in src/index.ts [538:591]
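/**
 * Wires a bucket into the scanner.
 *
 * - Triggers the scan function on `OBJECT_CREATED` events from `bucket`.
 * - Grants the scan function read access to the bucket plus the right to
 *   (re)tag objects and object versions.
 * - Mirrors those grants on the S3 gateway endpoint policy, for both the
 *   scan function's role and the assumed-role session it runs under.
 * - Attaches a bucket policy that DENIES object reads to every principal
 *   except the scanner while the object's `scan-status` tag is one of
 *   `IN PROGRESS`, `INFECTED` or `ERROR`.
 *
 * Caveats that this method does NOT address and a deployer should know:
 * - The deny is keyed on an *existing* object tag. An object that has not
 *   been tagged yet (before the scan function runs, or if it fails before
 *   tagging) is not covered by the deny at all.
 * - Nothing here restricts who may change the `scan-status` tag. Any
 *   principal holding `s3:PutObjectTagging` on the bucket can rewrite it
 *   and thereby lift the deny; restrict tagging rights separately.
 *
 * @param bucket - Bucket whose newly created objects should be scanned.
 */
addSourceBucket(bucket: Bucket) {
  // Every new object (PUT, POST, COPY, multipart completion) starts a scan.
  this._scanFunction.addEventSource(
    new S3EventSource(bucket, { events: [EventType.OBJECT_CREATED] }),
  );

  // Identity-based grants for the scanner: read the bucket, write tags.
  bucket.grantRead(this._scanFunction);
  this._scanFunction.addToRolePolicy(
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ['s3:PutObjectTagging', 's3:PutObjectVersionTagging'],
      resources: [bucket.arnForObjects('*')],
    }),
  );

  const scanRole = this._scanFunction.role;
  if (!scanRole) {
    return;
  }

  // Requests issued by the running function carry the assumed-role session
  // ARN, not the role ARN. This assumes Lambda names the session after the
  // function (the usual behaviour) — both ARNs are listed wherever the
  // scanner must be matched as a principal.
  const stack = Stack.of(this);
  const scanSessionArn = `arn:${stack.partition}:sts::${stack.account}:assumed-role/${scanRole.roleName}/${this._scanFunction.functionName}`;
  const scannerPrincipals = [scanRole, new ArnPrincipal(scanSessionArn)];

  // Gateway endpoint policy: the endpoint must also permit the scanner's
  // reads and tag writes, otherwise the identity grants above are moot when
  // traffic leaves the VPC through the endpoint.
  this._s3Gw.addToPolicy(
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
      resources: [bucket.bucketArn, bucket.arnForObjects('*')],
      principals: scannerPrincipals,
    }),
  );
  this._s3Gw.addToPolicy(
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: ['s3:PutObjectTagging', 's3:PutObjectVersionTagging'],
      resources: [bucket.arnForObjects('*')],
      principals: scannerPrincipals,
    }),
  );

  // Tag values under which nobody but the scanner may read the object.
  const blockedScanStatuses = ['IN PROGRESS', 'INFECTED', 'ERROR'];

  // Bucket policy: explicit DENY for everyone except the scanner while the
  // object is tagged as not-yet-clean. `s3:GetObjectVersion` is included so
  // a versioned bucket cannot be bypassed by fetching a specific version ID;
  // the `s3:ExistingObjectTag/*` condition key applies to both actions.
  // NotPrincipal needs the assumed-role session ARN as well as the role ARN
  // so the scanner's own reads are not denied.
  bucket.addToResourcePolicy(
    new PolicyStatement({
      effect: Effect.DENY,
      actions: ['s3:GetObject', 's3:GetObjectVersion'],
      resources: [bucket.arnForObjects('*')],
      notPrincipals: scannerPrincipals,
      conditions: {
        StringEquals: {
          's3:ExistingObjectTag/scan-status': blockedScanStatuses,
        },
      },
    }),
  );
}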