You are developing a Lambda in your Dev1 account. The purpose of this Lambda is to save QR codes in two S3 buckets: one bucket (BucketDev1) is in the same account as the Lambda, and the second bucket (BucketDev2) is in another AWS account called Dev2.
A requirement is to allow only this specific Lambda from Dev1 to create objects in BucketDev2. What do you need to grant this Lambda function access to both S3 buckets?
A. B. C. D.
Correct Answer: B.
Option A is incorrect because when you need to access an S3 bucket from an external account, you need to specify in the bucket policy an Allow statement with the ARN of the AWS account as the principal.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3bucketLambda",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::YOURBUCKETHERE/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:role/LambdaRole123"
        ]
      }
    }
  ]
}
```
Option B is CORRECT because you don't need to write a bucket policy to access an S3 bucket if the resource is in the same account and the attached role or policy grants permission to access the S3 bucket.
With the bucket policy in the second account, the Lambda from the first account can access BucketDev2.
More details: https://aws.amazon.com/premiumsupport/knowledge-center/lambda-execution-role-s3-bucket/
Option C is incorrect because, under the AWS IAM evaluation logic and hierarchy, an explicit denial in any policy overrides any Allow statement.
So with this approach, in the end the bucket has a denial that prevents the Lambda from accessing BucketDev2.
More details: https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-tags-deny/
Option D is incorrect because if the S3 bucket is in a different account, it will need a bucket policy to allow resources from other accounts to access it.
The correct answer is B.
To grant the Lambda function access to write objects in both S3 buckets, you need to create an IAM role that allows the Lambda function to write to the S3 buckets, and then create bucket policies that allow access to the S3 buckets.
Option A is incorrect because it allows the S3-Lambda role to write to any S3 bucket. This policy does not restrict access to the specific S3 buckets that need to be accessed. Also, BucketDev1 should not be restricted to only resources with the S3-Lambda role as other resources may need to write to it.
Option C is incorrect because it denies all resources with the S3-Lambda role in the Dev1 account from writing to any S3 bucket. This policy effectively blocks access to the specified bucket, which is not what is required. The second statement also allows the specified Lambda function from the Dev1 account to write to the specified bucket in the Dev2 account, but it does not restrict access to other buckets.
Option D is incorrect because it creates two policies instead of creating a single role with a policy that allows access to both S3 buckets.
Therefore, the correct approach is to:
The policy for BucketDev2 should look like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Dev1-account-ID:role/S3-Lambda"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:GetObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::BucketDev2/*",
        "arn:aws:s3:::BucketDev2"
      ]
    }
  ]
}
```
This policy allows the S3-Lambda role from the Dev1 account to write objects to the specified bucket, BucketDev2. The policy also grants access to the bucket itself and to all objects within it.
Note that the ARN of the IAM role needs to be updated with the Dev1 account ID.
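Both answers above rest on the same evaluation rules: an explicit Deny in any policy wins, a same-account request needs an Allow from either the identity policy or the bucket policy, and a cross-account request needs an Allow from both. The following is an added example, not code from the question or from any of the answers, that models those rules over the Dev1/Dev2 scenario so the outcome of each option can be checked offline. The account IDs, the role name `S3-Lambda` and the object keys are constructed placeholders, and the evaluator deliberately ignores IAM features the question does not use (conditions, NotAction/NotResource, SCPs, permission boundaries, session policies).

```python
"""Simplified model of IAM policy evaluation for the BucketDev1/BucketDev2 question.

Constructed example: account IDs and role name are placeholders, not real values.
"""
from fnmatch import fnmatchcase

DEV1_ACCOUNT = "111111111111"  # placeholder for the Dev1 account ID
DEV2_ACCOUNT = "222222222222"  # placeholder for the Dev2 account ID
LAMBDA_ROLE = f"arn:aws:iam::{DEV1_ACCOUNT}:role/S3-Lambda"

# Identity-based policy attached to the Lambda execution role in Dev1.
# Scoped to the two buckets only, so a stray bucket is never writable.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::BucketDev1/*", "arn:aws:s3:::BucketDev2/*"],
    }],
}

# Resource-based (bucket) policy on BucketDev2, owned by Dev2, trusting only the Dev1 role.
BUCKET_DEV2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": LAMBDA_ROLE},
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": "arn:aws:s3:::BucketDev2/*",
    }],
}

# An explicit Deny of the kind option C ends up with: it overrides every Allow.
DENY_LAMBDA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": LAMBDA_ROLE},
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::BucketDev2", "arn:aws:s3:::BucketDev2/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's * and ? wildcards map directly onto fnmatch semantics.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    # Identity-based policies carry no Principal element: they apply to the
    # identity they are attached to. Resource policies must name the caller.
    if "Principal" not in stmt:
        return True
    spec = stmt["Principal"]
    if spec == "*":
        return True
    return _matches(spec.get("AWS", []), principal)


def evaluate_policy(policy, principal, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for a single policy document."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if not (_principal_matches(stmt, principal)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final
        decision = "Allow"
    return decision


def is_allowed(identity_policies, bucket_policy, principal, principal_account,
               bucket_account, action, resource):
    """Combine identity and bucket policies the way AWS does across accounts:
    any Deny loses; same account needs an Allow from either side;
    cross-account needs an Allow from both sides."""
    identity = [evaluate_policy(p, principal, action, resource) for p in identity_policies]
    bucket = (evaluate_policy(bucket_policy, principal, action, resource)
              if bucket_policy else "Implicit")
    if "Deny" in identity or bucket == "Deny":
        return False
    identity_allow = "Allow" in identity
    bucket_allow = bucket == "Allow"
    if principal_account == bucket_account:
        return identity_allow or bucket_allow
    return identity_allow and bucket_allow


if __name__ == "__main__":
    key1 = "arn:aws:s3:::BucketDev1/qr/order-1.png"
    key2 = "arn:aws:s3:::BucketDev2/qr/order-1.png"
    print("same-account, role policy only :",
          is_allowed([LAMBDA_ROLE_POLICY], None, LAMBDA_ROLE, DEV1_ACCOUNT, DEV1_ACCOUNT, "s3:PutObject", key1))
    print("cross-account, no bucket policy:",
          is_allowed([LAMBDA_ROLE_POLICY], None, LAMBDA_ROLE, DEV1_ACCOUNT, DEV2_ACCOUNT, "s3:PutObject", key2))
    print("cross-account, bucket policy   :",
          is_allowed([LAMBDA_ROLE_POLICY], BUCKET_DEV2_POLICY, LAMBDA_ROLE, DEV1_ACCOUNT, DEV2_ACCOUNT, "s3:PutObject", key2))
    print("cross-account, explicit Deny   :",
          is_allowed([LAMBDA_ROLE_POLICY], DENY_LAMBDA_POLICY, LAMBDA_ROLE, DEV1_ACCOUNT, DEV2_ACCOUNT, "s3:PutObject", key2))
```

Running it shows the four outcomes the answers describe: BucketDev1 is writable with the role policy alone, BucketDev2 is not writable until Dev2 adds a bucket policy naming the Dev1 role, and a single explicit Deny on BucketDev2 blocks the write no matter what the role policy allows. Because the bucket policy names one role ARN rather than the whole Dev1 account, other principals in Dev1 get "Implicit" from the bucket side and fail the cross-account check, which is the "only this specified Lambda" requirement.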