What IAM policies were used for the AWS Transfer Family managed workflows video tutorial?

0

What IAM policies can be used to replicate the two demos in AWS Transfer Family Managed Workflows Demo | Amazon Web Services?

1 answer
0
Accepted answer

The following IAM policies can be used for the video demos' AWS Transfer Family workflow execution roles. For more information, read Construct an execution role for workflows, and create an IAM role with a trust policy for transfer.amazonaws.com.

Demo 1

This demo covers AWS Transfer Family copy and tag steps. The workflow copies an object to an archive bucket and tags the object. Copy requires reading from the source bucket, writing to the destination bucket, and HeadObject access. Tagging requires two actions since the S3 bucket has versioning enabled, and can be limited to a condition with the specific tag the workflow is applying. If doing this in your environment, ensure your IAM policy resources are set to the most restrictive for your workflow.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CopyRead",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectTagging"
            ],
            "Resource": "arn:${Partition}:s3:::${SourceBucketName}/${ObjectName}"
        },
        {
            "Sid": "CopyWrite",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:${Partition}:s3:::${DestinationBucketName}/${ObjectName}"
        },
        {
            "Sid": "CopyList",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:${Partition}:s3:::${SourceBucketName}",
                "arn:${Partition}:s3:::${DestinationBucketName}"
            ]
        },
        {
            "Sid": "Tag",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": "arn:${Partition}:s3:::${DestinationBucketName}/${ObjectName}",
            "Condition": {
                "StringEquals": {
                    "s3:RequestObjectTag/Archive": "yes"
                }
            }
        }
    ]
}

Demo 2

This demo covers AWS Transfer Family workflow custom and delete steps. The workflow invokes an AWS Lambda function, then deletes the S3 object, and has a custom step as an exception handler. It requires s3:DeleteObject access and lambda:InvokeFunction access for the two AWS Lambda functions. If doing this in your environment, ensure your IAM policy resources are set to the most restrictive for your workflow.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Delete",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject"
            ],
            "Resource": "arn:${Partition}:s3:::${BucketName}/${ObjectName}"
        },
        {
            "Sid": "Custom",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}",
                "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}"
            ]
        }
    ]
}
AWS
blayze
answered 2 years ago
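The answer twice reminds you to keep the policy resources as restrictive as the workflow allows. The script below is an added example (not code from the answer, nor an AWS tool) that reviews both demo policies offline for exactly that: it fills in the ${...} placeholders with constructed sample values (no real account, bucket or function names), then reports actions the named steps need but are not granted, granted actions no step needs, statements whose Resource is a bare wildcard, and which tag keys the s3:RequestObjectTag condition scopes the tagging grant to. The per-step action map is this example's own assumption, derived from the statements in the answer, not an AWS-published requirement list.

```python
"""Offline least-privilege review of AWS Transfer Family workflow execution roles.

Added example, not code from the re:Post answer or from AWS. It fills in the
${...} placeholders of the two demo policies with constructed values, then
checks: every action a step needs is granted, nothing beyond that is granted,
no Resource is a bare wildcard, and tagging is scoped by s3:RequestObjectTag.
"""
import fnmatch
import json
from string import Template

# Actions each workflow step needs, taken from the answer's own statements
# (copy = CopyRead/CopyWrite/CopyList, tag = Tag, delete = Delete, custom = Custom).
# Assumption of this example, not an AWS-published list.
STEP_ACTIONS = {
    "copy": {"s3:GetObject", "s3:GetObjectTagging", "s3:PutObject",
             "s3:PutObjectTagging", "s3:ListBucket"},
    "tag": {"s3:PutObjectTagging", "s3:PutObjectVersionTagging"},
    "delete": {"s3:DeleteObject"},
    "custom": {"lambda:InvokeFunction"},
}

# Constructed sample values for the placeholders; not real accounts or buckets.
SAMPLE_VARS = {
    "Partition": "aws", "Region": "us-east-1", "Account": "123456789012",
    "SourceBucketName": "demo-sftp-inbound", "DestinationBucketName": "demo-archive",
    "BucketName": "demo-sftp-inbound", "ObjectName": "*", "FunctionName": "demo-step",
}

# The answer's Demo 1 policy (copy + tag steps), compacted, placeholders intact.
DEMO1 = """{"Version":"2012-10-17","Statement":[
 {"Sid":"CopyRead","Effect":"Allow","Action":["s3:GetObject","s3:GetObjectTagging"],
  "Resource":"arn:${Partition}:s3:::${SourceBucketName}/${ObjectName}"},
 {"Sid":"CopyWrite","Effect":"Allow","Action":["s3:PutObject","s3:PutObjectTagging"],
  "Resource":"arn:${Partition}:s3:::${DestinationBucketName}/${ObjectName}"},
 {"Sid":"CopyList","Effect":"Allow","Action":"s3:ListBucket","Resource":[
  "arn:${Partition}:s3:::${SourceBucketName}","arn:${Partition}:s3:::${DestinationBucketName}"]},
 {"Sid":"Tag","Effect":"Allow","Action":["s3:PutObjectTagging","s3:PutObjectVersionTagging"],
  "Resource":"arn:${Partition}:s3:::${DestinationBucketName}/${ObjectName}",
  "Condition":{"StringEquals":{"s3:RequestObjectTag/Archive":"yes"}}}]}"""

# The answer's Demo 2 policy (custom + delete steps), compacted.
DEMO2 = """{"Version":"2012-10-17","Statement":[
 {"Sid":"Delete","Effect":"Allow","Action":["s3:DeleteObject"],
  "Resource":"arn:${Partition}:s3:::${BucketName}/${ObjectName}"},
 {"Sid":"Custom","Effect":"Allow","Action":["lambda:InvokeFunction"],"Resource":[
  "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}",
  "arn:${Partition}:lambda:${Region}:${Account}:function:${FunctionName}"]}]}"""


def render_policy(template_text, variables=SAMPLE_VARS):
    """Substitute ${Name} placeholders, then parse the policy as JSON."""
    return json.loads(Template(template_text).substitute(variables))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Actions granted by Allow statements (Deny statements are not subtracted)."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"])}


def missing_actions(policy, steps):
    """Actions the listed steps need that no granted action (or wildcard) covers."""
    needed = set().union(*(STEP_ACTIONS[s] for s in steps))
    granted = granted_actions(policy)
    return {a for a in needed if not any(fnmatch.fnmatchcase(a, g) for g in granted)}


def excess_actions(policy, steps):
    """Granted actions no listed step needs: candidates to remove for least privilege."""
    needed = set().union(*(STEP_ACTIONS[s] for s in steps))
    return granted_actions(policy) - needed


def wildcard_resource_sids(policy):
    """Sids whose Resource is '*' or whose last ARN field starts with '*' (every bucket/function)."""
    flagged = []
    for s in policy["Statement"]:
        for r in _as_list(s.get("Resource", [])):
            if r == "*" or r.split(":")[-1].startswith("*"):
                flagged.append(s.get("Sid", "<no Sid>"))
                break
    return flagged


def tag_condition_keys(policy):
    """Tag keys that s3:RequestObjectTag/<key> conditions restrict tagging to."""
    keys = set()
    for s in policy["Statement"]:
        for operand in s.get("Condition", {}).values():
            for ckey in operand:
                if ckey.lower().startswith("s3:requestobjecttag/"):
                    keys.add(ckey.split("/", 1)[1])
    return keys


def review(template_text, steps):
    """Run all checks for one demo policy and return the findings as a dict."""
    policy = render_policy(template_text)
    return {"missing": missing_actions(policy, steps),
            "excess": excess_actions(policy, steps),
            "wildcard_sids": wildcard_resource_sids(policy),
            "tag_keys": tag_condition_keys(policy)}


if __name__ == "__main__":
    print("Demo 1:", review(DEMO1, ["copy", "tag"]))
    print("Demo 2:", review(DEMO2, ["custom", "delete"]))
```

Both demo policies come out clean under these checks (nothing missing, nothing in excess, no wildcard resources, and Demo 1 tagging scoped to the Archive key). The same functions flag an over-broad policy such as `"Action": "s3:*", "Resource": "*"` as both wildcard-scoped and over-granted, which is the shape to look for before attaching a role to a Transfer Family workflow.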
