How to only allow one Service Role to PutObjects to an Amazon S3 bucket

Time:09-17

I have an Amazon S3 bucket "my-bucket" on an AWS account. Right now everyone on the account can download and put objects to "my-bucket". However, I would like everyone to be able to download/delete objects from the bucket, and only one service role (lambda) to be able to put objects to the bucket.

The lambda role already has access to PutObjects to the bucket, so I guess I would want to make a bucket policy to only allow my lambda role to PutObjects but still allow everyone else to download/delete objects on the bucket. I am however not sure what that bucket policy would look like. I guess I have to use a condition? Something like this?

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"MyRule",
      "Effect": "Deny",
      "Action":["s3:PutObject"],
      "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket*"],
      "Condition":{"NOT EQUAL TO LAMBDA ROLE???"}
    }
  ]
}

CodePudding user response:

A bucket policy is a resource-based policy, so the principal can be used to restrict access to a specific identity. You can prepare a policy like the one below for everyone to download and delete objects:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicReadDelete",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject","s3:DeleteObject"],
      "Resource":["arn:aws-cn:s3:::/*"]
    }
  ]
}

Below is the policy for Lambda to put objects:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"LambdaUpload",
      "Effect":"Allow",
      "Principal": {"AWS": "<your lambda function ARN>"},
      "Action":["s3:PutObject"],
      "Resource":["arn:aws-cn:s3:::/*"]
    }
  ]
}

You can combine both statements in the same policy. You just need to replace your Lambda function ARN and S3 bucket ARN or name.
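Added example, not part of the original thread: the Deny-with-condition shape the question sketches, built in Python and checked against constructed principals. Within one account an Allow in a bucket policy does not remove access that IAM policies already grant, so limiting uploads to one role takes an explicit Deny. The account ID, role name and user ARNs are placeholders, and `explicitly_denied` is a simplified model of this one statement shape, not a full IAM evaluator.

```python
import fnmatch
import json

# Assumed placeholder values; only the bucket name comes from the question.
BUCKET = "my-bucket"
LAMBDA_ROLE_ARN = "arn:aws:iam::111122223333:role/my-lambda-role"  # hypothetical


def build_policy(bucket, writer_role_arn):
    """Bucket policy that explicitly denies s3:PutObject to every principal
    except the given role. Get/Delete stay governed by existing IAM policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutExceptLambdaRole",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            # PutObject acts on objects, so only the /* resource is needed.
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # For a role session, aws:PrincipalArn is the IAM role ARN.
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": writer_role_arn}},
        }],
    }


def explicitly_denied(policy, principal_arn, action, resource):
    """Simplified model: does a Deny statement of the shape above match?"""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])):
            continue
        exempt = as_list(stmt["Condition"]["ArnNotEquals"]["aws:PrincipalArn"])
        # Negated operator: the Deny applies when the caller matches none of them.
        if not any(fnmatch.fnmatchcase(principal_arn, a) for a in exempt):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_policy(BUCKET, LAMBDA_ROLE_ARN), indent=2))
```

Because the Deny matches every other principal, administrators are blocked from uploading as well; list their ARNs alongside the role in `aws:PrincipalArn` if they need to write.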
