPolicy, and knowing what I know now, they seemed too generous:

- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-template-list.html#s3-read-policy

This commit replaces the S3ReadPolicy with a custom policy only allowing s3:GetObject access to the bucket.
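As an added illustration (not the project's own template), this is how the change described in the commit message looks in a SAM template: the S3ReadPolicy policy-template entry is replaced by an inline IAM statement limited to s3:GetObject on objects in the one bucket. The resource names, runtime and handler below are placeholders.

```yaml
# Added example, not the project's template. ReceiverBucket, ReceiverFunction,
# the runtime and the handler are placeholder values.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  ReceiverBucket:
    Type: AWS::S3::Bucket

  ReceiverFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: app.handler
      CodeUri: src/
      Policies:
        # Before: the SAM policy template. It grants more than a single-object
        # read (see the linked policy template list for its full action set).
        # - S3ReadPolicy:
        #     BucketName: !Ref ReceiverBucket
        #
        # After: an inline IAM document scoped to one action on the objects
        # of this one bucket. The generated role gets nothing else for S3.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: s3:GetObject
              Resource: !Sub 'arn:aws:s3:::${ReceiverBucket}/*'
```

After deploying, the effective permissions can be confirmed by inspecting the role SAM generated for the function (its inline policy should list only s3:GetObject on that bucket's object ARN).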