AWS S3, IAM Group & Policy Setup
By Justin

This post is related to an upcoming series that covers making Serverless Apps using Python, AWS Lambda, and API Gateway.
This S3 & IAM Policy works for nearly any project that uses IAM Groups, Users, or Roles that require access to a specific bucket (or buckets).
Enjoy.
1. Create an S3 Bucket
- Navigate to S3
- Select Create bucket
- Name the bucket something easy to remember for your lambdas. I named mine cfe-lambdas. Bucket names must be globally unique across all of AWS, so yours will differ.
- Under region, pick a region that's close to you, as uploads will be faster. We'll use this same region for our lambda functions later. In my case, I am still using `us-west-1`.
- Allow all the default values. This bucket is mostly internal (aka just for moving our files around AWS).
2. Add new policy to our IAM group (or IAM user)
- Navigate to IAM
- Select Policies in the sidebar.
- Select Create Policy
- Select JSON. Enter the policy document below, changing cfe-lambdas to your bucket name in both Resource entries.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*Object*",
        "s3:ListBucket",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::cfe-lambdas"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*Object*",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl",
        "s3:PutObjectTagging",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::cfe-lambdas/*"
      ]
    }
  ]
}
```
This policy will enable our group to perform actions on this particular bucket and no other (the only account-wide permission is `s3:ListAllMyBuckets`, which lets the group list bucket names but not read their contents). Note that the `s3:*Object*` wildcard covers every object-level action, including delete, which is why the policy name below says "full access". You can always add more buckets to this policy later, or create a separate one.
- Select Review policy and give the policy a name. I used CFE_LAMBDAS_S3_FULL_ACCESS_POLICY.
- Select Create policy
- Select Groups in the Sidebar
- Navigate to the group you created in this post. Mine was LocalDevUsers.
- Under Permissions > Managed Policies select Attach Policy
- Search & select the policy you just created. Mine is CFE_LAMBDAS_S3_FULL_ACCESS_POLICY
- Select Attach policy
You should now be able to upload directly to your S3 bucket.
The AWS CLI command we'll end up using is:
```shell
aws s3api put-object --bucket cfe-lambdas --key helloWorld/helloWorldLambda.zip --body helloWorldLambda.zip
```
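Since the post asks you to substitute your own bucket name into the policy, and since `s3:*Object*` is a wildcard whose reach is not obvious from the text, here is an added Python example (not code from the original post) that renders the policy above for any bucket name and audits what it grants: it expands each action pattern against a constructed subset of real S3 action names, lists the destructive actions that result, and flags any statement whose Resource reaches beyond the named bucket. The `S3_ACTIONS` list is an assumption for illustration; a real audit would load the complete action list from the IAM service reference.

```python
"""Render the post's bucket-scoped S3 policy for a given bucket and audit it.
Added example; not code from the original post."""
import fnmatch
import json

# Constructed subset of real S3 IAM action names, used to expand wildcard
# patterns such as "s3:*Object*" (assumption: the full list is much longer).
S3_ACTIONS = [
    "s3:AbortMultipartUpload", "s3:DeleteBucket", "s3:DeleteBucketPolicy",
    "s3:DeleteObject", "s3:DeleteObjectTagging", "s3:DeleteObjectVersion",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject",
    "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:GetObjectVersion",
    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions", "s3:ListMultipartUploadParts", "s3:PutBucketAcl",
    "s3:PutBucketPolicy", "s3:PutObject", "s3:PutObjectAcl",
    "s3:PutObjectTagging", "s3:PutObjectVersionAcl", "s3:RestoreObject",
]


def render_policy(bucket: str) -> dict:
    """Return the post's policy document with the bucket name substituted."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
             "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow",
             "Action": ["s3:*Object*", "s3:ListBucket", "s3:GetObjectAcl",
                        "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
                        "s3:GetBucketLocation", "s3:ListBucketMultipartUploads",
                        "s3:ListBucketVersions"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow",
             "Action": ["s3:*Object*", "s3:PutObject", "s3:GetObjectAcl",
                        "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
                        "s3:PutObjectTagging", "s3:ListMultipartUploadParts",
                        "s3:AbortMultipartUpload"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def expand_actions(patterns) -> set:
    """Expand IAM action patterns (* and ?, matched case-insensitively) against S3_ACTIONS."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return {a for a in S3_ACTIONS
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}


def audit_policy(policy: dict, bucket: str) -> dict:
    """Report what the Allow statements grant and whether any reach past `bucket`."""
    bucket_arn, prefix_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/"
    granted, out_of_scope = set(), []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = expand_actions(stmt["Action"])
        granted |= actions
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            scoped = res == bucket_arn or res.startswith(prefix_arn)
            # Listing the account's bucket names is the one action that has
            # no narrower resource than "*", so it alone is tolerated there.
            leaked = sorted(actions - {"s3:ListAllMyBuckets"})
            if not scoped and leaked:
                out_of_scope.append((index, res, leaked))
    return {
        "granted": sorted(granted),
        "destructive": sorted(a for a in granted if a.startswith("s3:Delete")),
        "out_of_scope": out_of_scope,
    }


if __name__ == "__main__":
    doc = render_policy("cfe-lambdas")
    print(json.dumps(doc, indent=2))  # paste into the IAM console or save as policy.json
    print(json.dumps(audit_policy(doc, "cfe-lambdas"), indent=2))
```

Running it for `cfe-lambdas` reports no out-of-scope statements, but shows that `s3:*Object*` also grants `s3:DeleteObject` and `s3:DeleteObjectVersion`; if your deployment user should never delete artifacts, replace the wildcard with the explicit actions you need. The rendered document can be saved as `policy.json` and created from the CLI with `aws iam create-policy --policy-name CFE_LAMBDAS_S3_FULL_ACCESS_POLICY --policy-document file://policy.json`, then attached with `aws iam attach-group-policy --group-name LocalDevUsers --policy-arn <arn from the previous command>`, which is the same result as the console steps above.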