S3 Bucket Policy and Lambda Role


I have an S3 bucket named x-temp-images and a corresponding bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::x-temp-images-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceArn": "<LAMBDA_ARN>"
                }
            }
        }
    ]
}

I have two Lambda functions:

  • one with the desired ARN to access x-temp-images and
  • another Lambda function that I don't want to access the x-temp-images bucket.

I have given both Lambda functions full S3 access for testing purposes, while I don't want to specify in each Lambda function role whether they have access to specific S3 buckets or not. Despite this, both Lambda functions can access this bucket, even though I have mentioned only the ARN of the first Lambda function in the S3 bucket policy.

John Rotenstein On

The Condition you have specified in the policy will not work.

If you want to grant an AWS Lambda function permission to access an Amazon S3 bucket, you should grant permission in the IAM Role associated with the Lambda function.

By default, an IAM Role has no permissions. Therefore, no action is required for the IAM Role on the Lambda function that you do not want to access the S3 bucket.

For the Lambda function that you want to have access to the S3 bucket, add permission to its IAM Role.
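As an added example (not code from the question or the answer), this is the identity-based policy the answer describes, attached only to the execution role of the first function; it assumes the bucket is named x-temp-images as in the question and that the function only needs to read and list objects:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadTempImages",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::x-temp-images/*"
        },
        {
            "Sid": "ListTempImages",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::x-temp-images"
        }
    ]
}
```

The second function's role gets no S3 statement at all, and the "full S3 access" test policy must come off both roles, because that identity-based Allow is what let the second function in. The bucket-policy Deny keyed on aws:SourceArn can be removed: a Lambda function reads S3 with its execution role's credentials, not as the lambda.amazonaws.com service principal, so that condition never matches the request.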