Gems/AWSCore/cdk/example/example_resources_stack.py [61:130]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ) # Provide the admin and user groups permissions to read the example S3 bucket. # Cannot use the grant_read method defined by the Bucket structure since the method tries to add to # the resource-based policy but the imported IAM groups (which are tokens from Fn.ImportValue) are # not valid principals in S3 bucket policies. # Check https://aws.amazon.com/premiumsupport/knowledge-center/s3-invalid-principal-in-policy-error/ user_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "s3:GetBucket*", "s3:GetObject*", "s3:List*" ], effect=iam.Effect.ALLOW, resources=[self._s3_bucket.bucket_arn, f'{self._s3_bucket.bucket_arn}/*'] ) ) admin_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "s3:GetBucket*", "s3:GetObject*", "s3:List*" ], effect=iam.Effect.ALLOW, resources=[self._s3_bucket.bucket_arn, f'{self._s3_bucket.bucket_arn}/*'] ) ) # Provide the admin and user groups permissions to invoke the example Lambda function. # Cannot use the grant_invoke method defined by the Function structure since the method tries to add to # the resource-based policy but the imported IAM groups (which are tokens from Fn.ImportValue) are # not valid principals in Lambda function policies. user_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "lambda:InvokeFunction" ], effect=iam.Effect.ALLOW, resources=[self._lambda.function_arn] ) ) admin_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "lambda:InvokeFunction" ], effect=iam.Effect.ALLOW, resources=[self._lambda.function_arn] ) ) # Provide the admin and user groups permissions to read from the DynamoDB table. self._table.grant_read_data(user_group) self._table.grant_read_data(admin_group) def __create_s3_bucket(self) -> s3.Bucket: # Create a sample S3 bucket following S3 best practices # # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html # 1. Block all public access to the bucket # 2. Use SSE-S3 encryption. Explore encryption at rest options via # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html # 3. Enable Amazon S3 server access logging # https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html server_access_logs_bucket = None if self.node.try_get_context('disable_access_log') != 'true': server_access_logs_bucket = s3.Bucket.from_bucket_name( self, f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket', - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gems/AWSCore/cdkv1/example/example_resources_stack.py [56:125]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ) # Provide the admin and user groups permissions to read the example S3 bucket. # Cannot use the grant_read method defined by the Bucket structure since the method tries to add to # the resource-based policy but the imported IAM groups (which are tokens from Fn.ImportValue) are # not valid principals in S3 bucket policies. # Check https://aws.amazon.com/premiumsupport/knowledge-center/s3-invalid-principal-in-policy-error/ user_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "s3:GetBucket*", "s3:GetObject*", "s3:List*" ], effect=iam.Effect.ALLOW, resources=[self._s3_bucket.bucket_arn, f'{self._s3_bucket.bucket_arn}/*'] ) ) admin_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "s3:GetBucket*", "s3:GetObject*", "s3:List*" ], effect=iam.Effect.ALLOW, resources=[self._s3_bucket.bucket_arn, f'{self._s3_bucket.bucket_arn}/*'] ) ) # Provide the admin and user groups permissions to invoke the example Lambda function. # Cannot use the grant_invoke method defined by the Function structure since the method tries to add to # the resource-based policy but the imported IAM groups (which are tokens from Fn.ImportValue) are # not valid principals in Lambda function policies. user_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "lambda:InvokeFunction" ], effect=iam.Effect.ALLOW, resources=[self._lambda.function_arn] ) ) admin_group.add_to_principal_policy( iam.PolicyStatement( actions=[ "lambda:InvokeFunction" ], effect=iam.Effect.ALLOW, resources=[self._lambda.function_arn] ) ) # Provide the admin and user groups permissions to read from the DynamoDB table. self._table.grant_read_data(user_group) self._table.grant_read_data(admin_group) def __create_s3_bucket(self) -> s3.Bucket: # Create a sample S3 bucket following S3 best practices # # See https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html # 1. Block all public access to the bucket # 2. Use SSE-S3 encryption. Explore encryption at rest options via # https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html # 3. Enable Amazon S3 server access logging # https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html server_access_logs_bucket = None if self.node.try_get_context('disable_access_log') != 'true': server_access_logs_bucket = s3.Bucket.from_bucket_name( self, f'{self._project_name}-{self._feature_name}-ImportedAccessLogsBucket', - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -