Accessing S3 bucket from Lambda

1

Hi, I am trying to write to S3 bucket from a Lambda function after setting up the required permissions & roles but I am getting the below error:

"errorMessage": "An error occurred (AccessDenied) when calling the PutObject operation: Access Denied",

Below is my policy file and I have assigned the associated role in Lambda function execution role. Any pointers on what I am missing here, would be really helpful. Thanks.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "s3:PutAnalyticsConfiguration", "s3:PutAccessPointConfigurationForObjectLambda", "s3:GetObjectVersionTagging", "s3:DeleteAccessPoint", "s3:CreateBucket", "s3:DeleteAccessPointForObjectLambda", "s3:GetStorageLensConfigurationTagging", "s3:ReplicateObject", "s3:GetObjectAcl", "s3:GetBucketObjectLockConfiguration", "s3:DeleteBucketWebsite", "s3:GetIntelligentTieringConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObjectVersionAcl", "s3:DeleteObject", "s3:CreateMultiRegionAccessPoint", "s3:GetBucketPolicyStatus", "s3:GetObjectRetention", "s3:GetBucketWebsite", "s3:GetJobTagging", "s3:GetMultiRegionAccessPoint", "s3:PutReplicationConfiguration", "s3:GetObjectAttributes", "s3:PutObjectLegalHold", "s3:InitiateReplication", "s3:GetObjectLegalHold", "s3:GetBucketNotification", "s3:PutBucketCORS", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetReplicationConfiguration", "s3:PutObject", "s3:GetObject", "s3:PutBucketNotification", "s3:DescribeJob", "s3:PutBucketLogging", "s3:GetAnalyticsConfiguration", "s3:PutBucketObjectLockConfiguration", "s3:GetObjectVersionForReplication", "s3:GetAccessPointForObjectLambda", "s3:GetStorageLensDashboard", "s3:CreateAccessPoint", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:GetBucketTagging", "s3:PutAccelerateConfiguration", "s3:GetAccessPointPolicyForObjectLambda", "s3:DeleteObjectVersion", "s3:GetBucketLogging", "s3:RestoreObject", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionAttributes", "s3:GetBucketPolicy", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:GetObjectVersionTorrent", "s3:AbortMultipartUpload", "s3:GetBucketRequestPayment", "s3:GetAccessPointPolicyStatus", "s3:UpdateJobPriority", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetBucketOwnershipControls", "s3:DeleteBucket", "s3:PutBucketVersioning", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:PutIntelligentTieringConfiguration", "s3:GetMultiRegionAccessPointPolicy", "s3:GetAccessPointPolicyStatusForObjectLambda", "s3:PutMetricsConfiguration", "s3:PutBucketOwnershipControls", "s3:DeleteMultiRegionAccessPoint", "s3:UpdateJobStatus", "s3:GetBucketVersioning", "s3:GetBucketAcl", "s3:GetAccessPointConfigurationForObjectLambda", "s3:PutInventoryConfiguration", "s3:GetObjectTorrent", "s3:GetStorageLensConfiguration", "s3:DeleteStorageLensConfiguration", "s3:PutBucketWebsite", "s3:PutBucketRequestPayment", "s3:PutObjectRetention", "s3:CreateAccessPointForObjectLambda", "s3:GetBucketCORS", "s3:GetBucketLocation", "s3:GetAccessPointPolicy", "s3:ReplicateDelete", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::<my-bukcet-name>" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "s3:GetAccessPoint", "s3:GetAccountPublicAccessBlock", "s3:PutStorageLensConfiguration", "s3:CreateJob" ], "Resource": "*" } ] } Regards, dbeings

dbeing
asked 3 months ago66 views
1 Answer
1
Accepted Answer

Hi. To start, this seems like way too many permissions that your Lambda function does not need. At all.I would encourage you to remove 90% of the permissions that are set here.

With that said, assuming your policy does not actually read <my-bucket-name> in the resource, two things: For bucket level actions, having arn:aws:s3:::<bucket-name> is fine, but for objects, you need to indicate the path. For example, for all objects in the bucket, you would have arn:aws:s3:::<bucket-name>/*

Also note that if you are encrypting files in the bucket with a CMK (a KMS key that you created manually yourself, not the aws/s3 one), you need to provide the services (lambda, scripts etc.) also with access to that KMS key in order to manipulate the encryption of the files (encrypt or decrypt or both).

Hope this helps.

profile picture
answered 3 months ago
  • Thanks a lot. Adding object level permission to resource fixed this as below:

    "Resource": [ "arn:aws:s3:::<my-bucket-name>", "arn:aws:s3:::<my-bucket-name>/*" ]

    On broad level of permissions, these are auto-generated when I selected read and write permission on the console for Lambda access to S3. Thanks, will check on this.

    Regards, dbeing

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions