Restrict prefix in S3 bucket per Lambda Invocation

Time:08-18

I have a Lambda which writes to an S3 bucket. On each invocation of the Lambda, the function writes to a particular prefix within the bucket (e.g. by timestamp). I want to guarantee a level of security by preventing the Lambda from overwriting other folders created from previous executions.

Is there a way to set access permissions per invocation? I don't think I can use just a policy since those are static. One idea is to change the permissions beforehand but this seems like bad practice. Moreover, this probably won't work if the Lambda runs concurrently. Any ideas?

CodePudding user response:

Reading this question in the context of your other question about running other people's code in the Lambda function, I would recommend:

  • Dynamically create the Lambda function and only use it once (avoids security issues)
  • Do not assign an IAM Role to the Lambda function
  • Instead, create temporary credentials when dynamically creating the Lambda function
    • Create the credentials using AssumeRole but pass a policy that limits the permissions down to only the bucket and path they are permitted to access
    • Pass these temporary credentials as Environment Variables
    • Tell the users that they'll need to grab the credentials from the Environment Variables, and show them some sample code

This way, you are fully in control of the permissions assigned to each dynamically-created Lambda function.
