My customer wants to create a private access between a Lambda function and Amazon S3.
Therefore we set up:
- Lambda inside a VPC
- VPC Endpoint for Amazon S3
- S3 bucket with Policy
I already tested it. Everything works fine until I add a filtered policy to the endpoint.
What can we add as a principal to filter access via VPC Endpoint for a Lambda only?
Policies:
What works
(If we add this VPCE Policy, then the Lambda can access S3):
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
What doesn't work
(If we add this VPC Endpoint Policy, then the Lambda gets an AccessDenied):
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "AROA4JHTAY7WBFYZGH4QV",  # ID of the used Lambda role
          "123456789012"            # Account Id
        ]
      },
      "PrincipalGroup": {
        "AWS": "svc:lambda.amazonaws.com"  # Lambda service whitelisted itself
      },
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}