The situation is:
A Lambda function is created using a SAM/CloudFormation template. A policy is attached to allow this function to access an existing bucket (in the same region). It looks something like this:
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    .....
    # Inline statements that SAM attaches to the function's execution role
    Policies:
      - Statement:
          - Effect: Allow
            Action:
              - "s3:ListBucket"
              - "s3:PutObject"
              - "s3:GetObject"
            Resource:
              - "arn:aws:s3:::my-great-existing-bucket"
              - "arn:aws:s3:::my-great-existing-bucket/*"
This means: without modifying the policy of the existing bucket, the newly created Lambda function will now have access to that bucket.
But in this case the already existing bucket is additionally encrypted with an existing customer managed KMS key (again in the same region), so access will still be denied to the Lambda function.
The goal would be to add the policy for using that existing key directly to the CloudFormation template as well.
I found this link:
https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html
My interpretation would be that the stated goal is usually achieved only the other way round:
You need to modify the policy of the KMS key. But the key is of course not managed via the CloudFormation stack and is therefore not manageable here (or am I wrong about that?).
So the only way to achieve it would be to activate general IAM policies for the KMS key?
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
Is that understanding correct?
CodePudding user response:
So the only way to achieve it would be to activate general IAM Policies for the KMS-key?
Yes. That's correct. If your customer managed KMS key does not have it, you have to modify the KMS key policy to allow the Lambda role. If you activate general IAM policies, then you can just modify the Lambda execution role with permissions to the KMS key.
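The two routes from the answer, worked through as an added example (this is not code from the question or the answer): a check of a key policy for the default "Enable IAM User Permissions" root statement, a check of whether the key policy already names the Lambda's role directly, and the statements the SAM `Policies:` list needs when the first route applies. The bucket name is the one from the question; the account ID, key ARN, role ARN and the two key policies are constructed sample values and are assumptions, not something the post contains.

```python
"""Decide how a SAM-defined Lambda can reach an S3 bucket that is encrypted
with an existing customer managed KMS key, and emit the needed statements.

Route 1: the key policy contains the default "Enable IAM User Permissions"
statement (Principal = account root, Action = kms:*, Resource = *). Then the
KMS actions can be granted in the SAM template next to the S3 statement.
Route 2: it does not. Then the key policy itself has to name the Lambda's
role; nothing in the Lambda's own stack can grant that.
"""
import json
from typing import Any, Dict, List

# Constructed sample identifiers (assumptions; not from the original post).
ACCOUNT_ID = "111122223333"
KEY_ARN = f"arn:aws:kms:eu-central-1:{ACCOUNT_ID}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MyFunctionRole"
BUCKET = "my-great-existing-bucket"  # bucket name from the question

# Constructed key policy in the shape returned by
#   aws kms get-key-policy --key-id <id> --policy-name default --output text
KEY_POLICY_WITH_IAM: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}
# Constructed key policy that names one role and never delegates to IAM.
KEY_POLICY_ROLE_ONLY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}

# S3 calls KMS with the caller's credentials: GetObject needs Decrypt,
# PutObject (and multipart uploads) need GenerateDataKey and Decrypt.
S3_KMS_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey")


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement: Dict[str, Any]) -> List[str]:
    """Principals of a statement as strings ("*" or the AWS entries)."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return [str(principal)] if principal is not None else []


def _matches(pattern: str, action: str) -> bool:
    """Match an Action entry against one concrete action ("kms:*" style)."""
    if pattern in (action, "*"):
        return True
    return pattern.endswith("*") and action.startswith(pattern[:-1])


def iam_policies_enabled(key_policy: Dict[str, Any], account_id: str) -> bool:
    """True if the key policy delegates kms:* on the key to the account root,
    so IAM policies (e.g. the Lambda execution role) are evaluated for it.
    Statements with a Condition are skipped: they delegate only conditionally."""
    root = f"arn:aws:iam::{account_id}:root"
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        principals = _aws_principals(st)
        if root not in principals and account_id not in principals:
            continue
        if "*" not in _as_list(st.get("Resource")):
            continue
        if any(_matches(p, "kms:*") for p in _as_list(st.get("Action"))):
            return True
    return False


def key_policy_allows_role(key_policy: Dict[str, Any], role_arn: str,
                           actions=S3_KMS_ACTIONS) -> bool:
    """True if the key policy itself grants every needed action to role_arn
    (route 2). Deny statements are not evaluated here."""
    granted = set()
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if role_arn not in _aws_principals(st):
            continue
        patterns = _as_list(st.get("Action"))
        granted.update(a for a in actions if any(_matches(p, a) for p in patterns))
    return all(a in granted for a in actions)


def lambda_policy_statements(bucket: str, key_arn: str) -> List[Dict[str, Any]]:
    """Statements for the SAM `Policies:` list: the S3 statement from the
    question plus the KMS statement route 1 needs, scoped to the one key."""
    return [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": list(S3_KMS_ACTIONS), "Resource": key_arn},
    ]


def access_route(key_policy: Dict[str, Any], account_id: str, role_arn: str) -> str:
    """Where the KMS grant for this Lambda role has to live."""
    if iam_policies_enabled(key_policy, account_id):
        return "template"    # add the KMS statement to the function's Policies
    if key_policy_allows_role(key_policy, role_arn):
        return "key-policy"  # already granted on the key side
    return "blocked"         # the key owner must edit the key policy first


if __name__ == "__main__":
    for name, policy in (("with-iam", KEY_POLICY_WITH_IAM),
                         ("role-only", KEY_POLICY_ROLE_ONLY)):
        print(name, "->", access_route(policy, ACCOUNT_ID, ROLE_ARN))
    print(json.dumps(lambda_policy_statements(BUCKET, KEY_ARN), indent=2))
```

To use it against a real key, feed `json.loads()` of the `get-key-policy` output into `access_route`. A result of `"template"` means the second statement from `lambda_policy_statements` can go straight into the function's `Policies:` list next to the S3 statement; `"blocked"` means whoever administers the key has to add either the root statement or the Lambda's role ARN to the key policy first, which the Lambda's stack cannot do for a key it does not own.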