A generic S3 bucket policy for applications | by Teri Radichel | Cloud Security | October 2023


ACM.350 Grant access to Lambda in an S3 bucket policy

Part of my series on Automation of cybersecurity measures. Batch job security. I AM. S3. Deploy a static website. THE Coded.

Free content on Cybersecurity Jobs | Register at Broadcast list

In the last article, I modified the generic application policy used by our Lambda functions to manage S3 read and write buckets.

In this article, I will try to modify our existing S3 bucket template to allow applications to access S3 buckets.

Remember that I have a generic bucket template. I plan to change some things in this model later. I don’t like that it uses account numbers in bucket names, but this was a workaround for another issue for testing purposes. We don’t really need to change this bucket model. We have already used it to deploy the S3 bucket in a previous article which will host our test website.

What we need to add is an AWS Bucket policy. The CloudFormation for this looks like this:


Note that I’m getting an error on this page at the moment, but I’m sure AWS will fix it shortly. I am currently using page caching in Google.

Here is the example bucket policy on the page:

We’ve explored what we need to add to this policy to allow cross-account access to a user. We can do the same thing with a role ARN.

Leave a comment