Relax S3 Put, restrict S3 Get permissions

I learned that an S3 bucket can have only one policy. This application expects to be the primary receiver for a particular domain, configured with its own bucket. As a result, I updated the s3:PutObject policy to allow access to the root of the bucket. At the same time, SAM generates an IAM role for the Lambda function that has its own access policies. Looking at the permissions for S3ReadPolicy, and knowing what I know now, they seemed too generous: - https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-policy-template-list.html#s3-read-policy This commit replaces the S3ReadPolicy with a custom policy only allowing s3:GetObject access to the bucket.
mbland · Apr 28, 2023 · 0826e09 · 0826e09
1 parent 38aabd2
commit 0826e09
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/template.yaml b/template.yaml
@@ -28,8 +28,12 @@ Resources:
       Runtime: go1.x
       Policies:
         - AWSLambdaBasicExecutionRole
-        - S3ReadPolicy:
-            BucketName: !Ref BucketName
+        - Statement:
+            Sid: S3GetObjectPolicy
+            Effect: Allow
+            Action:
+              - "s3:GetObject"
+            Resource: !Sub "arn:${AWS::Partition}:s3:::${BucketName}/*"
         - Statement:
             Sid: SESSendEmailPolicy
             Effect: Allow
@@ -63,7 +67,7 @@ Resources:
               Service: ses.amazonaws.com
             Action:
               - "s3:PutObject"
-            Resource: !Sub "arn:${AWS::Partition}:s3:::${BucketName}/${IncomingPrefix}/*"
+            Resource: !Sub "arn:${AWS::Partition}:s3:::${BucketName}/*"
             Condition:
               ArnEquals:
                 "AWS:SourceArn": !Sub "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:receipt-rule-set/${ReceiptRuleSetName}:receipt-rule/${AWS::StackName}"