eleven41 / aws-lambda-encrypt-s3-objects

An AWS Lambda function to encrypt S3 objects using server-side AES256 encryption as they are added to the bucket.
MIT License

"s3:ListBucket" is required to get objects #2

Open airbone42 opened 8 years ago

mwhouser commented 8 years ago

What failed if s3:ListBucket was missing?

airbone42 commented 8 years ago

We got a Forbidden for retrieving the object head.

mwhouser commented 8 years ago

Please re-check.

s3.getHead should only require s3:GetObject. I just retested and my policy does not include s3:ListBucket. s3.getHead worked fine.

Is your source bucket in a different region/account or something else unusual?

airbone42 commented 8 years ago

We're working in eu-central-1. The AWS business support brought us to this point. Not sure if it's region-specific.

mwhouser commented 8 years ago

I tried it now in eu-central-1 and again it worked fine without the s3:ListObjects command.

Give your lambda another try with the s3:ListObjects removed. Just have the policy outlined.